Cyber Essentials Requirements Have Changed: Here’s What You Need to Know


Cyber Essentials is a government scheme that covers your business and ensures you are protected against IT threats. By holding a certificate, you protect both your clients and your business from potentially devastating threats and indicate how seriously you take IT security. If you would like to find out more about Cyber Essentials, read our handy guide here. In April 2021, changes were made to the Cyber Essentials Requirements.

As a governing body, IASME reviews and makes the relevant updates to the Cyber Essentials technical controls so that they are up to date and relevant. This ensures that Cyber Essentials is as effective as possible at protecting your software and devices against threats. Although no major updates have occurred, there is a series of clarifications to the requirements, effective from 26th April 2021. Here, we will help you understand exactly what you need to know about the Cyber Essentials requirement changes.


1. New Definitions for a Corporate Virtual Private Network (VPN), organisational services and organisational data.

  • A Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
  • Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.
  • Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device Management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.

Organisational data used to come under the wording “Business Data”, but that proved a bit too woolly, so two new definitions have been introduced.

Our thoughts…

A VPN (Virtual Private Network) is a way of securely connecting remote workers to other computers controlled by your organisation. This may be provided by a router that does this for you. The important thing to remember when using a VPN is that all traffic must be passed through your corporate firewall. This is so your organisation can control the traffic going to and from its computer systems and services. Whilst apps like Nord VPN or Express VPN might be useful for protecting your anonymity online, they don’t give you the same end-to-end security as a VPN provided by your organisation.


2. ‘Out of Scope’ Update for BYOD.

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).

Our thoughts…

If your organisation allows employees to access data or services owned by the company on their own personal devices, such as a mobile phone or laptop, then the organisation must ensure that these devices comply in the same way corporate devices do. For example, they must use strong passwords, enable a firewall, have anti-malware installed and up to date, etc. It is also quite common for a home user of a BYOD device to automatically have full admin privileges on a device they own. However, this is not acceptable as part of CE, and the user should have a separate login that does not have permission to install programs or change the configuration of the device. In other words, your home user device will need two accounts: one for daily use and one just for admin tasks.


3. Clarifications on Internet Boundaries and Software Firewalls.

“A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol. Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.”

Our thoughts…

Firewalls are found where your device connects to a network, whether that’s on your computer or server, or at your connection to the internet via a router (which sometimes has an integrated firewall). Corporate networks normally have a separate device called a firewall to protect and monitor traffic in and out of the network.

If you have employees that work from home, or remotely, and do not connect to the corporate network using a corporate VPN, then they must rely on the firewall installed on the device they are using, for example a Windows laptop or MacBook.


4. ‘Patch management’ control changed to ‘Security update management’.

Security update management.

Our thoughts…

It was thought that the expression ‘patch management’ was too technical and ambiguous. The goal is to ensure any updates are applied, especially if they contain a fix for a high or critical vulnerability. This should be done within 14 days of the update becoming available. However, it is advisable to apply updates immediately.



5. Updated security update management control.

The Applicant must keep all its software up to date. Software must be:

  • licensed and supported
  • removed from devices when no longer supported
  • have automatic updates enabled where possible
  • updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
      • the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’
      • it has a severity the product vendor describes as ‘critical’ or ‘high risk’
      • there are no details of the vulnerability severity level the update fixes provided by the vendor.

For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.

*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.


If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values:

  • attack vector: network only
  • attack complexity: low only
  • privileges required: none only
  • user interaction: none only
  • exploit code maturity: functional or high
  • report confidence: confirmed or high


Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues, then it must be installed within 14 days.
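The following Python helper is an added example, not code from the article or from IASME. It applies the criteria above to constructed vendor release notes: it parses CVSS v3.x vector strings, checks the six metric values listed above, treats a vendor’s own ‘critical’/‘high risk’ labels or a missing severity as triggering the 14-day window, and applies the mixed-severity rule. It assumes CVSS v3.1 vector syntax and maps the article’s ‘report confidence: confirmed’ to the CVSS value RC:C (the sample product names and dates are invented).

```python
from datetime import date, timedelta
from typing import Optional

# Metric values the article lists for a 'critical' / 'high risk' vulnerability.
# Keys are CVSS v3.x metric abbreviations; values are the accepted metric values.
# RC: the article says "confirmed or high"; CVSS v3.1 encodes Confirmed as "C",
# so "C" is the value checked here (an assumption about the mapping).
CE_HIGH_RISK = {
    "AV": {"N"},       # attack vector: network only
    "AC": {"L"},       # attack complexity: low only
    "PR": {"N"},       # privileges required: none only
    "UI": {"N"},       # user interaction: none only
    "E":  {"F", "H"},  # exploit code maturity: functional or high
    "RC": {"C"},       # report confidence: confirmed
}
SLA = timedelta(days=14)   # the 14-day window from the requirement text


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a {metric: value} mapping."""
    parts = vector.strip().split("/")
    if not parts or not parts[0].startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def is_ce_high_risk(vector: str) -> bool:
    """True when every listed metric carries one of the accepted values.
    Temporal metrics (E, RC) missing from a base-only vector default to 'X'
    (not defined), which does not satisfy the criteria."""
    m = parse_vector(vector)
    return all(m.get(key, "X") in allowed for key, allowed in CE_HIGH_RISK.items())


def update_deadline(released: date, vendor_severities, vectors=()) -> Optional[date]:
    """Date by which one update must be installed, or None when the 14-day
    requirement does not apply (applying it is then recommended, not mandatory).
    vendor_severities: the vendor's own labels for every issue the update fixes
    (empty or None when the vendor gives no severity at all).
    vectors: CVSS vectors for the same issues, used when vendor terms differ."""
    severities = [s.strip().lower() for s in (vendor_severities or [])]
    if not severities and not vectors:
        return released + SLA   # no severity details from the vendor: mandatory
    if any(s in ("critical", "high", "high risk") for s in severities):
        return released + SLA   # mixed update covering a critical/high issue
    if any(is_ce_high_risk(v) for v in vectors):
        return released + SLA   # vendor uses other terms; CVSS metrics decide
    return None


# Constructed sample release notes (invented product names, not real CVEs).
SAMPLE_RELEASE = [
    {"name": "office-suite 7.2.1", "released": date(2021, 4, 26),
     "severities": ["low", "critical"], "vectors": []},
    {"name": "pdf-reader 3.0.4", "released": date(2021, 4, 26),
     "severities": ["moderate"],
     "vectors": ["CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C"]},
    {"name": "media-codec 1.9", "released": date(2021, 4, 26),
     "severities": [], "vectors": []},
    {"name": "font-pack 2.0", "released": date(2021, 4, 26),
     "severities": ["low"], "vectors": []},
]


def plan_release(release=SAMPLE_RELEASE) -> dict:
    """Map each update name to its mandatory install-by date (or None)."""
    return {u["name"]: update_deadline(u["released"], u["severities"], u["vectors"])
            for u in release}


if __name__ == "__main__":
    for name, deadline in plan_release().items():
        print(f"{name}: {'install by ' + deadline.isoformat() if deadline else 'recommended only'}")
```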

Our thoughts…

Updating the operating system and software is critical, as it dramatically reduces the risk of attackers gaining control of your device. Auto-update features should always be on, where available. You still need to check and update all software you have installed on your devices to keep them as secure as they can be. This needs to be managed so that released updates are installed within 14 days of release.

There are third party tools that can help with updating your devices, or even just to monitor and let you know when an update is required. At SupPortal, we use Qualys, which gives you full visibility of all the software you have installed and its version. You can also view reports detailing any vulnerabilities that exist on your devices. This can help you to manage and maintain your devices.

6. Third-party accounts with access to the certifying organisation’s data and services have been added to User Access Control.

The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. Importantly, this includes accounts that third parties use for access (for example, device management or support services). It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:


  • have a user account creation and approval process
  • authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
  • remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
  • implement two-factor authentication, where available
  • use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
  • remove or disable special access privileges when no longer required (when a member of staff changes role, for example)

Our thoughts…

Having a clearly defined policy that describes the process of keeping your network safe is crucial. Even if your IT is managed by a third party, they still need to comply with this policy. The policy should cover things like password strength and admin access. Users should only have access to what they need, and admin accounts should not be used for day-to-day work. Even the boss doesn’t need an admin account for daily use. Two-factor authentication should also be enabled where available; it is a common feature of cloud services such as Office 365, G Suite, accounting packages, and banking.

Is there anything you need to do with the clarification changes to Cyber Essentials?

After the 26th April, all Cyber Essentials assessment questions reflect these changes. All questions are now worded differently, with some extra questions that help clarify the information.

Here at SupPortal, we are fully prepared for the new changes and can support you through the Cyber Essentials certification process. If you have any questions about Cyber Essentials, please do not hesitate to get in touch.

Which cyber security certification is right for your business?

Business today relies heavily on the internet, no matter what the industry. The online world is constantly evolving, from an increase in video conferencing and homeworking to ecommerce transactions and contactless payments. With more and more critical data being stored and processed over both private and public networks, it is important to be aware of the risk and take the right steps to protect your organisation. Below we will go through how to choose the right cyber certification to suit your needs.

The Threat of Cyber Crime

Did you know that almost half of UK businesses are affected by cybercrime each year? Security breaches are a very real threat for businesses of any size, whether from cybercriminals, viruses, or malware. Poor judgement and errors made by employees, alongside weaknesses in your security system, can often be to blame. It’s easy to think that it won’t happen to you or your business, but anyone can be a target. So, it’s important to take preventative action to protect your business.

Reassurance for Your Clients and Customers

Your customers and clients are trusting you with their data. A cyber certification can lay their fears to rest, as it enables your business to demonstrate that you have appropriate cybersecurity controls in place that not only protect your own data, but also any that you hold about them. Furthermore, it isn’t a one-time fix. Certification provides a solid foundation of best practice to be maintained within your business and will require renewal every 12 months. Upon certification, your business will be listed publicly in the Cyber Essentials directory and also qualifies for £25K optional Cyber cover.

Below we explore how to choose the right cyber certification for your business, looking specifically at the two most popular certifications – Cyber Essentials and Cyber Essentials Plus.

What is Cyber Essentials?

This is a government scheme that covers all types of organisations to make sure they are adequately protected against IT threats. Having this certificate protects both your business and your clients from potential threats and demonstrates that security is taken seriously. In fact, we recommend that all parties in your supply chain adopt the scheme to keep the whole supply chain protected. It is essentially a set of security standards that businesses are required to meet to achieve certification.

The scheme covers the following key areas:

  • Protecting your internet connections with firewalls and routers
  • Protecting any device and software your business may use
  • Regulating physical and digital access to your data and services with access control
  • Defending against viruses and other harmful malware
  • Ensuring devices and software are kept up to date

So, how do you choose between Cyber Essentials and Cyber Essentials Plus?

The certification level you choose depends on who you are dealing with. If your company has contracts with government, or is in its supply chain, no matter how simple your set-up is, you will need to have at least Cyber Essentials certification in place. However, Cyber Essentials Plus will give you that added level of security.

Your business IT infrastructure may only consist of a laptop and use of Office 365. However, many companies will still want you to have a certain level of certification to do business with you. The simpler your IT is, the easier it is to implement.

Cyber Essentials

Are you looking for basic level security certification to prove to your potential and current clients that you have sufficient measures in place?

This is the lowest level of certification and is the minimum requirement if your business wants to submit a bid for a public sector contract. This certification is vital if this is an area where you wish to do business, as you will be responsible for handling critical information regarding public sector activity.

If you decide Cyber Essentials is right for you, SupPortal can organise your self-assessment questionnaire. There is a time and resource commitment required internally to provide suitable evidence for the self-assessment. An outsourced provider such as SupPortal can take a lot of this work off your shoulders. Working with you, we can ensure you are prepared to answer the questions and provide the evidence.

Assisted Cyber Essentials

Should you wish to take on the majority of the work in-house, SupPortal can provide an initial external vulnerability scan. However, doing so can not only be time consuming but will require sufficient IT knowledge to fully respond to the self-assessment.

Cyber Essentials Plus

Government organisations and contractors look for this certification when there is considered to be a greater risk. It is a more comprehensive version of the Cyber Essentials certificate, involving further external auditing and random testing. To gain this certification, you will need to be Cyber Essentials certified first.

As part of this process, the team at SupPortal would carry out tests on your software and systems to check for vulnerabilities to ascertain if you have the adequate protection against cybercrime.

Do you supply goods or services to government departments like the NHS, or MOD? Do you have remote workers? Or do you have third-party businesses that have access to your systems? Does your business require complex IT infrastructure, software and systems? Does your network cover a broad area? If you have answered yes to any of the above, then this may be the most appropriate certification for you.

If you want to truly demonstrate that your business is committed to high standards of cyber security protection, and you take data protection seriously, then this is a great choice for you. With this certification, you are going above and beyond to keep your client’s data safe. Furthermore, if your business commonly processes data of a highly sensitive nature, then it is well worth considering Cyber Essentials Plus.

Still confused about which cyber security certification is right for your business? Then get in touch with the team at SupPortal today.

Is Home Working Exposing Your Corporate Network?


The pandemic of 2020 saw a rise in homeworking and many businesses have realised that this is a viable option for work going forwards. However, did you know that ransomware is one of the fastest growing crimes on the planet? So, ask yourself, is home working exposing your corporate network?

Below you’ll find some important tips on how you can make sure that your corporate network and all of your data stays safe.

What are the threats to your corporate network?

If your corporate network is exposed and there are not enough IT safety measures in place, you could be exposing your business to unnecessary risk.

Ransomware, a type of malware (malicious software), gives cyber criminals the ability to hold your business to ransom. With this method, these individuals gain access to the data in your corporate network and then demand a ransom for its release, with the threat of permanent deletion if you fail to pay. We advise you never to pay the ransom, as you are not guaranteed to get your data back and you will be targeted again. Instead, ensure you have a good, well-tested backup. Thankfully, given the right protection across your network, you can put preventative measures in place to stop this and other malicious attacks.

The stats for ransomware are shocking, with one small UK business being hacked successfully every 19 seconds. Your business and corporate network could also be exposed to other malware attacks, spyware and other viruses. For instance, 55% of UK email is spam. If a well-intentioned employee clicks on an innocent looking email, it could be opening the gates to a cyber-attack.

It’s not all doom and gloom, there is plenty you can do to protect your corporate network against cybercrime. As they say, prevention is better than the cure. So, it’s important to develop a long-term strategy to protect against threats.

How can you stop exposure to your corporate network?

There are a few ways that you can help to protect your corporate network against attacks whilst your employees are working from home.

1. Train your staff

Unfortunately, and unintentionally, your team can cause a security breach. All it takes is a click on the wrong link or replying to a well-crafted phishing email. Human error can occur, especially when distracted or tired. Home working conditions are different to those in an office. That’s why it is vital to have your staff aware and educated on cybercrime.

By training your staff about cybercrime, you can ensure that whilst they are working at home, they know exactly what to look out for to keep your corporate network safe. Make sure your staff are vigilant with suspicious links and emails. Think about giving regular cyber security training. Here at SupPortal, we offer online training, which consists of a series of short sketch animations. These are only around one minute long, and you’ll find a quiz to check what you’ve learned. We believe this format generates particularly high user engagement. As a business owner, you will also be able to see if your users have watched the training.

We also cover more in-depth training, which can be delivered online or on site. Particularly useful for management teams is a desktop simulation of a cyber-attack scenario. This tests how well the measures you have put in place actually work. Being prepared and well-practised is key to survival in the event of a serious attack.

By training your staff, they will know to take cybercrime more seriously, which will help to keep your business’ data and files safe. A team well trained is a great first line of defence.

2. Be vigilant with emails

Think before you click! Spam email is an extremely common access point for cyber criminals. Delete the suspicious emails, don’t enable macros and alert your IT support partner.

It is also important to be aware of the vulnerabilities in your supply chain. It is good security practice to ensure that your supply chain meets the same standard of security you adhere to yourself. Good IT governance standards like IASME Governance require you to make sure your supply chain does as much as you do to protect your business and its data. Cyber criminals are able to gain access to your corporate network and business data by sending out a genuine-looking software update or an email masquerading as someone you know.

However, instead of updating, it is a fast destructive virus that could wipe out the operation of your business. That is why it is vital to source suppliers wisely and ensure your IT security is safe.

3. Back up your data

There are numerous benefits to using cloud computing, however you do still need to make sure security is in place. You can’t be complacent in thinking just because it is in the cloud that it is safe. You should still make backups.

Keep copies of your files, so that if an attack does occur, you will have a copy of the data and files. By backing up and checking your data, you will be able to access versions from before the attack, minimising the potential impact as well as reducing the chance of reinfection. You should also test that you can restore data from the backup. Backups should be encrypted and, if you are using a local drive, it should be disconnected after each backup. Even though you may have a copy, you still need to do everything to protect your files, as you don’t want them falling into the wrong hands.

Organisations should ensure that all staff periodically update the devices they are working on and install software and system updates. They should also have sufficient anti-virus software in place and up to date. Poor patching of computer equipment is the most common way to fall victim to an attack, and Cyber Essentials requires updates to be carried out within 14 days of release.

4. Safe and Secure Passwords

One of the most common mistakes that companies and individuals make, is setting easy and poor passwords. Due to this, many sites and programs are developing new, multi-layered methods to protect their users and this is why multi-factor authentication is now more commonplace. It would be wise to set this up with your company, to protect your network.

Using password managers can also help, as they can generate complex passwords for you that you don’t even need to remember. However, we recommend you steer clear of free software and use a paid one, such as 1Password. Having good technical policies in place will also help, so ensure passwords have at least eight characters and include upper-case letters, lower-case letters, numbers and special characters.

Don’t share passwords with other users or applications. Instead, see if you can use an API key to provide access. This enables different pieces of software to talk to each other without exposing each one’s password to other users. API keys need strict cyber security measures in place too, so you may need professional support to double-check the encryption and authentication arrangements.

5. Review your IT infrastructure and VPN (Virtual Private Network)

A VPN (Virtual Private Network) allows your employees to log into your corporate network from home. They are incredibly useful, but only if they are fully secured end-to-end and send all user traffic through the corporate firewall. If the user can be connected to the office but browse the internet through their own firewall, then your business is actually MORE at risk. An IT support partner will be able to advise whether you have the right one in place for the needs of your business. They will also be able to advise on whether the devices and software that your employees use are suitable for their roles and have the right security systems in place.

6. Seek help from an IT Support Partner for your Corporate Network

Gain peace of mind by having an IT security expert involved, who can assist with a range of solutions including security audits and training. This way, you will know that you have the right security and knowledge to keep your corporate network safe and secure. It also means that if there is an emergency, you have a trusted resource to turn to.

Your IT security partner can keep your software and systems up to date, provide invaluable training for your team, and ensure all of your remote networks and software are running smoothly.

Remote working, without the risks

Get in touch today if you would like to know more about how we can ensure the safety and security of your corporate network, whilst your team are busy working from home.