Cyber Essentials Updates Business Leaders Should Understand
As a business leader, you should be aware that on the 30th of November 2021, the National Cyber Security Centre (NCSC) announced changes to the requirements of the existing Cyber Essentials and Cyber Essentials Plus certifications, which became effective on 24th January 2022. As this is the most significant update of the scheme since it was released in 2014, businesses need to understand these updates to guarantee successful certification. With this in mind, we’ve written this article outlining the Cyber Essentials updates business leaders should know, so that those considering getting certified are aware of all revisions and know where to get relevant assistance.
Why Are Changes Being Made?
This recent update is the biggest since the scheme launched in 2014, and it responds to the ever-growing threat of cybercrime that businesses face. Over the past several years, the way companies operate has changed significantly through remote working, cloud applications, and more. These changes have provided businesses with tremendous benefits but have also subjected them to a fresh wave of cyberattacks. The updates have therefore been made to protect businesses in ever-changing work conditions and ensure their safety.
What Are The Main Changes To The Requirements?
First and foremost, business leaders should be aware of the main changes to Cyber Essentials and Cyber Essentials Plus requirements, which we outline below.
- Bring Your Own Device (BYOD) – Cyber Essentials has always covered company-owned electronic devices such as mobile phones and laptops. However, under the recent changes to the requirements, personal devices used to access company data must now fall under the scope of Cyber Essentials. The only exception is if they are solely used for native voice/text applications or multi-factor authentication.
- Remote Working, Routers and Wireless Devices – Cyber Essentials firewall controls must be implemented unless the company has issued the equipment. Wireless devices are only in scope if they can communicate with other devices through an internet connection. They are not in scope if a threat is unable to attack without going directly through the internet, or if the router is a home-based or user-owned ISP router.
- Cloud Services and Web Applications – If a business uses a cloud service, it is now responsible for implementing controls such as multi-factor authentication. Web applications have now been added to the scope.
What Do Businesses Need To Do?
If your business is currently certified for Cyber Essentials, then rest assured that you will not have to do anything until your renewal date, as your current certification will remain active. However, we still recommend familiarising yourself with the changes to the requirements so that you are prepared when you come to reapply. If your business is currently going through the Cyber Essentials process, the previous standard will continue to be used, and you’ll have until the 24th of July to complete it under this standard.
Businesses seeking certification after 24th January will have to use the new standards. If you’d like any assistance, take advantage of the knowledge of managed service providers Texaport, who will be able to offer advice and support your business throughout its Cyber Essentials journey. Peruse their website for more information on their offering and to see how utilising their services in the future could help your business.