Cyber Essential Changes from January 2022

Integral IT - Cyber Essential Changes From January 2022

Share This Post

Cyber Essential is a government-backed scheme in the UK designed to help businesses avoid cyber-attacks. It covers the basics that every business should have in order to protect itself, such as:

  • Firewall
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patron Management

We have a separate blog on these as well as a YouTube video.

As this scheme was launched in 2014, it must be kept up to date with technology as well as its advances and threats.

Home Devices


Since the beginning of the first lockdown, many people have been and continue to work at home. However, many of these people do not use ‘work’ devices/laptops to work on. Although this saves the company money, these computers each have to go through the Cyber Essentials scheme and have antivirus software installed as well as being patched regularly. Home routers are no longer a part of the scope.

Cloud Services


Many businesses neglect the security of the Cloud device, assuming that it’s all taken care of when these systems are not secure when you first start using them. Additional configuration needs to be applied. This is why they have become a part of the Cyber Essentials scheme. Cloud services like Microsoft 365 will have a checking place which will enable people to check through mailboxes and remove those who are not still with the business. People with admin access may be removed from having it if it is deemed that they do not need it. This means all admin access needs to be reviewed as a part of the scheme. Another massive change in Cloud services is that if the Cloud service provider is responsible for some Cyber Essentials such as patching or secure configuration, those using the Cloud management must get evidence from the provider that they are completing it.

Multi-factor Authentication


Cloud service admin accounts now must have multi-factor authentication in place, and from January 2023, all Cloud service users must have multi-factor authentication. However, we recommend enabling multi-factor as soon as possible as it makes your accounts and data much more secure from hackers and cyber-attacks.

Increasing Password Security


This builds on the previously mentioned Multifactor Authentication. If someone were to try to access a service with no Multi-Factor Authentication being enabled, this would mean that the password character requirement would go up from 8 to 12 characters. Alternatively, the characters can stay at 8 characters; however, the password must be more complex. Because many people still use simple or basic passwords, this will be prevented.  Advice will be given on how to create passwords, such as using three random words or different characters like exclamation marks and numbers.

Inclusion of Thin Client


A thin client is a device that connects to a Cloud service that is not an entire computer. These are now required to be secured and maintained regularly, as previously they were excluded.



In many businesses, employees can access work emails and data on personal smartphones. Since January, smartphones have become a part of the scope, and they, therefore, must be patched and up to date. To prevent testing and managing people’s phones, which many employees will not like.  Businesses can supply a work phone if they wish their employees to have access and be accessible outside of the workplace. However, if personal telephones are being used for applications such as Microsoft authenticator or receive texts as part of multi-factor authentication, they will not be included in the scope and, therefore, will not need to be tested and managed.

Guidance on Backing up


There will not be any testing to see if a business has backup or sufficient backup; however, guidance will be provided for having and getting backup. We recommend that you certainly have backups of your data in case of an incident such as a cyber-attack.

Whole Networks


All servers and networks are now a part of the scheme. This may seem confusing and like this was already obvious; however, some businesses in the past have excluded certain offices and networks from the Cyber Essential scheme. This will no longer be allowed, and the entire network will be checked and a part of the scope.

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

How to use Microsoft to do

The ULTIMATE Microsoft To Do Tutorial

How do you handle your to-do lists? Do you write tasks on scraps of paper? Or do you pop them in a notebook? Perhaps you have a digital application such as Todoist!  If you’re a Microsoft 365 user, you already pay for a task management system! It is called Microsoft To Do.  We all have

Zero Trust Holy Grail

Is Zero Trust Security The Holy Grail OF Cyber Security?

USA president, Joe Biden, thinks that Zero Trust is the way to go in your cyber security journey, but, what is Zero Trust, and what does it mean for your business?  When it comes to your business, I’m sure you’ve got a strategy in place for how you’re going to win new business, market your

Scroll to Top