The threat of cyber-attacks has been on the rise in recent years, with hackers becoming increasingly sophisticated in their methods. In order to combat this growing danger, the UK government launched the Cyber Essentials scheme in 2014.
This scheme helps businesses protect themselves against cyber threats by providing a set of guidelines for best practices in cybersecurity. However, as technology evolves, so too must our approaches to cybersecurity. That's why in April 2023, the Cyber Essentials scheme will undergo a significant update.
In this article, we'll take a closer look at what these changes will entail, and what they mean for businesses looking to keep their data and networks secure. Whether you're a business owner or an IT professional, it's important to stay up to date on the latest developments in cybersecurity. The Cyber Essentials update is a major step forward in protecting against the ever-present threat of cyber-attacks.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations to protect themselves against common cyber threats. It was developed by the National Cyber Security Centre (NCSC) to provide a basic level of cybersecurity for organisations of all sizes, from small businesses to large corporations.
The scheme provides a set of basic cybersecurity controls that organisations can implement to reduce their vulnerability to cyber-attacks. These controls include things like boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.
Organisations can gain Cyber Essentials certification by completing a self-assessment questionnaire and having their answers independently verified by a certification body. There are two levels of certification available: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials requires a self-assessment questionnaire to be completed, while Cyber Essentials Plus involves an additional technical assessment and on-site testing.
By achieving Cyber Essentials certification, organisations can demonstrate to their customers, suppliers, and stakeholders that they take cybersecurity seriously and have taken steps to protect their data and systems. The scheme is particularly useful for small and medium-sized enterprises (SMEs) that may lack the resources to develop their own cybersecurity policies and practices.
What’s in the Cyber Essentials 2023 Update?
The Cyber Essentials scheme was originally launched in 2014 and has since undergone several updates. The updates have typically focused on addressing new cybersecurity threats and emerging technologies. For example, previous updates have included guidelines for securing cloud services, remote working, and internet of things (IoT) devices.
This year’s update will be slightly more relaxed than the previous year’s update, providing clarification and important new guidance:
- User devices - All user devices that are declared within the certification scope, except for network devices like firewalls and routers, are only required to list their make and operating system. The model of the device is no longer required to be listed, which is a change from the previous requirements. This modification will be updated in the self-assessment questionnaire, instead of the requirements document.
- Clarification of firmware - Currently, all firmware falls under the definition of 'software' and is required to be supported and updated. However, we have received feedback that finding this information can be challenging. To address this issue, we are updating the policy to specify that only router and firewall firmware must be maintained and kept up to date.
- Third-party Devices - More information and a new table that clarify how third-party devices, such as a contractor or student devices, should be treated in your application.
- Device unlocking - A modification has been implemented to address the problem of unconfigurable default settings in devices, particularly with regard to the number of unsuccessful login attempts before the device is locked. As a result, applicants may now utilise these default settings when necessary.
- Malware protection - The reliance on signature-based anti-malware software will be eliminated, and we have provided clear guidance on which mechanism is appropriate for various types of devices. Additionally, the option for sandboxing has been removed.
- New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
- Style and language - several language and format changes have been made to make the document easier to read.
- Structure updated - the technical controls have been reordered to align with the updated self-assessment question set.
- Cyber Essentials Plus Testing - The Cyber Essentials Plus Illustrative Test Specification document has undergone an update to ensure alignment with the revised requirements. The most significant modification is the introduction of a new set of Malware Protection tests that have been streamlined to simplify the process for both applicants and assessors.
When will the Cyber Essentials requirements be updated?
The latest increment of updates for the Cyber Essentials application will take effect from the 24th April 2023. This means that all applications made after this date will be required to use the newest question set and requirements.
Haptic Networks strongly recommends organisations acquire a Cyber Essentials certificate if it utilises any type of IT infrastructure or if it collects, stores, and uses customer or employee data on an online system. We also recommend it where organisations wish to improve their cyber security status and prevent serious impacts from cyber-attacks.
Cyber Essentials 2023
In conclusion, the Cyber Essentials update scheduled for April 2023 is a crucial step in strengthening the cybersecurity of businesses and organisations in today's ever-evolving digital landscape. The update is expected to introduce new guidelines and requirements to address emerging cybersecurity threats and technologies, and to provide a higher level of protection for businesses' networks, data, and reputation.
By following the updated guidelines and implementing best practices in cybersecurity, businesses can not only protect themselves against cyber-attacks but also gain a competitive advantage and comply with regulatory requirements. While the update may present some challenges and considerations, careful preparation and planning can help businesses to overcome them and successfully achieve Cyber Essentials certification.
It's essential for businesses to prioritise cybersecurity and stay informed of the latest updates and developments in the field to ensure the safety and security of their digital assets. The Cyber Essentials update is a vital step towards achieving this goal and strengthening the overall cybersecurity posture of businesses and organisations.
If you’re keen to improve your cyber security, why not take a look at our predictions for cyber security in 2023 and build a cyber security plan.