Cyber Essentials has been with us for some time now: launching way back on the 5th of June 2014. The scheme is aimed at promoting basic cyber hygiene to encourage organisations to have in place 5 key technical controls to help prevent the majority of commodity (or low-skill) cyberattacks.
By the end of June 2014, several organisations had already achieved certification and currently, more than 30,000 certificates have since been issued.
It is worth noting that the Cyber Essentials standard is constantly evolving, and the question set is usually updated annually. The reason behind these updates is that the threat landscape is constantly evolving: attacks that were successfully thwarted in previous years may well have moved on in sophistication and delivery, and would succeed for the criminals in the present day.
On the 24th January 2022, the new Cyber Essentials Evendine question set will be launched, and this will represent the biggest change to the standard since it was launched. In previous updates, although new question sets were released, there were very few changes to the scheme requirements themselves. With the Evendine release, there are significant changes to the scope requirements and to the controls that need to be applied to the devices within that scope.
In the Evendine updates, there are significant changes to what will be included in the scope, with the most obvious change being the inclusion of all cloud services. Of the three forms of cloud service, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), previously IaaS was likely to be in scope and SaaS was regarded as ‘out of scope’. PaaS was something of a grey area and generally needed careful consideration as to whether the service should be in scope or not.
With the inception of Evendine, all cloud services will be required to be in the scope of Cyber Essentials.
Whilst considering the scope question we must note that organisations’ end-user devices must be in scope as well. The NCSC and IASME have clarified that:
- It is not acceptable to descope all end-user devices
- It is not possible to descope cloud services used by your organisation
- All devices/software/firmware in scope (including Bring Your Own Device (BYOD)) must use supported software and all controls applied.
For further information please see the new “Requirements for IT Infrastructure v3” document, which can be found on the NCSC’s website.
There are also changes to passwords and 2-factor authentication requirements.
From January 24th 2022, all administrative users of cloud services must have Multi-Factor Authentication (MFA) applied, and all standard user accounts will need MFA when certifying in 2023. In the meantime, standard user accounts will need either:
- 12 character passwords, or
- 8 character passwords when there are technical controls to deny poor passwords.
Below is an extract from the NCSC requirements document describing password controls:
“People must be educated on how to avoid common or discoverable passwords, such as a pet’s name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
Next is encouraging people to choose longer passwords. This can be done by promoting the use of multiple words (a minimum of three) to create a password, (e.g., ‘Three Random Words’)
The entity should provide usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used.
Also not enforcing regular password expiry and not enforcing password complexity requirements.
There is an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.”
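As an added example (not code from the NCSC document or the scheme), the following Python models the two password options above for accounts without MFA: a 12-character minimum, or an 8-character minimum where a technical control denies poor passwords. The deny-list (common passwords, keyboard patterns, "discoverable" words such as a pet’s name) is constructed for illustration; in practice it would be a breached-password feed or the directory’s banned-password list.

```python
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a real common/breached password feed.
COMMON_PASSWORDS = {"password", "password1", "letmein", "welcome1", "qwerty123", "admin123"}
# Constructed examples of the keyboard patterns the NCSC text warns about.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345678", "1qaz2wsx")


def is_denied(password: str, discoverable_words: Iterable[str] = ()) -> Optional[str]:
    """Return a reason the password should be rejected, or None if it is acceptable.

    discoverable_words: per-user words an attacker could guess (pet name, company name);
    these are assumed to be supplied by the caller, e.g. from HR or directory data.
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "common password"
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            return f"keyboard pattern '{pattern}'"
    for word in discoverable_words:
        if word.lower() in lowered:
            return f"contains discoverable word '{word}'"
    if len(set(lowered)) <= 2:
        return "repeated characters"
    return None


def check_password(password: str, deny_list_enforced: bool,
                   discoverable_words: Iterable[str] = ()) -> Tuple[bool, str]:
    """Apply the Evendine length rule for a non-MFA account.

    deny_list_enforced=False : the organisation has no technical control against poor
                               passwords, so the minimum length is 12 characters.
    deny_list_enforced=True  : a deny-list control is in place, so 8 characters is the
                               minimum and the deny-list check is applied here.
    """
    minimum = 8 if deny_list_enforced else 12
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters"
    if deny_list_enforced:
        reason = is_denied(password, discoverable_words)
        if reason:
            return False, reason
    return True, "accepted"


if __name__ == "__main__":
    # 'Three Random Words' style passphrase passes under either policy.
    print(check_password("lamp-river-otter", deny_list_enforced=True))
    # A pet's name plus a year is denied once the per-user discoverable words are known.
    print(check_password("Rex2015!!", deny_list_enforced=True, discoverable_words=["Rex"]))
```

Note that the deny-list check is only meaningful if the organisation actually enforces it at the point of password change (directory policy, identity provider or password manager); a script that merely reports would not count as the "technical control" the 8-character option depends on.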
Server and end-user device quantities must be declared, and a change is that the make and model of each device, as well as its operating system, must be recorded. A common fault causing assessments to be sent back is that both the edition and the version number of the operating system are required and are often missing.
In order to be able to provide the required information, we recommend that an up-to-date asset register is maintained and this must include BYOD devices.
As tracking BYOD devices can be difficult, we would suggest having a process for “on-boarding” a BYOD device so that the owner/make/model/OS can be documented whenever a staff member wishes to use their own device to connect to company data. You should also prepare your staff for the possibility that, if they choose to use a BYOD device, the device may need to be tested during Cyber Essentials Plus auditing which should be covered through employment contracts or internal policy. The recommendation is to cover this off with HR to ensure adequate coverage for BYOD.
Just to be totally clear, all BYOD devices that access business data, including emails and cloud services, must be regarded as being in scope and must be fully declared. They must also have all the controls applied to them in the same way a corporate device would.
BYOD scope examples:
If mobile devices are only being used to access a VDI solution, then this will bring the device into scope in the same way as if it was able to access corporate emails.
If BYOD devices are only used for voice calls, SMS text messages or as a platform to receive 2-factor authentication codes then this does not bring them into scope.
Overall, we suggest you ask yourself whether BYOD devices are absolutely essential to your business. Unless you treat BYOD in the same way as corporate mobiles (where all updates must be applied, a minimum 6-character PIN is applied with rate-limiting/lockout in place, and the device must not be jailbroken or rooted) then you may fail Cyber Essentials and/or Cyber Essentials Plus.
From 2023 all Thin Clients will need to be in support and able to receive security updates. The Evendine question set will ask questions around thin client use.
There is clarification around organisations that employ home workers. If the home network makes use of an ISP-provided router, then this is seen as being out of scope. Should the organisation provide a router for the home worker then this will be in scope.
Homeworker computers must have the software firewall active on the device. If this is in place, then home networks are out of scope. In the interests of best practice, we suggest the public firewall profile be set to deny all incoming traffic.
Router/firewall admin portals using password-based authentication:
These must have a minimum of an 8-character password and either 2FA in place, or the login limited to internal addresses or a select few whitelisted external IP addresses.
This will also be tested as part of Cyber Essentials Plus.
Cyber Essentials Plus
There are also some significant changes to the Cyber Essentials Plus testing and auditing process. As a CE Plus Assessor, I have seen many organisations fail the standard due to insufficient patching of operating systems and applications. Applying security updates within the mandated 14-day period does present a challenge to some organisations, and the changes to be applied will only result in the “bar being raised”.
The reason behind this is that previously we were allowed to discount some vulnerabilities that required attack vectors such as local access to the machine or tricking a user into action. Additionally, the functionality of the attack had to be proven with a reasonable level of certainty.
In the new Cyber Essentials Plus, all critical and high vulnerabilities must be remediated regardless of the attack vectors. This is a significant change and many organisations that I have previously been able to pass would now fail under the new assessment.
A new test of all cloud services is to be introduced, which initially checks that all administrator accounts have 2FA enabled. From 2023, all accounts, even standard user accounts, need to have 2FA present.
There are further tests to ensure that administrators do not work on a day-to-day basis with admin privileges, which I often find is a contentious requirement for developers. Needless to say, even for developers, having admin privileges in the course of normal work is prohibited.
For macOS/Linux devices specifically, please note that there must be account separation between the user account (used for day-to-day work like email/web browsing) and the administrative account of the machine. It is not compliant for a day-to-day user to be a member of the “sudo” user group – there must be complete separation.
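As an added example (not part of the original article, and not an official assessor tool), the following Python audits the separation described above on a Linux host by parsing `/etc/group` and `/etc/passwd` and reporting any day-to-day account that is a member of an admin-capable group, either by explicit membership or by primary group. The sample file contents are constructed; the set of admin group names (`sudo`, `wheel`, `admin`) is an assumption and should be adjusted to the distribution in use. On macOS, admin membership lives in Open Directory rather than `/etc/group`, so the live check there would use `dscl . -read /Groups/admin GroupMembership` instead; that path is not implemented here.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Assumed names of groups that grant administrative rights; adjust per distribution.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Constructed sample of /etc/group: name:password:gid:member,member
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,svc-backup
wheel:x:10:
admin:x:80:bob
staff:x:50:alice,bob,carol
"""

# Constructed sample of /etc/passwd: name:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:50:Alice:/home/alice:/bin/bash
bob:x:1002:50:Bob:/home/bob:/bin/zsh
carol:x:1003:50:Carol:/home/carol:/bin/bash
dave:x:1004:27:Dave:/home/dave:/bin/bash
"""


def parse_groups(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, explicit members) from /etc/group-formatted text."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_primary_gids(text: str) -> Dict[str, int]:
    """Map user name -> primary gid from /etc/passwd-formatted text."""
    gids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        gids[fields[0]] = int(fields[3])
    return gids


def find_admin_members(group_text: str, passwd_text: str,
                       day_to_day_users: Iterable[str]) -> Dict[str, List[str]]:
    """Return {user: [admin groups]} for day-to-day users holding admin membership.

    Membership is detected both via the member list in /etc/group and via the
    user's primary gid in /etc/passwd, which the member list does not show.
    """
    groups = parse_groups(group_text)
    primary = parse_primary_gids(passwd_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    findings: Dict[str, List[str]] = {}
    for user in day_to_day_users:
        hits: Set[str] = set()
        for gname, (_gid, members) in groups.items():
            if gname in ADMIN_GROUPS and user in members:
                hits.add(gname)
        pg = primary.get(user)
        if pg is not None and gid_to_name.get(pg) in ADMIN_GROUPS:
            hits.add(gid_to_name[pg])
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    # Live Linux run: treat every uid >= 1000 account as a day-to-day user.
    with open("/etc/group") as g, open("/etc/passwd") as p:
        group_text, passwd_text = g.read(), p.read()
    users = [ln.split(":")[0] for ln in passwd_text.splitlines()
             if ln and not ln.startswith("#") and int(ln.split(":")[2]) >= 1000]
    for user, grps in find_admin_members(group_text, passwd_text, users).items():
        print(f"NON-COMPLIANT: {user} is in admin group(s) {', '.join(grps)}")
```

Any account the script reports needs a separate, MFA-protected administrative account created and its day-to-day account removed from the admin groups; the audit also covers `sudoers` entries only indirectly, so a `sudo -l -U <user>` check is a sensible complement on Linux.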
Overall, the new version of Cyber Essentials and Cyber Essentials Plus is bound to add complexity and cost for organisations wishing to certify to the standard. To ensure your certification journey is as smooth as possible, we suggest you select the guided process and also ask for a pre-audit, to avoid disappointment at being unable to meet your predicted timescale.
Costs are likely to increase due to the extra time an assessor has to spend on auditing organisations. We believe that Cyber Essentials self-assessment will be priced depending on the number of users/endpoints. This is also expected to be reflected in the Cyber Essentials Plus pricing model.
With more and more organisations requiring their suppliers to be certified to the Cyber Essentials standard, we suggest that you start your journey early, whether that is for renewal or for first-time certification. Early engagement with a reputable Cyber Essentials Certification Body is also the key to success.
CISM, CISA, ECSA, Pentest+, Cloud+, CCAK, IASME Lead Assessor.