Latest changes to Cyber Essentials
The National Cyber Security Centre (NCSC) released the latest update to the Cyber Essentials security standard requirements yesterday (6th Feb 17). These will help businesses achieve a good level of defence against cyber attacks.
The principal changes are noted below, but for the uninitiated, Cyber Essentials is all about configuring your existing IT infrastructure with security in mind. There are 5 disciplines to consider, as follows:
- Office Firewalls and Internet gateways
- User Account Access
Changes to the requirements are explained below:
Passwords: The advice on passwords has been confusing over the last 12 months, and the Cyber Essentials requirements have been out of sync with the latest advice. This has now been corrected, and the requirement to regularly change passwords has been replaced with i) change passwords when believed to have been compromised; and ii) when accessing remotely, user lockout after 10 unsuccessful login attempts or limit of 10 login attempts within 5 minutes. The usual requirement to change default passwords on all devices remains, as you would expect.
Two factor authentication (use of a secondary security password or number): This is a new requirement for all administrative access account users. This technology is now easy to install and adds a secure extra level of protection to an area that presents a serious vulnerability if compromised.
Administrative accounts: The use of these accounts has always been restricted to admin purposes, and day to day use should be prevented. The requirements have been extended to prevent such accounts from having access to email and web browsing.
Malware Protection: Previously there were a number of requirements that were difficult to implement, such as the scanning of all stored data daily. The requirements have recognised the developments in malware solutions and now offer three alternative approaches:
- Anti-malware software requiring on-access scanning, daily updating and web page warnings.
- App Store / Application White listing - limits the user to using known and checked applications only.
- Application sand-boxing - prevents applications from accessing data and devices other than those specifically permitted.
Scope: The definition of the scope determines how the requirements should be applied to your business or organisation, and further clarity has been added with regard to i) devices used by users regularly working from home; and ii) devices owned and operated outside of the UK, both of which should be included in the Scope.
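The remote-access password requirement above gives two alternatives: lock the account after 10 unsuccessful attempts, or allow no more than 10 attempts within 5 minutes. The following Python is an added example showing both, not code from the Cyber Essentials documents or this post; the class and function names are hypothetical, and resetting the failure count after a successful login is an assumption.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 10          # figure taken from the requirement text
WINDOW_SECONDS = 5 * 60    # figure taken from the requirement text


class RemoteLoginGuard:
    """Per-account guard for remote logins (hypothetical helper, not NCSC code)."""

    def __init__(self, mode):
        if mode not in ("lockout", "throttle"):
            raise ValueError("mode must be 'lockout' or 'throttle'")
        self.mode = mode
        self.failures = defaultdict(int)    # failure count per account (lockout mode)
        self.locked = set()                 # accounts waiting for an admin unlock
        self.attempts = defaultdict(deque)  # attempt timestamps (throttle mode)

    def allow_attempt(self, user, now):
        """Return True if the password check may run at time `now` (seconds)."""
        if self.mode == "lockout":
            return user not in self.locked
        window = self.attempts[user]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                # forget attempts older than 5 minutes
        if len(window) >= MAX_ATTEMPTS:
            return False                    # refused attempts are not recorded
        window.append(now)
        return True

    def record_result(self, user, success):
        """Report the outcome of an allowed attempt (used in lockout mode)."""
        if self.mode != "lockout":
            return
        # Assumption: a successful login clears the failure count.
        self.failures[user] = 0 if success else self.failures[user] + 1
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked.add(user)

    def admin_unlock(self, user):
        self.locked.discard(user)
        self.failures[user] = 0


def simulate_failed_logins(mode, times, user="alice"):
    """Replay constructed failed attempts; count how many reached the password check."""
    guard = RemoteLoginGuard(mode)
    checked = 0
    for t in times:
        if guard.allow_attempt(user, t):
            guard.record_result(user, success=False)
            checked += 1
    return checked
```

With one failed attempt per second, lockout mode stops checking passwords after the tenth failure until an administrator unlocks the account, while throttle mode admits a further ten attempts each time the 5 minute window rolls over.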
To download the new Cyber Essentials Preparation Document, go to our Information page. You will also find other documents recently issued by the NCSC there.