Cyber Essentials Requirements Have Changed: Here’s What You Need to Know


Cyber Essentials Requirements Have Changed: Here’s What You Need to Know…

Cyber Essentials is a government scheme that covers your business and ensures you are protected against IT threats. By holding a certificate, you protect both your clients and your business from potential devastating threats and indicate how seriously you take IT security. If you would like to find out more about Cyber Essentials, read our handy guide here. In April 2021, changes were be made to the Cyber Essentials Requirements.

As a governing body, IASME reviews and makes the relevant updates to Cyber Essentials technical controls so that they are up to date and relevant. This ensures that Cyber Essentials is as effective as possible at protecting your software and devices against threats. Although no major updates have occurred, there is a series of changes to clarify to the requirements, effective from 26th April 2021. Here, we will help you understand exactly what you need to know about the Cyber Essentials requirement changes.

 

1. New Definitions for a Corporate Virtual Private Network (VPN), organisational services and organisational data.

  • A Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
  • Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.

Organisational data used to come under the wording “Business Data” but proved a bit too woolly, so two new definitions have been introduced.

  • Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.

Our thoughts..

A VPN (Virtual private network) is a way of securely connecting remote workers to other computers controlled by your organisation. This may be provided with a router that does this for you. The important thing to remember when using a VPN is that all traffic must be passed through your corporate firewall. This is so your organisation can control the traffic going to and from its computer systems and services. However, whilst apps like Nord VPN or Express VPN might be useful for protecting your anonymity online, they don’t give you the same end to end security as one provided by your organisation.

 

2. ‘Out of Scope’ Update for BYOD.

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).

Our thoughts…

If your organisation allows employees to access data or services owned by the company on their own personal devices, such as mobile phone, laptop etc, then the organisation must ensure that these devices comply in the same way corporate devices do. For example, they must use strong passwords, enable a firewall, have anti-malware installed and up-to-date, etc. It also quite common for a home user of a BYOD to automatically have full admin privileges on a device they own. However, this is not acceptable as part of CE and the user should have a separate login that does not have permission to install programs or change the configuration of the device. In other words, your home user device will need two accounts one for daily use and one just for admin tasks.

 

3. Clarifications on Internet Boundaries and Software Firewalls.

“A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol. Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.”

Our thoughts…

Firewalls are found where your device connects to a network, whether that’s from your computer, server, or from your connection to the internet via a router (which sometimes have an integrated firewall). Corporate networks normally have a separate device called a Firewall to protect and monitor traffic in and out of its network.

If you have employees that work from home, or remotely, and do not connect to the corporate network using a corporate VPN, then they must rely on the Firewall installed on the device they are using. For example, a Windows laptop of MacBook.

 

4. ‘Patch management’ control changed to ‘Security update management’.

Security update management.

Our thoughts…

It was thought that the expression, ‘patch management’ was too technical and ambiguous. The goal is to ensure any updates are made available, especially if they contain a fix for a high or critical vulnerability. This should be done within 14 days of the update becoming available. However, it is advisable to apply updates immediately.

 

 

5. Updated security update management control.

The Applicant must keep all its software up to date. Software must be:

  • licensed and supported
  • removed from devices when no longer supported
  • have automatic updates enabled where possible
  • updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
  • the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’
  • it has a severity the product vendor describes as ‘critical’ or ‘high risk’
  • there are no details of the vulnerability severity level the update fixes provided by the vendor.

For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.

*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.

Information

If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values:

  • attack vector: network only
  • attack complexity: low only
  • privileges required: none only
  • user interaction: none only
  • exploit code maturity: functional or high
  • report confidence: confirmed or high

Caution

Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues, then it must be installed within 14 days.

Our thoughts…

Updating the operating system and software is critical as it dramatically reduces the risk of attackers gaining control of your device. Auto update features should always be on, where this feature is available. You still need to check and update all software you have installed on your devices to keep them as secure as they can be. This need to be managed so that released updates are installed within 14 days of release.

There are third party tools that can help with updating your devices, or even just to monitor and let you know when an update is required. At SupPortal, we use Qualys, which gives you full visibility of all the software you have installed and its version. You can also view reports detailing any vulnerabilities that exist on your devices. This can help you to manage and maintain your devices.

6. Third party accounts with access to the certifying organisation’s data and services has been added to User Access Control.

The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. Importantly, this includes accounts that third parties use for access (for example, device management or support services). It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:

 

  • have a user account creation and approval process
  • authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
  • remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
  • implement two-factor authentication, where available
  • use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
  • remove or disable special access privileges when no longer required (when a member of staff changes role, for example)

Our thoughts…

Having a clearly defined policy that describes the process of keeping your network safe is crucial. Even if your IT is managed by a third party, they still need to comply to this policy. The policy should cover things like password strength and admin access. Users should only have access to what they need, and admin accounts should not be used for day-to-day work. Even the boss doesn’t need to have an admin account for daily use. Two-factor authentications should also be enabled where available and is a common feature of cloud services such as Office 365, G-suite, accounting packages, and banking.

Is there anything you need to do with the clarification changes to Cyber Essentials?

After the 26th April, all Cyber Essentials assessment questions reflect these changes. All questions are now worded differently, with some extra questions that help clarify the information.

Here at SupPortal, we are fully prepared for the new changes and can support you through the Cyber Essentials certification process. If you have any questions about Cyber Essentials, please do not hesitate to get in touch.

‘Debunking IT security jargon’ – what does it all mean?

it jargon

Cyber threats can be confusing for those with limited IT knowledge. It’s hard enough to understand how to protect your company, without being overwhelmed by all the jargon too. However, with these threats continuously on the rise, it’s vital that you are doing what you can to protect your business infrastructure.

A cyber threat attempts to disable computers, steal data, damage data or to generally disrupt digital life – is a malicious act. With the average cost of a data breach standing at $3.86 million in 2020 and the average cost of a malware attack increasing rapidly over a five-year period, it’s no small matter.

Cyber attacks don’t just cost money either. The practical impact of data breaches are an important consideration, not to mention the time spent dealing with the aftermath. Plus, let’s not forget the potential damage to the company’s reputation, which could take far longer to rectify.

In this latest blog, we’ll walk you through the top five cyber threats you ought to be aware of (without the jargon).

1. Ransomware

Ransomware is a form of malware (malicious software) that blocks access to a computer system until you have paid a sum of money. Usually cyber criminals encrypt, or scramble (to avoid more jargon!) your data and then demanding a ransom to release it.

Ransomware is an illegal money-making system. Scarily, a 3rd party can install ransomware without your knowledge The installation occurs when clicking on deceptive links in emails, social media messages or websites. As soon as you click the link, the ransomware can infiltrate your network, locking up your files causing devastating effects.

Why do you need to be aware of ransomware? It’s unpredictable, difficult to detect and near impossible to prevent except by avoiding the risk in the first place. In the last year, 40% of businesses across the UK, U.S., Canada, and Germany have experienced ransomware attacks. Of these victims, more than a third lost revenue and 20% had to stop their business completely (Spectrum Internet).

2. Phishing

Phishing is a type of cyber attack where victims are misled into handing over sensitive information or installing malware on their own systems. This can happen using email, phone or text message and involves a person posing as someone they are not. They usually pose as a legitimate company or an individual in need of help.

The level of sophistication being used in these attempts has increased recently, over half of cyber attacks in the UK in 2018 involve phishing (PWC).

3. Data Leakage

Data leakage is also known as slow data theft and is most commonly caused by criminal hacking. It occurs when unauthorised individuals access sensitive data. It can also be caused by poor data security practises or worse yet, by accident! This tends to be the type of incident that reaches the mainstream press.

Cyber criminals often look for personal information they can use for identity theft. They can also identify confidential information such as product details or patents that are vital for a business to be competitive in its market. Credit card fraud is another common use of leaked data.

Risk Based Security (2020) reported that in the US a whopping 36 billion records were exposed through 2020. This is over four times the number of records exposed through 2019. This shows that data breaches are a real problem.

4. Hacking

Hacking is a method whereby criminals look for security weaknesses in a computer system or network. They then expose, change, destroy, disable, steal or gain information from the computer system or network.

The reasons for hacking can vary. Criminal hackers can hack to gain profit, to gather information, to protest or even just for the thrill. They often install malware onto a computer system. Sometimes so-called ‘ethical hacking’ is used (with permission) to test security systems to see how robust they are.

5. Insider Threat

This type of threat involves someone from within the targeted organisation intentionally abusing their credentials to steal information. This could be a former employee, board member or business partner. Surprisingly, it doesn’t necessarily mean they still work as an employee for a company.

Insider threats can be difficult to prevent. Many security systems may be designed to keep purely outside threats at bay. However, with some big-name companies recently targeted such as Facebook and Coca-Cola, it is an increased worry for businesses.

Now you’ve deciphered the jargon, how can you stay protected from these five types of cyber-attack?

As our society becomes ever more dependent on technology, it’s likely that cyber security threats will continue to rise. Prevent attacks and save money by making sure that you have the best security procedures in place.

Here at SupPortal, we won’t bombard you with jargon. Our goal is to work with you implement clear cyber security strategies to help protect your IT infrastructure. Take action today to take preventative measures for your business. Get in touch with SupPortal today.