Cyber Essential Changes from January 2022

Integral IT - Cyber Essential Changes From January 2022

Share This Post

Cyber Essential is a government-backed scheme in the UK designed to help businesses avoid cyber-attacks. It covers the basics that every business should have in order to protect itself, such as:

  • Firewall
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patron Management

We have a separate blog on these as well as a YouTube video.

As this scheme was launched in 2014, it must be kept up to date with technology as well as its advances and threats.

Home Devices


Since the beginning of the first lockdown, many people have been and continue to work at home. However, many of these people do not use ‘work’ devices/laptops to work on. Although this saves the company money, these computers each have to go through the Cyber Essentials scheme and have antivirus software installed as well as being patched regularly. Home routers are no longer a part of the scope.

Cloud Services


Many businesses neglect the security of the Cloud device, assuming that it’s all taken care of when these systems are not secure when you first start using them. Additional configuration needs to be applied. This is why they have become a part of the Cyber Essentials scheme. Cloud services like Microsoft 365 will have a checking place which will enable people to check through mailboxes and remove those who are not still with the business. People with admin access may be removed from having it if it is deemed that they do not need it. This means all admin access needs to be reviewed as a part of the scheme. Another massive change in Cloud services is that if the Cloud service provider is responsible for some Cyber Essentials such as patching or secure configuration, those using the Cloud management must get evidence from the provider that they are completing it.

Multi-factor Authentication


Cloud service admin accounts now must have multi-factor authentication in place, and from January 2023, all Cloud service users must have multi-factor authentication. However, we recommend enabling multi-factor as soon as possible as it makes your accounts and data much more secure from hackers and cyber-attacks.

Increasing Password Security


This builds on the previously mentioned Multifactor Authentication. If someone were to try to access a service with no Multi-Factor Authentication being enabled, this would mean that the password character requirement would go up from 8 to 12 characters. Alternatively, the characters can stay at 8 characters; however, the password must be more complex. Because many people still use simple or basic passwords, this will be prevented.  Advice will be given on how to create passwords, such as using three random words or different characters like exclamation marks and numbers.

Inclusion of Thin Client


A thin client is a device that connects to a Cloud service that is not an entire computer. These are now required to be secured and maintained regularly, as previously they were excluded.



In many businesses, employees can access work emails and data on personal smartphones. Since January, smartphones have become a part of the scope, and they, therefore, must be patched and up to date. To prevent testing and managing people’s phones, which many employees will not like.  Businesses can supply a work phone if they wish their employees to have access and be accessible outside of the workplace. However, if personal telephones are being used for applications such as Microsoft authenticator or receive texts as part of multi-factor authentication, they will not be included in the scope and, therefore, will not need to be tested and managed.

Guidance on Backing up


There will not be any testing to see if a business has backup or sufficient backup; however, guidance will be provided for having and getting backup. We recommend that you certainly have backups of your data in case of an incident such as a cyber-attack.

Whole Networks


All servers and networks are now a part of the scheme. This may seem confusing and like this was already obvious; however, some businesses in the past have excluded certain offices and networks from the Cyber Essential scheme. This will no longer be allowed, and the entire network will be checked and a part of the scope.

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

How quickly should you get your IT problems fixed?
IT Security

How Quickly Should Your IT Problems Get Fixed?

IT Problems are probably one of the most frustrating things that can happen within your business. What are you to do when you’ve got deadlines to meet, or you’re working from home and can’t access anything? Are you then expected to contact your IT support and wait? How long should you wait? The answers to

Hackers are Beating Multi-Factor Authentication

Just when your thought your cloud applications were secure by implementing multi-factor authentication, hackers are developing strategies to beat this defence. If you didn’t already know, Multi-factor authentication is an essential part of your IT security for logging into your devices and cloud applications. With multi-factor authentication, you need to enter your username and password

Scroll to Top