At the end of January 2022, the National Cyber Security Centre (NCSC) introduced what they described as “the biggest update to Cyber Essentials technical controls since it was launched”. They also updated the certification fee structure.
In this blog, we examine these changes and explore how they are likely to affect small businesses.
For those of you who may be uncertain what Cyber Essentials is all about, it is a government-backed scheme that was introduced in 2014. It’s designed to help businesses implement the basics of cyber security and prevent common forms of cyber-attacks. In many ways, it’s like having a regular MOT on your vehicle to ensure that it is safe for use on the roads.
These are the key changes that we believe will impact small businesses:
1. Changes to Certification Fees
Since the scheme’s introduction, the cost of Cyber Essentials Basic hasn’t changed from a flat rate of £300, no matter what the size of the organisation. The 2022 refresh introduces fees based on organisation size.
2. Working From Home
Homeworking is now specifically identified but the ‘technical controls’ requirement is more applicable to larger organisations.
For smaller businesses, the good news is that, if an ISP-supplied router is in use, and the PCs and smartphones used by the home-worker comply with the wider Cyber Essentials requirements, then no further configuration should be necessary.
3. Hardware Lists
Previously, it was a requirement to list all mobile devices connected to the organisation by their manufacturer, model number, and software version. This was to prove that hardware and software were being supported by the original manufacturer through security updates etc. However, when it came to endpoint devices (like laptops, workstations, and servers), it was only necessary to identify the operating systems in use.
This anomaly has been removed, and full details of all endpoint hardware must now be listed.
What is not so clear-cut, though, is at what stage hardware will be deemed non-compliant. For example, a 10-year-old E71 Lenovo workstation might be running the latest version of Windows 10 (21H2) without issues, even though Lenovo only provide driver software with stated compatibility up to Windows 7.
Given the financial pressures that many small businesses experience, deeming this non-compliant could be viewed as a negative step. However, we believe that encouraging businesses to plan sensibly for hardware replacement will be beneficial to them in the longer term.
Microsoft will also act as a catalyst for hardware replacement with the introduction of Windows 11. As a rule of thumb, PCs running Windows 10 will be unable to upgrade to Windows 11 if they were manufactured before 2018. (They must be running at least an 8th generation Intel processor which was introduced in that year).
Windows 10 will be supported until 2025, so there is no need to panic, but the inference is clear.
4. Cloud Services are now in Scope
A lot has changed since 2014. Cloud services such as Microsoft 365 and Xero Accounting now dominate the small business software landscape by providing a flexible and scalable alternative to programs historically installed on a local server. Anyone remember MS Small Business Server …?
This shift, and the increased cyber risk that cloud service adoption can pose unless controls are maintained, has been recognised in Cyber Essentials 2022. These services now need to be identified and are subject to similar security configurations as on-premise installations.
5. Multi-Factor Authentication is Mandatory
Multi-Factor Authentication (MFA) is no longer a ‘nice to have’ feature. It’s now a mandatory requirement for accessing cloud services and administration functions.
Although the mandatory aspect only applies to ‘Administrator’ account logins right now, this limitation will change next year when MFA will be required across the board for all users.
Since Microsoft 365 is probably the most common cloud service, now is the time to get ready.
So, that’s our quick summary for small businesses. If you want a more comprehensive description of the changes, then IASME (who are responsible for the delivery of the scheme) provide that here.
If you still have unanswered questions about the recent changes to the scheme or you’d like to find out about obtaining Cyber Essentials for your business, simply get in touch for a no-obligation chat.