Cyber Essentials Standards Updates: What You Need to Know
The Cyber Essentials and Cyber Essentials Plus schemes have been running for several years, and although the recent updates have been relatively small, they are still very much worthy of noting.
Accreditation body IASME has been working on improvements for both standards since taking over sole responsibility for the delivery of the scheme, and the latest update that took place on 24th January 2022 marked the biggest change to the standards for a number of years. If you are new to the standard, you can get up to speed here.
The revised and improved standards are now live; I believe the updates are very much due, as they aim to maintain the goal of the scheme to raise the bar for security standards in business across the UK.
But what are the updates? And why should you start preparing now?
To answer the latter, the changes are mostly around scope. Traditionally, where changes to scope have been introduced in the past (either by client request or enforced by changing standards), passing the standard becomes more complicated and time consuming at first. Preparation for these changes is going to be key to a smooth certification or recertification process, so it’s important that they are understood well ahead of time.
First off, there is an option for a sub-set of the network to be considered for accreditation. The interesting addition here is the definition for the term ‘sub-set’ to the standard which was much needed. The definition for sub-set is now “a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device are no longer acceptable.”
The following graphic better describes what is typically considered in-scope for the majority of assessments:
[Graphic not reproduced here: typical in-scope elements for the majority of assessments.]
Source: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf
Working from home has really hit the mainstream over the last few years, helped nicely along by a global pandemic… With that, the growth in home working devices has been huge. I wrote an article not so long ago about how many teams struggled in the early stages to provide equipment at rapid demand while also keeping in line with their usual security standards; the truth of the matter is many have not, and the result is presenting attackers with some very wide attack surfaces indeed! This addition to scope aims to ensure such devices are under control.
Devices (personal or owned by the organisation) used by home workers to access corporate data are now deemed to be in scope for Cyber Essentials. Home routers are now out of scope; however, if the applicant company has provided routers to its users then these will still be considered in scope.
All cloud services are now to be considered within scope of the scheme. If the organisation’s data is being stored or accessed via a cloud-based platform, the applicant organisation will be responsible for ensuring all Cyber Essentials controls are applied. Definitions have been provided for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), and responsibility for enforcing the controls differs between these service types. The following table is taken from the NCSC’s ‘requirements for infrastructure’ documentation and outlines the responsibilities. The applicant will need to be confident, and have agreements in place, that the responsibilities carried by third parties meet those of the standard.
Multi-factor authentication (MFA) now needs to be applied to all cloud-based services. To start with this will apply to system administrators only, but over time it will apply to the whole user base; in any case, we would recommend applying it to the entire user base now. The number of attacks against cloud-based system users has grown hugely over the last few years and now represents one of the biggest and most fruitful attack vectors. Over 80% of the incident response cases attended by the Six Degrees Offensive Security team over the last year have been traced back to an initial entry via a system not using MFA. Using a secondary factor of authentication can help stop such attacks in their tracks, and many system administrators now refer to this as non-negotiable.
Thin clients that connect to organisational data are now also to be included within the scope of the Cyber Essentials assessment, alongside all servers (virtual or otherwise).
All mobile devices that connect to the organisation and can access organisational data are now in scope and must be protected using biometrics or a PIN of at least six characters.
Password strength and MFA settings have been hot topics of discussion for several years outside of Cyber Essentials, and over time have seen a number of best practice revisions. For Cyber Essentials specifically the changes added to the new version of the standard are as follows.
Where passwords are in use anywhere within the scope, one of the following must be applied:
In terms of password strength, these too have had an overhaul and the following guidance has been provided; just note that only one of these options needs to be met:
Account separation is an interesting addition to the standards, and it is geared towards ensuring administration accounts are used for just that – administration and administration alone. There should be no ‘standard’ user activities performed using administration accounts; the standard specifically lists web browsing and emailing as examples of such activities.
End user devices are now required to be in scope for any assessment. You can no longer just certify a collection of servers or a given ‘environment’ without including the end user devices that access or administrate them.
This is being seen as a positive step in the security world. Attacks don’t just originate within environments; often they are introduced by weaker connecting devices from users or even administrator devices.
For all devices in scope, a 14-day period to apply and close High and Critical updates is mandated. These are issues described by the vendor as ‘Critical’ or ‘High’ severity, or that hold a CVSSv3 score of 7 or above.
Many will likely see this change as one of the most challenging to overcome. It will require extra vigilance and coordination to maintain, yet at the same time it is very much required to improve the standard of cyber security within the UK.
There have been several high-profile vulnerabilities this year (Log4J for example) that have gone from disclosure to public knowledge to being weaponised in mere days; it is no longer viable (and arguably it never has been) to leave such issues exposed for more than 14 days while maintaining the standards of security.
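To make the 14-day rule concrete, here is an added example (not part of the original post or of the Cyber Essentials scheme) that audits a constructed patch inventory against both criteria the post describes: vendor severity of Critical/High, or a CVSSv3 score of 7.0 or above. Advisory IDs, device names and dates are invented placeholders; note the ‘Medium’-rated update with a CVSS score of 7.5 that still falls inside the window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Rule as stated in the post: updates the vendor rates 'Critical' or 'High', or
# that carry a CVSSv3 score of 7.0 or above, must be applied within 14 days.
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class Update:
    device: str
    advisory: str               # vendor advisory id (placeholder values below)
    vendor_severity: str        # severity as the vendor describes it
    cvss_v3: Optional[float]    # None when no CVSSv3 score is published
    released: date              # date the fix was made available
    applied: Optional[date]     # None if not yet installed


def in_scope(u: Update) -> bool:
    """True if either criterion (vendor severity or CVSSv3 >= 7.0) applies."""
    if u.vendor_severity.lower() in IN_SCOPE_SEVERITIES:
        return True
    return u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD


def overdue(u: Update, today: date) -> bool:
    """True if an in-scope update was not applied within 14 days of release."""
    if not in_scope(u):
        return False
    deadline = u.released + PATCH_WINDOW
    closed_on = u.applied if u.applied is not None else today  # still open: clock runs
    return closed_on > deadline


def audit(updates: List[Update], today: date) -> List[str]:
    """Return 'device advisory' for every update that breaches the window."""
    return [f"{u.device} {u.advisory}" for u in updates if overdue(u, today)]


# Constructed sample inventory and audit date (not real advisories).
SAMPLE = [
    Update("laptop-01", "ADV-0001", "Critical", 9.8, date(2022, 3, 1), date(2022, 3, 10)),
    Update("laptop-02", "ADV-0001", "Critical", 9.8, date(2022, 3, 1), None),
    Update("srv-db-01", "ADV-0002", "Medium", 7.5, date(2022, 3, 2), date(2022, 3, 20)),
    Update("srv-web-01", "ADV-0003", "Low", 3.1, date(2022, 1, 5), None),
]
AUDIT_DATE = date(2022, 3, 31)
```

Running `audit(SAMPLE, AUDIT_DATE)` flags the unpatched laptop and the database server whose ‘Medium’ update was closed after its 16 March deadline, while the low-scoring web server update is correctly ignored.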
Given how large some of these changes are, they are going to be introduced gradually from 24th January 2022 through to January 2023. Most of them will appear within the questionnaires from 24th January 2022, but there are a few specific caveats: the MFA requirement for administrators will kick in during 2022, while the requirement for MFA to be applied to all users will be moved further down the line to January 2023.
The same applies to the requirement to remove unsupported software; this will be marked in the questionnaire for compliance from January 2023, but for now will only be used as informational data during 2022.
For further questions or to begin the certification process with support and guidance from Six Degrees, feel free to contact us for quotations.