Cyber Essentials is a UK government-backed scheme designed to help businesses avoid cyber-attacks. It covers the basic controls that every business should have in place to protect itself, such as:
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
Because the scheme was launched in 2014, it must be kept up to date with advances in technology and with the threats that come with them.
Since the beginning of the first lockdown, many people have been working from home and continue to do so. However, many of them do not use ‘work’ devices or laptops to do so. Although this saves the company money, each of these computers now has to go through the Cyber Essentials scheme: it must have antivirus software installed and be patched regularly. Home routers are no longer part of the scope.
Many businesses neglect the security of their cloud services, assuming it is all taken care of, when in fact these systems are not secure when you first start using them and additional configuration needs to be applied. This is why cloud services have become part of the Cyber Essentials scheme. Cloud services such as Microsoft 365 provide a place to check through mailboxes and remove the accounts of people who are no longer with the business. People with admin access may have it removed if it is deemed that they do not need it, which means all admin access must be reviewed as part of the scheme. Another major change for cloud services is that where the cloud service provider is responsible for some of the Cyber Essentials controls, such as patching or secure configuration, the business using the cloud service must obtain evidence from the provider that it is carrying them out.
Cloud service admin accounts must now have multi-factor authentication in place, and from January 2023 all cloud service users must have multi-factor authentication. However, we recommend enabling multi-factor authentication as soon as possible, as it makes your accounts and data much more secure against hackers and cyber-attacks.
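The two review requirements above (remove accounts of leavers, review and justify admin access, and confirm multi-factor authentication on admin accounts now and on all accounts from January 2023) can be turned into a repeatable check over an account export. The following is an added example, not code from the article or from any cloud provider; the CSV columns (upn, active_employee, is_admin, mfa_enabled, admin_justified) and the sample rows are constructed for illustration and do not match any real export format.

```python
"""Access-review helper over a constructed cloud-tenant account export.

Added example. The column names below are assumptions for this example,
not a real admin-portal schema: 'active_employee' would normally come from
the HR system, 'admin_justified' from a record of approved business need.
"""
import csv
import io
from typing import Dict, List

# Constructed sample export (not real accounts or a real provider format).
SAMPLE_EXPORT = """upn,active_employee,is_admin,mfa_enabled,admin_justified
alice@example.com,yes,yes,yes,yes
bob@example.com,yes,yes,no,yes
carol@example.com,yes,yes,yes,no
dave@example.com,no,no,yes,no
erin@example.com,yes,no,no,no
"""


def _flag(value: str) -> bool:
    """Interpret a yes/no column as a boolean."""
    return value.strip().lower() in ("yes", "true", "1")


def review_accounts(export_csv: str) -> Dict[str, List[str]]:
    """Return review findings keyed by category.

    leavers            - accounts of people no longer with the business (remove)
    admin_no_mfa       - admin accounts without MFA (required now)
    admin_unjustified  - admin rights with no recorded need (remove the role)
    user_no_mfa        - non-admin users without MFA (required from January 2023)
    """
    findings: Dict[str, List[str]] = {
        "leavers": [],
        "admin_no_mfa": [],
        "admin_unjustified": [],
        "user_no_mfa": [],
    }
    for row in csv.DictReader(io.StringIO(export_csv)):
        upn = row["upn"]
        if not _flag(row["active_employee"]):
            # A leaver's account should be removed outright, so no further checks.
            findings["leavers"].append(upn)
            continue
        if _flag(row["is_admin"]):
            if not _flag(row["mfa_enabled"]):
                findings["admin_no_mfa"].append(upn)
            if not _flag(row["admin_justified"]):
                findings["admin_unjustified"].append(upn)
        elif not _flag(row["mfa_enabled"]):
            findings["user_no_mfa"].append(upn)
    return findings


if __name__ == "__main__":
    for category, upns in review_accounts(SAMPLE_EXPORT).items():
        print(f"{category}: {', '.join(upns) or 'none'}")
```

The output of such a check is the evidence an assessor asks for: a dated list of leavers removed, admin roles confirmed or revoked, and accounts still lacking multi-factor authentication. Running it on a schedule, rather than once before certification, is what keeps the review meaningful.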
Increasing Password Security
This builds on the multi-factor authentication requirement described above. If a service can be accessed without multi-factor authentication enabled, the minimum password length rises from 8 to 12 characters. Alternatively, the minimum can stay at 8 characters, but the password must then be more complex. Because many people still use simple or basic passwords, this will prevent them. Advice will be given on how to create passwords, such as using three random words or including characters such as exclamation marks and numbers.
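The rule in the paragraph above is simple enough to encode as a check that a service can apply when a user sets a password. This is an added example and not the scheme's own wording or tooling: what counts as "more complex" for the 8-character route is an assumption here (at least three of the four character classes: lower case, upper case, digits, symbols), and the small word list used for the three-random-words passphrase is constructed for illustration; a real list should be far larger.

```python
"""Password acceptance check following the MFA-dependent length rule (added example).

Rule as the article describes it:
  - MFA enabled:   minimum 8 characters.
  - MFA not enabled: minimum 12 characters, or minimum 8 with extra complexity.
The complexity definition below (>= 3 character classes) is an assumption.
"""
import secrets
import string
from typing import Sequence, Tuple


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def password_acceptable(password: str, mfa_enabled: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if mfa_enabled:
        if len(password) >= 8:
            return True, "ok"
        return False, "needs at least 8 characters"
    if len(password) >= 12:
        return True, "ok"
    if len(password) >= 8 and character_classes(password) >= 3:
        return True, "ok"
    return False, ("without MFA: use 12 or more characters, or 8 or more "
                   "characters mixing at least three character classes")


# Constructed word list, deliberately tiny; a real list needs thousands of words
# for a three-word passphrase to be strong.
SAMPLE_WORDS = ("kettle", "orbit", "meadow", "cinder", "velvet", "harbour",
                "lantern", "pebble", "saffron", "thistle")


def three_random_words(wordlist: Sequence[str] = SAMPLE_WORDS, count: int = 3) -> str:
    """Build a passphrase in the 'three random words' style using a CSPRNG."""
    return "-".join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    for pw, mfa in [("winter2021", True), ("winter2021", False),
                    ("Tr0ub4dor!", False), ("correct-horse-battery", False)]:
        print(pw, "mfa" if mfa else "no-mfa", password_acceptable(pw, mfa))
    print("suggested passphrase:", three_random_words())
```

The point of branching on `mfa_enabled` is that the scheme lets a second factor compensate for a shorter password; the moment MFA is removed from a service, the stricter length or complexity rule has to apply, so the check should read the current MFA state rather than a value fixed at enrolment.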
Inclusion of Thin Client
A thin client is a device that connects to a cloud service but is not a full computer in its own right. These now have to be secured and maintained regularly, whereas previously they were excluded.
In many businesses, employees can access work emails and data on personal smartphones. Since January, smartphones have been part of the scope and must therefore be patched and kept up to date. Testing and managing people’s personal phones is something many employees will not like, so businesses can instead supply a work phone if they wish their employees to have access and be reachable outside the workplace. However, if personal phones are used for applications such as Microsoft Authenticator, or to receive text messages as part of multi-factor authentication, they are not included in the scope and therefore do not need to be tested and managed.
Guidance on Backing up
There will not be any testing to check whether a business has backups, or sufficient backups; however, guidance will be provided on having and obtaining backups. We recommend that you certainly keep backups of your data in case of an incident such as a cyber-attack.
All servers and networks are now part of the scheme. This may seem confusing, as if it were already obvious; however, some businesses have in the past excluded certain offices and networks from the Cyber Essentials scheme. This will no longer be allowed: the entire network will be checked and form part of the scope.