Using five security controls, Cyber Essentials aims to help businesses to reduce the impact of online threats, such as:
Phishing attacks
Malware
Ransomware
Password attacks
Network attacks
Earlier this year, some of the technical control requirements for Cyber Essentials changed in line with recommended security updates. Let’s take a closer look at the updates.
Home working is in now part of the scope. However, most home routers are not. Following the increase in ‘working-from-home’, it has become the norm for staff members to access their work through a home/personal device. Even though home routers are out of scope, any end-user devices used to access a business infrastructure must have the Cyber Essentials controls applied. Anyone who works from home for any amount of time is classed as a ‘home worker’ and this rule will apply.
All cloud services are now part of the accreditation process. In the last two years it has become increasingly common to access work through cloud solutions with businesses opting for a cloud-based infrastructure. Any cloud services must now be fully integrated into the accreditation. If your business data or services are hosted in the cloud, then Cyber Essentials controls need to be implemented.
Multi-factor authentication (MFA) is now required to access cloud services. Most of us use some form of MFA every day, for example to access our banking app. MFA uses a minimum of 2 factors to grant access, something you know and something you have: usually a password and a face, voice or print recognition. For Cyber Essentials, the password element of the MFA approach must be at least eight characters long, with no maximum length restrictions.
Smart phones and tablets are now part of the certification. These are any device that you use to connect to your corporate network and access organisational data and services via mobile internet. However, if mobile devices are only used for voice calls, text messages or MFA, then these devices will not be considered.
Two additional tests have been added to the Cyber Essentials Plus audit. These are: test to confirm MFA is required for access to cloud services and test to confirm account separation between user and administration accounts.
If you would like to learn more about the updates to Cyber Essentials then please do get in touch with our team on 0161 763 4529. We are fully trained and experienced in keeping your business safe online.