Cyber Essentials Scheme, 2022

The National Cyber Security Centre (NCSC) introduced a big update to the Cyber Essentials technical control in January 2022. The technical control in the updated scheme is a big overhaul of the one launched in 2014, made in response to the evolving cyber security challenges that we face today.

Over the last year and a half, we have seen a considerable change in the way we work due to the global pandemic, and these changes happened very quickly. The speed of this digital transformation has become normal for many people, as they work from home and as companies adopt a hybrid working style.

The changes in the most recent update to Cyber Essentials reflect this transformation. This government-backed scheme aims to help businesses of all sizes defend against the most common cyber threats. We have summarised the changes that came into effect in 2022.

Update 1: Home Working

When the Cyber Essentials scheme was first introduced, working from home was an exception in most cases, but as we have seen in the last year and a half, it has become the new normal. Internet service providers' routers have been taken out of scope, as the NCSC does not expect individuals to configure routers correctly, even with guidance.

SAR Computing recommends you reach out to make sure that firewall controls are correctly applied to end-user devices. Contact us for more information on this.

Update 2: Password & Multi-Factor Authentication

Most people will now be familiar with the extra layer of protection that multi-factor authentication (MFA) offers. The new update includes guidance from the NCSC on choosing the right additional factor for your business. It explains the importance of choosing an extra layer of protection that is usable and accessible to employees. The guidance on the password requirement has also been updated to reference the government’s “Three random words” advice; although this isn’t a mandatory approach for Cyber Essentials, it is good practice. Cyber Essentials also encourages the use of other password security methods, such as using a password manager.

Update 3: Cloud Services

The NCSC has implemented a shared responsibility model whereby each party’s accountability is clear. This is a common method that directs the security obligations of each party. The NCSC has also added a few guides to help organisations control the three main types of cloud service: IaaS, PaaS, and SaaS. However, the responsibility remains on the applicant to ensure that the cloud provider is implementing services correctly.

If you have any questions regarding these changes, or if you’d like to speak to us to help you implement these into your IT environment, please contact us!