What has Changed and Why?
Since its launch in 2014, the government-backed Cyber Essentials scheme has evolved so that it stays effective and provides appropriate protection as cyber threats change. Following a recent review by a team of experts, a series of changes has been introduced to keep the scheme current. Here is our summary of the key changes, which apply to assessments from 24 January 2022 (the question set known as "Evendine").
Cloud Services are now in scope
This is the biggest and most onerous (but entirely appropriate) change: cloud services are now fully integrated into the 2022 update. Businesses are responsible for assessing the cloud services they use against the Cyber Essentials controls and for applying those controls wherever they can. Previous iterations of Cyber Essentials assumed, to an extent, that security was handled by the provider and that services were secure by default. Examples of cloud services now firmly in scope:
Businesses are responsible for user access control and the secure configuration of these services, and for checking that the security updates and controls that sit with the provider are actually in place, rather than assuming them.
Devices used for home working are in scope (but ISP routers are not)
If you have employees who work from home for any amount of time, they are now classified as home workers. The devices they use to access organisational data or services, whether owned by the organisation or personal devices, are in scope for Cyber Essentials. Thin clients also fall into scope when they connect to business data or services.
Before this update, one of the key issues was trying to secure and configure home routers supplied by ISPs. The firewall requirement now transfers to the device itself (PC, laptop, mobile phone, etc.), whose software firewall must be enabled and configured alongside the other relevant controls.
So the ISP-supplied router is now out of scope, but a router supplied by the business is still in scope. Where a home worker connects over a corporate VPN, the boundary moves to the corporate firewall, which is then the control that must be assessed.
Mandatory Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) MUST now be used for all accounts on cloud services, not just administrator accounts, to provide protection beyond the password alone. Previously MFA was only mandatory for administrator accounts and recommended for other users. Note the transition period: administrator accounts on cloud services must have MFA from the January 2022 question set, and all other user accounts must have it for assessments from January 2023.
Unsupported Software
All software installed on devices listed as being in scope must be:
Organisations must now apply all updates that fix high or critical vulnerabilities (a CVSS v3 base score of 7.0 or above) within 14 days of release, on all in-scope systems, without exception.
Passwords
When passwords are used, one of the following methods must be in place to protect against brute-force password guessing:
Technical controls must also be used to manage password quality. This means one of the following:
Smart Devices
All smartphones and tablets that connect to organisational data or services are now in scope, whether they connect over corporate networks or over mobile internet such as 4G and 5G.
__________________________________
To explore what steps your practice should take now to protect itself from cyber threats and to make sure you can comply with these new requirements, get in touch with Frank Manning at Carton & Co. A preliminary discussion, in confidence and with no commitment, will cost you nothing and could save you and your colleagues financial loss, damage to your reputation and the stress that comes with every breach.
Email: fmanning@cartonconsultants.com
Or you can schedule a 30-minute appointment with Frank at a time that works for you.
Carton & Co - Consultants & Business Partners
☎ +44 (0)161 919 8355
solutions@cartonconsultants.com
VAT No: 414152045