May 2024


Is your department and supply chain ready for the changes to the Government’s new cyber certification scheme?

By Dave Woodfine, Co-founder and Managing Director at Cyber Security Associates

Earlier this year, the World Economic Forum named cyber security failures as one of the biggest threats facing international governments and business, and the UK is no exception. The UK’s public sector is currently facing a rise in the number of cyber security incidents. The Ministry of Justice revealed that it faced a series of data breaches and ransomware attacks over the course of the 2020-21 financial year, and it will likely face many more in the near future.

How to protect yourself

To help business and government organisations keep themselves safe from the most common cyber-attacks, the National Cyber Security Centre (NCSC) launched the Cyber Essentials certification scheme in 2014. To raise the baseline across both the public and private sector, the NCSC has since updated some of the scheme's key requirements; the updated requirements came into effect on 24 January 2022.

Meeting these new requirements is necessary to pass the Cyber Essentials assessment, which is mandatory for certain Government departments and advised for most other sectors. Although these changes are positive and much needed as cyber threats become ever more sophisticated, they will require extra effort from public sector departments, and from their accredited third-party suppliers, to comply. Organisations will be given six months to complete the certification and ensure their systems are secure, with a 12-month grace period on some requirements.

The certification’s cost

One of the main changes to Cyber Essentials is the new tiered pricing system. Until now, the assessment cost the same for organisations of all sizes: £300. The price now varies with the number of employees, on the reasoning that a larger organisation has more to change and its assessment takes longer.

Talking about the change, Anne W, the NCSC's Head of Commercial Assurance Services, said, "While Cyber Essentials is designed to help any organisation attain a minimum level of cyber security, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size." Micro organisations, those with nine or fewer employees, will still pay £300. Small organisations, with 10-49 employees, will pay £400. Medium-sized organisations, with 50-249 employees, pay £450. Finally, organisations with 250 or more employees will now pay £500 for the assessment.

Changes for remote workers

Many of the updated requirements concern those working from home, reflecting the changes in the workplace landscape over the past couple of years. Under the scheme's requirements, anyone who works from home for any period of time is classed as a 'home worker'. Home workers' devices, such as laptops, tablets and smartphones, now fall within the scope of Cyber Essentials and must be secure enough to pass the certification assessment. In fact, every device used to access your data or services is in scope. Home workers' own routers are not in scope, however, so the firewall must run on the device itself rather than on the router. The one exception is a router provided by the business or organisation, which is in scope too.

Changes for cloud services

All cloud services are now fully within the scope of the Cyber Essentials scheme, meaning that your organisation is responsible for making sure that the controls are implemented to protect any data hosted in the cloud. Users will need to review the cloud services they are using and ensure that they meet the Cyber Essentials requirements.

Multi-factor authentication, or MFA, must also be used on any account that can access the cloud services. MFA makes accounts more secure because, rather than just entering a password, the user has to provide a second, independent method of verification. The updated requirements accept four methods for that additional factor: a known or trusted account, a physically separate token, a managed enterprise device, and an app on a trusted device.

Other changes to note 

There are also a number of smaller updates that need to be implemented. From now on, departments that want to pass the assessment will no longer be allowed to pick and choose which software updates they apply. All high and critical updates or patches, for both software and devices, must be installed within 14 days of release, and automatic updates should also be enabled. All servers, including virtual servers, now fall within the scope of Cyber Essentials, as do thin clients (or 'dumb terminals' capable of accessing a remote desktop). Administrative accounts must also be kept separate from the accounts used for day-to-day work, and used only for administrative tasks.
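The 14-day patching rule and the auto-update requirement above are the two points most easily checked against an inventory. The following is an added example, not code from the original article, from Cyber Security Associates or from the NCSC: it assumes a hypothetical patch inventory export shaped like SAMPLE_INVENTORY (constructed data, with made-up device names and update identifiers) and reports every critical or high update that was installed late or is overdue, plus every device with automatic updates disabled. Lower-severity updates are skipped because the 14-day deadline does not apply to them, and an uninstalled update whose deadline has not yet passed is not reported.

```python
"""Self-assessment helper for the Cyber Essentials patching requirement.

Added example: this is not code from the original article, from
Cyber Security Associates or from the NCSC. It assumes a hypothetical
inventory export shaped like SAMPLE_INVENTORY (constructed data) and
checks the two points described in the text:
  * critical/high updates must be installed within 14 days of release
  * automatic updates must be enabled on every in-scope device
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)            # the scheme's 14-day deadline
PRIORITY_SEVERITIES = {"critical", "high"}   # severities the deadline applies to


@dataclass(frozen=True)
class PatchRecord:
    device: str
    device_type: str           # servers, virtual servers and thin clients are all in scope
    update_id: str
    severity: str
    released: date
    installed: Optional[date]  # None means the update has not been installed yet
    auto_update: bool          # whether automatic updates are enabled on the device


# Constructed sample data (hypothetical device names and update identifiers).
SAMPLE_INVENTORY = [
    PatchRecord("srv-01", "server", "UPD-1001", "critical", date(2022, 3, 1), date(2022, 3, 9), True),
    PatchRecord("vm-db-02", "virtual server", "UPD-1002", "high", date(2022, 3, 1), date(2022, 3, 20), True),
    PatchRecord("tc-07", "thin client", "UPD-1003", "medium", date(2022, 3, 1), None, True),
    PatchRecord("lt-hw-15", "home worker laptop", "UPD-1004", "critical", date(2022, 3, 10), None, False),
    PatchRecord("srv-01", "server", "UPD-1005", "critical", date(2022, 3, 25), None, True),
]

# Date the assessment is run against; fixed so the report is reproducible.
ASSESSMENT_DATE = date(2022, 3, 30)

Finding = Tuple[str, str, str]  # (device, update_id, reason)


def patch_deadline(rec: PatchRecord) -> date:
    """Last day on which installing the update still meets the 14-day rule."""
    return rec.released + PATCH_WINDOW


def patch_findings(inventory: List[PatchRecord], today: date) -> List[Finding]:
    """Return critical/high updates that were installed late or are overdue.

    Lower severities are skipped because the 14-day rule does not apply to
    them. An uninstalled update whose deadline has not passed is not a finding.
    """
    findings: List[Finding] = []
    for rec in inventory:
        if rec.severity.lower() not in PRIORITY_SEVERITIES:
            continue
        deadline = patch_deadline(rec)
        if rec.installed is None:
            if today > deadline:
                findings.append((rec.device, rec.update_id,
                                 f"not installed, {(today - deadline).days} days overdue"))
        elif rec.installed > deadline:
            findings.append((rec.device, rec.update_id,
                             f"installed {(rec.installed - deadline).days} days late"))
    return findings


def auto_update_findings(inventory: List[PatchRecord]) -> List[str]:
    """Devices that report automatic updates disabled (deduplicated, sorted)."""
    return sorted({rec.device for rec in inventory if not rec.auto_update})


def is_compliant(inventory: List[PatchRecord], today: date) -> bool:
    """True only when both the 14-day rule and the auto-update rule hold."""
    return not patch_findings(inventory, today) and not auto_update_findings(inventory)


if __name__ == "__main__":
    for device, update_id, reason in patch_findings(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(f"PATCH   {device:<10} {update_id:<9} {reason}")
    for device in auto_update_findings(SAMPLE_INVENTORY):
        print(f"AUTOUPD {device:<10} automatic updates disabled")
    print("compliant:", is_compliant(SAMPLE_INVENTORY, ASSESSMENT_DATE))
```

Run against the constructed inventory, the report flags the virtual server whose high-severity update went in five days past the deadline and the home worker laptop with an overdue critical update and automatic updates switched off; the medium-severity update on the thin client and the critical update released five days ago are correctly left out. Feeding it a real export would only require mapping your patch tool's fields onto PatchRecord.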

While it might seem like a lot of work, all of these new requirements are necessary for those looking to pass the Cyber Essentials assessment and obtain the new certification. Only then will you be able to demonstrate to other departments, organisations and companies that your information is protected against today's most common online threats.
