Blog Post

Cyber Essentials Update 2022


What has Changed and Why?


Since its launch in 2014, the government-backed Cyber Essentials scheme has evolved to ensure that it stays effective and provides appropriate protection as cyber threats evolve. Following a recent review by a team of experts, a series of changes has been introduced to keep the scheme current. Here is our summary of the key changes, which apply from 24th January 2022.


Cloud Services are now in scope


This is the biggest and most onerous (but very appropriate) change with cloud services now fully integrated into the 2022 update. Businesses are now responsible for assessing cloud services against the Cyber Essentials standards and applying the controls wherever possible. Previous iterations of Cyber Essentials assumed, to an extent, that security was handled by the provider and that they were secure by default. Applications firmly in scope now are, for example:


  • Electronic ID services and related onboarding services
  • Online search providers
  • Microsoft 365/Office 365
  • Salesforce
  • Hosted Practice Management and Case Management systems


Businesses are now responsible for user access control and the secure configuration of these services and for ensuring that security updates and controls are implemented by the provider.


Devices used for home working are more in scope (but routers are not)


If you have employees working from home for any amount of time, they are now classified as ‘home workers’. The devices they use to access organisational information, whether owned by the organisation or personal devices, are in scope for Cyber Essentials. Thin clients also fall into scope now when they connect to business information or services.


Prior to this update, one of the key issues was trying to secure and configure home routers provided by ISPs. This requirement has now been transferred directly to the device (PC, laptop, mobile phone etc.), where software firewalls should be applied along with other relevant protection.


So, the ISP supplied router is now out of scope, but if the business supplies the router then it is still in scope.


Mandatory Multi-Factor Authentication (MFA)


Multi-factor authentication (MFA) MUST now be used for all accounts when connecting to cloud services, to provide additional protection. Previously MFA was mandatory only for administrator accounts and merely recommended for other accounts.


Unsupported Software


All software installed on devices listed as being in scope must:


  • Be licensed and supported
  • Be removed from devices when it becomes unsupported, or be removed from scope by placing it in a defined ‘sub-set’ that prevents all traffic to/from the internet
  • Have automatic updates enabled where possible
  • Be updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released


Organisations now need to apply all high and critical updates for all systems without exception. 


Passwords


When using passwords, one of the following methods should be used to protect against brute-force password guessing:


  • Using multi-factor authentication (MFA)
  • Throttling the rate of unsuccessful or guessed attempts
  • Locking accounts after no more than 10 unsuccessful attempts


Technical controls must be used to manage the quality of passwords. This will include one of the following:


  • Using multi-factor authentication (MFA) in conjunction with a password of at least 8 characters, with no maximum length restrictions
  • A minimum password length of at least 12 characters, with no maximum length restrictions
  • A minimum password length of at least 8 characters, with no maximum length restrictions, combined with automatic blocking of common passwords using a deny list
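As an added illustration (not part of the original post or any Carton & Co material), the three permitted password-quality configurations and the "lock after no more than 10 unsuccessful attempts" control above, encoded as Python checks; the deny list is a constructed sample, not the scheme's own.

```python
"""Illustrative checks for the Cyber Essentials 2022 password controls.

Added example, not the scheme's or Carton & Co's code. Encodes the three
acceptable password-quality configurations and the lockout limit from the
requirements. SAMPLE_DENY_LIST is a constructed sample; a real deployment
would load a published list of commonly breached passwords.
"""
from __future__ import annotations
from dataclasses import dataclass, field

MIN_LEN_WITH_MFA_OR_DENYLIST = 8   # options 1 and 3
MIN_LEN_PASSWORD_ONLY = 12         # option 2
MAX_FAILED_ATTEMPTS = 10           # lock after no more than 10 failures

SAMPLE_DENY_LIST = frozenset({"password", "password1", "qwerty123", "letmein1"})


def password_meets_quality(password: str, *, mfa_enabled: bool,
                           deny_list: frozenset | None = None) -> bool:
    """True if the password satisfies at least one permitted configuration.
    No maximum length is ever enforced, as the requirements demand."""
    length = len(password)
    if mfa_enabled and length >= MIN_LEN_WITH_MFA_OR_DENYLIST:
        return True                                   # option 1: MFA + 8 chars
    if length >= MIN_LEN_PASSWORD_ONLY:
        return True                                   # option 2: 12 chars
    if deny_list is not None and length >= MIN_LEN_WITH_MFA_OR_DENYLIST:
        return password.lower() not in deny_list      # option 3: 8 chars + deny list
    return False


@dataclass
class AccountLockout:
    """Counts unsuccessful logins per account and refuses locked accounts."""
    failures: dict[str, int] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS

    def attempt(self, account: str, credentials_valid: bool) -> bool:
        """Record one login attempt whose credential check already produced
        credentials_valid. Returns True only for an unlocked, valid login."""
        if self.is_locked(account):
            return False                              # locked: reject even valid logins
        if credentials_valid:
            self.failures.pop(account, None)          # success resets the counter
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        return False
```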


Smart Devices


All smart phones and tablets connecting to organisational data and services are now in scope when connecting to corporate networks or mobile Internet such as 4G and 5G.


  • Biometrics or a minimum password/PIN length of 6 characters must be used to unlock a device.
  • The scope of an organisation must also include end user devices.
  • There is a grace period of 12 months to allow organisations to make the necessary changes for the following requirements:
      • The requirement for MFA applies to admin accounts from January 2022; the requirement for MFA for users will be marked for compliance from January 2023.
      • The requirement for support and updates on thin clients will be marked for compliance from January 2023.
      • Removal of unsupported software from scope will be marked for compliance from January 2023.


__________________________________


To explore what steps your practice should take now to protect it from cyber threats and to ensure that you can comply with these new requirements, get in touch with Frank Manning at Carton & Co. A preliminary discussion in confidence, with no commitment, will cost you nothing and could save you and your colleagues financial loss, damage to your reputation and the stress that comes with every breach.


Email: fmanning@cartonconsultants.com


Tel: 07778 572420


Or, you can schedule a 30 minute appointment with Frank at a time that works for you.

