What Needs to Be Done to Ensure You Comply?
In the previous article we learned that the Cyber Essentials Accreditation has changed in line with the changes to our workplaces, because cyber threats are on the rise and the way we work has changed dramatically. With a large portion of the working population now operating from the comfort of their own homes – new doors have been opened to cyber threats that were previously unheard of.
So, what can be done to ensure you comply?
• Multi-Factor Authentication (MFA) Must Be Used for Access to Cloud Services
MFA adds a second layer of protection to accounts used to connect to cloud services. The Cyber Essentials requirements ask you to combine a password with at least one additional, independent factor (for example a one-time code or prompt from an authenticator app, or a hardware token) before access to the account is granted, so a stolen or guessed password alone is not enough to log in.
• Password and MFA Requirements
Alongside MFA, the scheme requires protection against brute-force password guessing, which is a separate control from MFA itself. You must do at least one of the following: throttle guesses so that only a limited number of failed attempts are accepted in a set period, or lock the account after no more than 10 unsuccessful attempts.
• Software Licensing, Support, Updating and Removal
The updated Cyber Essentials requires your organisation to ensure that all software on in-scope devices is licensed and still supported by its vendor. Software that goes out of support must be removed from those devices, because the vendor will no longer release fixes for vulnerabilities found in it.
You must have automatic updates enabled wherever possible. One of the key changes is the patching deadline: if an update fixes a vulnerability that the vendor describes as 'critical' or 'high risk', or that carries a CVSS v3 base score of 7.0 or higher, you must apply it within 14 days of its release. The clock starts at release, not at the point you notice the update.
• Device Locking for Physically Present Users
One of the new requirements concerns device locking and is brand new to the scheme. A device that is physically in front of a user must be unlocked with biometrics or with a PIN or password of at least six characters.
Those unlock credentials need the same brute-force protection as account passwords: limit the number of guesses permitted within a set period, or lock the device after a set number of unsuccessful attempts. Lockouts are frustrating for employees who cannot recall their credentials, but that minor inconvenience is a small price for denying an attacker unlimited guesses at a lost or stolen device.
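The brute-force protection described above for account passwords and for device unlock credentials can be implemented in two ways that correspond to the two options the scheme allows. The following is an added example (not code from the original article or from the Cyber Essentials scheme) showing both: a throttling guard that accepts no more than 10 failed guesses in a 5-minute window, and a lockout guard that locks the account for 15 minutes after 10 consecutive failures. The user store, the salt, the 5-minute window and the 15-minute lock duration are constructed assumptions for the demonstration; the scheme only fixes the limit of 10 attempts.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store for the example (not real accounts). Passwords are
# stored as PBKDF2 hashes; the salt and user are assumptions for the demo.
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, _ITERATIONS)}
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"", _SALT, _ITERATIONS)


def verify_password(user, password):
    """Constant-time comparison against the stored hash.

    Unknown users are hashed against a dummy value so a failed login takes the
    same time whether or not the account exists."""
    stored = _USERS.get(user, _DUMMY_HASH)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return user in _USERS and hmac.compare_digest(stored, candidate)


class ThrottlingGuard:
    """Scheme option 1: no more than max_guesses failed guesses per user within window seconds.

    The password is never verified while the user is throttled, so an attacker
    cannot keep testing candidates against a throttled account."""

    def __init__(self, max_guesses=10, window=300.0, clock=time.monotonic):
        self.max_guesses = max_guesses
        self.window = window  # assumption: a 5-minute window
        self.clock = clock
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures

    def attempt(self, user, password):
        now = self.clock()
        recent = self._failures[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop failures that have aged out of the window
        if len(recent) >= self.max_guesses:
            return "throttled"
        if verify_password(user, password):
            recent.clear()
            return "ok"
        recent.append(now)
        return "bad"


class LockoutGuard:
    """Scheme option 2: lock the account after max_failures consecutive failures.

    While locked, even the correct password is refused, so continuing to guess
    gains the attacker nothing; the counter resets on a successful login."""

    def __init__(self, max_failures=10, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout  # assumption: a 15-minute lock
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user, password):
        now = self.clock()
        if now < self._locked_until.get(user, 0.0):
            return "locked"
        if verify_password(user, password):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = 0
            return "locked"
        return "bad"


class FakeClock:
    """Manual clock so the demo does not have to wait real minutes."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Run a constructed 12-guess attack against both guards and return the outcomes."""
    clock = FakeClock()
    throttle = ThrottlingGuard(clock=clock)
    lockout = LockoutGuard(clock=clock)
    wrong_guesses = [f"guess{i}" for i in range(12)]

    throttle_results = [throttle.attempt("alice", pw) for pw in wrong_guesses]
    clock.advance(300)  # window elapsed: the legitimate user can log in again
    throttle_after_window = throttle.attempt("alice", "correct horse battery")

    lockout_results = [lockout.attempt("alice", pw) for pw in wrong_guesses]
    correct_while_locked = lockout.attempt("alice", "correct horse battery")
    clock.advance(900)  # lock expired
    lockout_after_expiry = lockout.attempt("alice", "correct horse battery")

    return {
        "throttle": throttle_results,
        "throttle_after_window": throttle_after_window,
        "lockout": lockout_results,
        "lockout_correct_while_locked": correct_while_locked,
        "lockout_after_expiry": lockout_after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details matter for the control to be effective. The guard must refuse the attempt before the password is checked, otherwise a throttled or locked account can still be used as an oracle for guesses; and the failure counter must be keyed on the account, not on the client address, or an attacker simply rotates source IPs. The same logic applies to device unlock PINs, with the platform's lock screen taking the place of the login endpoint.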
What are the Key Changes You Will See When Completing the Questionnaire?
Those of you who have completed a Cyber Essentials questionnaire before will be glad to hear that the new one isn't too different. There are new questions, of course, but most of them cover topics that were previously folded into an existing question and, because of the changing work and threat landscape, have now been given a question of their own. The new questions come with the following requirements:
You must:
• List all cloud services that you use which are provided by third parties.
• Detail how firewall controls are applied on BYOD devices that are not connected to your internal network.
• Ensure that end-user devices with access to organisational software and services are configured to lock.
• Describe the methods used to unlock devices and the measures that protect those unlock credentials from guessing attacks.
• Describe how you protect accounts in your organisation against password-guessing attacks.
• Describe the technical controls you use to manage the quality of passwords within your organisation.
• Explain how you encourage people to use unique and strong passwords.
What Changes Were Made to Cyber Essentials Plus?
All of the above changes have also been applied to the Plus accreditation; the difference is that there are additional tests as part of this assessment process.
In the first, the assessor confirms that user and administrative accounts are kept separate; in the second, the assessor confirms that your organisation has successfully implemented multi-factor authentication for access to cloud services.
As inconvenient as these changes can be, the extra precautions will only benefit your organisation going forward. As cyber threats become more common and more sophisticated, your security measures have to keep pace, and Cyber Essentials gives you a checklist for doing so.
Armco IT: IT Support and Managed Services for Businesses Across York, North and East Yorkshire
There’s nothing we love more than seeing Yorkshire businesses flourish by harnessing the power of IT. Our team of dedicated engineers stands ready to help you overcome any technical challenge and deliver tailored solutions that help your business meet its goals and growth ambitions. From our base in Malton, we deliver proactive IT support and services across York, North and East Yorkshire. We have a strong track record in delivering impactful IT to clients across a wide range of sectors, including manufacturing, design and insurance, among many others. We focus on maintaining, optimising and securing your digital estate, so you can focus on the growth and success of your business. Contact our team and let us start our journey together today.