02 Mar 2023

Small Business Cyber Essentials Update 2023

Small businesses approaching Cyber Essentials, whether as a renewal or for the first time, should be aware of new requirements relating to the certification.

This year, the changes to the scheme are as follows:

The definition of software has been updated to clarify where firmware is in scope

Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software, and firewall and router firmware.

Firewall and router firmware is the operating system of those devices. As firewalls and routers are key security devices, their operating systems and whether they are kept up to date are extremely important from a security perspective.

Cyber Essentials will require that all applicants list their laptops, desktops, servers, computers, tablets, and mobile phones, with details of the make and operating system. However, when it comes to firewalls and routers, the applicant will only be asked to list make and model, not the specific firmware version. From the make and model of these devices, the assessor will be able to determine whether the device is still receiving security updates to its firmware.

Asset management is important in Cyber Essentials

In a similar vein to backing up data, asset management isn't a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.

The requirements clarify that asset management doesn't mean making lists or databases that are never used; it means creating, establishing, and maintaining authoritative and accurate information about your assets that enables efficient decision-making when you need it.

Clarification on including third-party devices

All end-user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. A new table gives clarity on which third-party devices are in scope for Cyber Essentials. It aims to answer frequent questions about consultants, volunteers, and third parties. When the third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that it can apply the required controls via a combination of technical measures and written policy. For example, if an in-scope third-party BYOD connects to an organisational Office 365 tenant, the organisation can create a conditional access policy that says if the device doesn't have a supported operating system, it won't connect until the operating system is updated.
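As an added illustration of the conditional access approach described above (this is not code from the original article or from the NCSC), the following PowerShell uses the Microsoft Graph SDK to create a Windows compliance policy with a minimum OS build and a report-only conditional access policy that requires personal devices to be compliant before reaching Office 365. The build number and the break-glass group ID are placeholders, and the cmdlet and Graph endpoint names are the author's assumptions about the Graph SDK.

```powershell
# Added example, not from the original article or NCSC guidance. Assumes the
# Microsoft.Graph PowerShell SDK and an administrator holding the scopes below.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Intune compliance policy: a Windows device only counts as compliant when its
#    OS build is at or above the minimum. The build number is a constructed example;
#    set it to the oldest build still receiving security updates.
$compliance = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'CE - supported Windows build required'
    osMinimumVersion        = '10.0.19045'
    scheduledActionsForRule = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}
Invoke-MgGraphRequest -Method POST -Body $compliance `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
# Assign the policy to the BYOD group in Intune; an unassigned policy evaluates nothing.

# 2. Conditional Access: personal devices reaching Office 365 must be marked compliant.
#    Company-owned devices are excluded by the device filter; a device with no
#    registration record is not excluded, so an unenrolled BYOD is also blocked.
#    Created in report-only mode so sign-in logs show the impact before enforcement.
$policy = @{
    displayName   = 'CE - BYOD must be compliant to reach Office 365'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers  = @('All')
                            excludeGroups = @('<BREAK-GLASS-GROUP-ID placeholder>') }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
        devices        = @{ deviceFilter = @{ mode = 'exclude'
                                              rule = 'device.deviceOwnership -eq "Company"' } }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
Invoke-MgGraphRequest -Method POST -Body $policy `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
```

Review the report-only results in the Azure AD sign-in logs before switching the state to 'enabled', so that an overly broad rule does not lock out legitimate users.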

Device unlocking

This section has been updated to reflect that some configuration can't be altered because of vendor restrictions. Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign-in attempts. Samsung, the largest provider of smartphones in the world, has set its minimum sign-in attempts at 15, with no option to alter this number. So, in this instance, Cyber Essentials would require that the applicant goes with the minimum number of sign-in attempts allowed by the device before locking.

An updated Malware protection section

You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases, the software must be active, kept up to date in accordance with the vendors' instructions, and configured to work. If you use anti-malware software to protect your device, it must be configured to:

  • Be updated in line with vendor recommendations
  • Prevent malware from running
  • Prevent the execution of malicious code
  • Prevent connections to malicious websites over the internet
  • Application allow listing (an option for all in-scope devices)

Home Routers

Home routers are no longer in scope. This means that any firewall controls are transferred to the individual's device. The only exception to this change is if the home worker's router is supplied by their organisation, in which case it must have Cyber Essentials controls applied to it. The impact of this is to ensure that user devices have a satisfactory level of protection in place. So, ensuring that solutions such as antivirus are up to date is imperative.

Further Reading

https://www.ncsc.gov.uk/information/cyber-essentials-technical-controls-grace-period-update

For more about Cyber Essentials changes and implementing new security measures, please contact your FOS.net account manager.