Cyber Essentials update

The new Cyber Essentials question set is on its way in 2022; so what are the highlights of the biggest changes to the NCSC sponsored Cyber Compliance initiative since it began?

Let’s start off with the hardest challenge

The biggest change, and what businesses may experience as the hardest challenge is the implementation of mechanisms to prevent brute force attacks. What this means is when multiple password attempts are made to hack into your company data.

This may seem obvious and necessary when considering systems like firewalls or services that are accessible from the internet on corporate networks. However, the biggest challenge now is that PaaS and SaaS solutions are now in scope of Cyber Essentials.

So, what does this mean to businesses? In a nutshell any portal or service that contains business data is considered a SaaS and therefore in the scope of Cyber Essentials accreditation.

To be compliant, firstly businesses will need to understand and track what portals the business use, which from our perspective business should be doing already. Secondly, it’s essential to apply brute force protection by utilising multi factor authentication (2FA) on identified portals.

Why multi-factor authentication?

NCSC are expecting account separation from administration users and standard users, which may incur additional licensing costs for an organisation.

Furthermore, any administration accounts will be required to have 2FA in place to be compliant, when the new compliance requirements go live which is expected to be mid-January 2022. NCSC are offering a grace period for standard user 2FA to be implemented until January 2023 when this will be a requirement to be fully compliant.

Can the challenges be overcome?

Clearly, Cyber Essentials is becoming more and more challenging as it matures. And that is essential in order for the accreditation to ensure that organisations remain effective against growing threats now and on the horizon.

With other changes, challenges and refinements in the scheme now might be the time to move away from starting self-certification to using a consultation approach. Working with the right accredited ISAME consultancy is even more important as they can clarify the scheme, remove pressures and reduces your costs.

Cyber Essentials is still the accreditation that will be looked for in tenders and by insurers; it’s a very valid certification because ultimately the costs and risks of NOT being fully cyber secure could have a very detrimental outcome for your organisation.

This is where RDS can help, as a certification body for Cyber Essentials we are best placed to guide you through the challenges By providing clarity, reducing the pressure and helping you to achieve Cyber Essentials compliance in a what’s set to become a more challenging environment. By starting the journey with someone to guide you through the accreditation is likely to be faster and your IT best placed to achieve the accreditation.

Our answer is YES the challenges can be overcome and more importantly you will be more secure than before you started by nature of their requirements. It’s all about protecting your business, educational institute or charity.