19 Jan. Cyber Essentials Changes: Infrastructure and Pricing
Cyber Essentials – a reminder
As covered in our recent series of blogs on the subject, and as you are no doubt aware, Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It sets out a baseline of technical controls that help organisations protect themselves against the most common cyber-attacks and other online threats.
Beyond the controls themselves, the scheme places weight on staff engagement: improving vigilance and adherence to security policies through training and internal communications that explain the dangers of cyber-attacks and why the security measures matter.
Cyber Essentials also advises organisations to review their security posture frequently and rigorously, because the sophistication and aggression of cyber-attacks continue to increase.
Cyber Essentials – What is changing?
The NCSC is updating the Cyber Essentials requirements to help organisations improve their security. Additional guidance on best practice for data backups will be published alongside the update, but backups will not become a requirement for certification; they are strongly encouraged.
Pricing is moving to a tiered structure in which larger organisations pay more. This reflects the greater complexity of assessing a larger estate and the additional assessor time involved.
The main changes to requirements for Cyber Essentials are outlined below.
Cyber Essentials will now cover all cloud services an organisation uses to host its data or services, and all devices (mobile phones, laptops, desktops and so on, including those used for home working) that can access any part of those services or networks. Multi-factor authentication (MFA) will be required on cloud services as standard wherever the service supports it.
Improving password policies
To protect against brute-force attacks, where attackers guess passwords by password spraying or by using personal information gathered through social engineering, strict password policies must apply to all systems and networks.
In practice this means technical controls rather than written guidance alone: throttling or locking out accounts after a small number of failed attempts (the scheme specifies no more than 10 guesses in 5 minutes, or a lock after no more than 10 failed attempts), and managing password quality by at least one of MFA combined with a password of at least 8 characters, a minimum length of 12 characters with no maximum, or a minimum length of 8 characters together with automatic blocking of common passwords using a deny list. Note that the scheme does not ask for character-variety (complexity) rules; length and deny lists are preferred.
All devices must be locked with a password or PIN of at least six characters, or with a biometric factor (facial recognition, voice, fingerprint identification, etc).
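The two controls above, a password-quality check and a brute-force throttle, are small enough to show in working code. The following is an added example written for this post; it is not code from the NCSC, IASME or any Cyber Essentials assessor. The thresholds (10 failed attempts, 10 guesses per 5 minutes, 8- and 12-character minimums) follow the requirement text above; the deny list and the usernames in the demo are constructed for illustration, and a real deployment would load a full common-password list.

```python
"""Cyber Essentials style password controls: quality check and brute-force throttle.

Added example; not part of the Cyber Essentials scheme's own material.
"""
from collections import deque
from typing import Callable, Deque, Dict, List, Set

# Constructed deny list for illustration; use a full common/breached-password list in practice.
COMMON_PASSWORDS: Set[str] = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def password_meets_policy(password: str, mfa_enabled: bool,
                          deny_list: Set[str] = COMMON_PASSWORDS) -> bool:
    """Accept a password if it satisfies at least one of the scheme's options.

    Option 1: MFA in use and the password is at least 8 characters.
    Option 2: at least 12 characters (no maximum length is imposed).
    Option 3: at least 8 characters and not on the common-password deny list.
    No character-variety rules are applied; length and the deny list do the work.
    """
    if mfa_enabled and len(password) >= 8:
        return True
    if len(password) >= 12:
        return True
    if len(password) >= 8 and password.lower() not in deny_list:
        return True
    return False


class LoginThrottle:
    """Brute-force protection: rate limit per account and lock after repeated failures.

    Defaults match the scheme's figures: no more than 10 guesses in 5 minutes,
    and an account lock after 10 consecutive failed attempts.
    """

    def __init__(self, lock_after: int = 10, window_seconds: float = 300.0,
                 max_per_window: int = 10) -> None:
        self.lock_after = lock_after
        self.window_seconds = window_seconds
        self.max_per_window = max_per_window
        self._recent: Dict[str, Deque[float]] = {}   # username -> timestamps of attempts in window
        self._failures: Dict[str, int] = {}          # username -> consecutive failures
        self._locked: Set[str] = set()

    def attempt(self, username: str, verify: Callable[[], bool], now: float) -> str:
        """Process one login attempt and return "locked", "throttled", "ok" or "denied".

        `verify` is only called once the throttle allows the attempt, so a rate-limited
        request never exercises the credential check (no extra guesses, no timing oracle).
        `now` is injected so the behaviour is deterministic and testable.
        """
        if username in self._locked:
            return "locked"
        recent = self._recent.setdefault(username, deque())
        while recent and now - recent[0] > self.window_seconds:  # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return "throttled"
        recent.append(now)
        if verify():
            self._failures[username] = 0   # a genuine login resets the failure streak
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= self.lock_after:
            self._locked.add(username)     # manual unlock or time-based release is a policy choice
            return "locked"
        return "denied"


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one account locked by failures, one rate limited by volume."""
    throttle = LoginThrottle()
    # "alice": ten wrong guesses in quick succession -> locked on the tenth, stays locked.
    alice = [throttle.attempt("alice", lambda: False, now=float(i)) for i in range(10)]
    alice.append(throttle.attempt("alice", lambda: True, now=10.0))
    # "bob": nine wrong guesses then a correct one within five minutes; the eleventh
    # attempt is throttled even though the password is right, and is allowed again
    # once the window has passed.
    bob = [throttle.attempt("bob", lambda: False, now=100.0 + i) for i in range(9)]
    bob.append(throttle.attempt("bob", lambda: True, now=109.0))
    bob.append(throttle.attempt("bob", lambda: True, now=110.0))
    bob.append(throttle.attempt("bob", lambda: True, now=410.0))
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    for user, outcomes in demo().items():
        print(user, outcomes)
```

The throttle keys on the username only; a spraying attacker who rotates usernames will not trip the per-account counter, so in practice pair it with a per-source-IP limit and monitoring for many accounts each receiving a handful of failures.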
Software updates and administration accounts
An organisation must only run licensed software that is still supported by its vendor, and must keep it up to date: security updates that fix high or critical vulnerabilities are to be applied within 14 days of release, with patching treated as routine procedure rather than an occasional task. Software that is no longer supported should be removed from devices in scope.
Administrator accounts must not be used for standard user activities such as email and web browsing. Every person needs a separate standard account for day-to-day work, with administrative privileges used only when an administrative task requires them.
Cyber Essentials revised pricing structure
The new tiered pricing structure for the updated Cyber Essentials scheme is set out below.
If you have any queries or concerns about Cyber Essentials and what it means for your organisation, contact us.