Nine months on… meeting the new Cyber Essentials requirements

Early this year, the Cyber Essentials scheme underwent its biggest shake-up since its launch. Now, nine months on, the Grant McGregor team considers what we’ve learnt and offers some advice about how your organisation can meet the new requirements.

In November 2021, the two organisations with responsibility for running the UK Government’s Cyber Essentials scheme announced that the requirements for organisations seeking certification would be changing. The changes came into effect from January 24, 2022.

What is Cyber Essentials?

For those of you unfamiliar with Cyber Essentials, it’s a government-backed scheme designed to help small and mid-size businesses around the UK to strengthen their cyber-security. It was originally launched in response to the number of small and mid-size businesses that were failing to implement even basic cyber security controls.

The scheme has been a great success since its launch. It has helped more than 30,000 UK organisations to strengthen and evidence their cyber security practices. However, technology has changed greatly in the eight years since the scheme was launched. To bring Cyber Essentials up to date with current risks and ways of working, the January 2022 changes were implemented.

How has the scheme changed?

You can find out the full details about how the Cyber Essentials scheme has changed in our earlier blog about the changes.

Essentially, the two major areas of change are:

• Multi-factor authentication

• End-user devices (and, especially, the correct implementation of firewall controls)

There is also additional guidance about the need for backup and recovery to mitigate the growing ransomware threat. This isn’t essential – but very advisable! Let’s look at how small and mid-size businesses can address these changes to the scheme and, in doing so, strengthen their cyber-security posture.

Multi-factor authentication

The Cyber Essentials changes brings the scheme in line with guidance from the UK’s National Cyber Security Centre (NCSC) around passwords and user authentication.

Ideally, you should implement multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions. Further, to unlock a locked device, biometrics or a password or pin length of 6 characters are required.

In addition, to protect against brute-force password-guessing attacks, at least one of the following should be implemented: multi-factor authentication; throttling the rate of unsuccessful or guessed attempts; locking accounts after no more than 10 unsuccessful attempts. We’d suggest implementing all three would be a good idea.

The security tools that come as standard within a Microsoft 365 Business Plus subscription provide many of the essential tools here. This includes being able to ensure secure remote access by configuring policies to strengthen your security, e.g. disable access from untrusted locations; only allow access from registered devices; enforce multi-factor authentication.

The Microsoft Authenticator App used in conjunction with Active Directory will help you to meet most requirements.

Managing end-user devices

The effective management of end-user devices requires a carrot-and-stick approach.

Standardising on a high-quality but affordable device that staff want to use is a good way to encourage compliance and reduce the use of unauthorised devices for work. The Microsoft Surface family of devices stands out here because of its tight integration with Microsoft tools like Autopilot and Intune.

If a nice device is the carrot, these tools are the stick. They enable you to create and enforce policies that prevent data leakage and secure all end devices, including Windows, IoS and Android.

This includes being able to ensure secure remote access by configuring policies to strengthen your security, e.g. disable access from untrusted locations; only allow access from registered devices; enforce multi-factor authentication. It also enables you to remotely wipe devices if they are lost or stolen.

The auto-provisioning that Autopilot enables also helps you to implement effective policies around the management of end devices for leavers and starters.

Backup and recovery

While the new additions to the Cyber Essentials scheme around backup and recovery are only guidance at the moment, we would advocate that you follow them. Effective backup and recovery are the only way to truly be sure your organisation can recover from a ransomware attack.

Developing a backup and recovery solution begins with analysing the desirable recovery point objectives and desirable recovery time objectives with leaders and users across the business. Once these have been defined, you will have a clear idea of what your backup solution must be able to do.

One often-overlooked element of backup and recovery is the backup of your Microsoft 365 deployment. Here, my team would recommend the use of a specialist cloud backup solution. This enables you to back up your Microsoft 365 data effortlessly including email items (emails, contacts & calendars), SharePoint, Teams and data from other cloud service providers too.

For a more tailored backup solution, please get in touch to arrange a consultation with our team.

What next?

For assistance with your Cyber Essentials preparation or certification – or for wider practical, unbiased security advice from technology experts – the Grant McGregor team is always on hand to help.

Call us: 0808 164 4142

Message us: www.grantmcgregor.co.uk/contact-us

About Cyber Essentials
Download our updated Cyber Essentials guide here:

Further information on cyber-security topics