An ever-changing digital landscape, the widespread use of cloud services and a move to home and hybrid working are behind the biggest update to Cyber Essentials since its launch in 2014.
With a new question set comes a new version name: this will be known as the Evendine question set.
The changes will take effect for all applicants from 24th January 2022. To help you understand what these changes may mean for you, we provide an outline of the major changes below.
Homeworker? Your router isn’t in scope unless provided by the applicant company
Home routers provided by ISPs or by the homeworker are out of scope. The Cyber Essentials firewall controls are transferred to the home worker’s device (laptop, tablet and/or phone).
Routers supplied by the applicant company *are* in scope and must have the Cyber Essentials controls applied to them. The use of a corporate (single tunnel) VPN transfers the boundary to the corporate firewall/virtual cloud firewall.
All Cloud services are in scope. Multi-factor authentication must be used to access these
Use of MFA to access any cloud service is a requirement for administrator accounts from January 2022, and for *all* accounts from January 2023.
This covers Software as a Service, Infrastructure as a Service, and Platform as a Service (SaaS, IaaS and PaaS). Examples of these include:
- SaaS – Microsoft 365, Google Workspace, Dropbox, HubSpot
- IaaS – Servers (Windows or Linux) hosted in Microsoft Azure or AWS EC2
- PaaS – AWS Lambda, Google App Engine
New password requirements, and protections against brute-force attacks
At least one of the following protections should be used to protect against brute-force password guessing:
- Use of multi-factor authentication
- Throttling the rate of unsuccessful or guessed attempts.
- Locking accounts after no more than 10 unsuccessful attempts.
Technical controls are to be used to manage the quality of passwords. This includes one of the following:
- Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions.
- A minimum password length of at least 12 characters, with no maximum length restrictions.
- A minimum password length of at least 8 characters, with no maximum length restrictions and automatic blocking of common passwords using a deny list.
It is now recommended that three random words are used to create a password that is long, difficult to guess and unique.
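As an added example that is not part of the original article, the following Python encodes the two password rules above (the password-quality options and the brute-force protections) as a checker an organisation could run over its own inventory of authentication settings before self-assessment. The `PasswordControls` fields and the sample systems are constructed assumptions, not anything from the Cyber Essentials question set.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordControls:
    """One system's authentication settings (assumed field names, constructed for this example)."""
    mfa_enabled: bool
    min_length: int
    max_length: Optional[int]         # None = no maximum length restriction
    deny_list_enabled: bool           # automatic blocking of common passwords
    throttling_enabled: bool          # rate-limiting of unsuccessful attempts
    lockout_threshold: Optional[int]  # None = accounts never lock


def meets_quality_requirement(c: PasswordControls) -> bool:
    """Evendine password-quality rule: one of three options, each requiring no maximum length."""
    if c.max_length is not None:
        return False  # every option requires no maximum length restriction
    return (
        (c.mfa_enabled and c.min_length >= 8)
        or c.min_length >= 12
        or (c.min_length >= 8 and c.deny_list_enabled)
    )


def meets_brute_force_requirement(c: PasswordControls) -> bool:
    """Evendine brute-force rule: MFA, throttling, or lockout after no more than 10 failures."""
    if c.mfa_enabled or c.throttling_enabled:
        return True
    return c.lockout_threshold is not None and 0 < c.lockout_threshold <= 10


def findings(c: PasswordControls) -> List[str]:
    """Return the gaps an assessor would raise; an empty list means both rules are met."""
    gaps = []
    if not meets_quality_requirement(c):
        gaps.append("password quality: need MFA + 8 chars, 12 chars, or 8 chars + deny list, with no maximum length")
    if not meets_brute_force_requirement(c):
        gaps.append("brute force: need MFA, throttling, or lockout after at most 10 unsuccessful attempts")
    return gaps


# Constructed sample inventory (not from the original page).
SAMPLE_SYSTEMS = {
    "vpn-gateway": PasswordControls(True, 8, None, False, False, None),
    "legacy-crm": PasswordControls(False, 8, 16, True, False, 20),
    "file-server": PasswordControls(False, 12, None, False, False, 10),
}

if __name__ == "__main__":
    for name, controls in SAMPLE_SYSTEMS.items():
        print(name, findings(controls) or "compliant")
```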
The scope of an organisation must include end-user devices
If an organisation certifies only its server systems, it ignores the threats that come from the administrators who administer those systems. The change to this requirement closes the loophole where organisations were able to certify without including any end user devices. Cyber Essentials must now include end point devices.
Thin clients are in scope
A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet. Thin Clients need to be supported and receiving security updates – this is a recommendation at present, becoming a requirement from January 2023.
All high & critical updates must be applied within 14 days
All software in scope must be updated within 14 days of an update being released, where:
- The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
- The update addresses vulnerabilities with a CVSS v3 score of 7 or above
- There are no details provided by the vendor of the level of vulnerabilities the update fixes.
Guidance on backing up
Backing up your data is not a requirement of Cyber Essentials; however, there is now guidance on backing up important data, and implementing an appropriate backup solution is highly recommended. In our opinion it is not only highly recommended, it is absolutely vital.
Cyber Essentials Plus changes – two additional tests
Cyber Essentials Plus assessors will now also check for the following:
- Test to confirm account separation between user and administration accounts
- Test to confirm MFA is required for access to cloud services.