
Cyber Essentials is changing in 2022 – Here’s what’s new

16 Dec 2021
Author: Sarah G

Cyber Essentials (if you’re not familiar) is a government-backed scheme that aims to help businesses protect themselves against cyber-attacks. We won’t be going into detail about the scheme itself in this blog.

What we’ll be talking about today are the changes coming to Cyber Essentials, ones that tighten the requirements to get your certification (don’t worry, we’ll run you through everything).

Our team at Nebula are excited about what’s coming, as the changes are designed to help businesses remain cyber secure in our modern climate of remote working. While they do make it a little bit more difficult to achieve certification, we believe that it’s a necessary step in the right direction!

When is Cyber Essentials changing?

These new rules come into effect on the 24th January 2022. Don’t panic! While these rules do come into play in January, you’ve got until your renewal date to ensure that everything’s up to standard.

What’s new in Cyber Essentials for 2022?

There’s quite a lot being added to the Cyber Essentials certification. We’ve gathered it all here to make things easier.

Improved perimeter protection

Cyber Essentials is finally acknowledging that more and more people are working remotely. Perimeter protection refers to protecting your network’s perimeter (surprise!). Think of it as extending your castle walls to make sure that everything is protected from invasion.

This covers:

  • Home working – Working from home poses significant cyber security risks if your network isn’t properly adjusted and secured accordingly. Anyone that works from home for any amount of time is now classed as a home worker, and all company equipment (such as laptops) will now be in scope. Worth noting, this doesn’t cover domestic routers unless they’re supplied by the business.
  • Mobiles & other endpoints – Company phones, laptops, tablets and computers are all in scope if they can access your network in any way. Calls and texts are excluded from this.
  • Cloud services – More remote working has meant an explosion in the use of cloud services. Any cloud service that you use will now be assessed by Cyber Essentials, which means each one will now require multi-factor authentication (MFA) in order to be deemed secure.
  • Servers – All servers, both physical and virtual, will be in scope.
  • Subsets – A subset is a part of an organisation that is separated from the rest of the network by a firewall or VLAN. Subsets can be used to define what is relevant to Cyber Essentials, and what isn’t. Individual firewall rules per device are no longer permitted.

Passwords and multi-factor authentication (MFA)

In our time, we’ve seen some truly awful passwords. The new Cyber Essentials rules are clamping down on rubbish passwords and are encouraging the use of MFA for an added layer of security.

While the rules stipulate that you only need to implement one of the following, we recommend using multiple:

  • Lock accounts after no more than ten failed login attempts.
  • Make MFA compulsory to accompany every password.
  • Throttle the rate of failed login attempts.

In addition to this, you’ll also need to implement at least one of the following:

  • A password that’s at least eight characters, but is backed up with MFA.
  • A password that’s at least twelve characters.
  • A password that’s at least eight characters, but with automatic blocking through the use of a deny list (a list of common passwords that are disallowed).

Again, the more the merrier – longer, more complex passwords that are backed up by MFA and have a limited number of login attempts really are the way to go!
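To see how the two "at least one of" lists above combine, here is an added example (not part of the original blog or of the Cyber Essentials scheme's own tooling) that audits authentication policies against them. The `AuthPolicy` field names and the sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthPolicy:                      # field names are assumptions for this example
    name: str
    mfa_required: bool = False
    lockout_threshold: Optional[int] = None   # failed attempts before lock; None = never
    throttling: bool = False
    min_length: int = 0
    deny_list: bool = False

def brute_force_controls(p: AuthPolicy) -> list:
    """First list: lockout after no more than ten failures, MFA, or throttling."""
    met = []
    if p.lockout_threshold is not None and 1 <= p.lockout_threshold <= 10:
        met.append("lockout")
    if p.mfa_required:
        met.append("mfa")
    if p.throttling:
        met.append("throttling")
    return met

def password_controls(p: AuthPolicy) -> list:
    """Second list: 8 characters with MFA, 12 characters, or 8 with a deny list."""
    met = []
    if p.min_length >= 8 and p.mfa_required:
        met.append("8+mfa")
    if p.min_length >= 12:
        met.append("12")
    if p.min_length >= 8 and p.deny_list:
        met.append("8+deny-list")
    return met

def audit(p: AuthPolicy) -> dict:
    """A policy passes only if it meets at least one item from each list."""
    bf, pw = brute_force_controls(p), password_controls(p)
    return {"policy": p.name, "compliant": bool(bf and pw), "brute_force": bf, "password": pw}

# Constructed sample policies, not taken from any real environment.
SAMPLES = [
    AuthPolicy("cloud-email", mfa_required=True, min_length=8),
    AuthPolicy("legacy-vpn", lockout_threshold=10, min_length=8),
    AuthPolicy("kiosk", lockout_threshold=15, min_length=12),
    AuthPolicy("intranet", throttling=True, min_length=8, deny_list=True),
]

if __name__ == "__main__":
    for policy in SAMPLES:
        print(audit(policy))
```

The sample run shows that MFA with an eight-character minimum satisfies both lists on its own, while an eight-character password with lockout alone, or a twelve-character password with a lockout threshold above ten, does not.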

Device locking

All devices require a PIN or a password with at least six characters. Biometrics (thumbprint or face scan) are permitted as an alternative.

Updates and supported software

There are some new rules on what software is allowed, and how to keep it all updated:

  • Any software your organisation uses needs to be supported and licensed. Unsupported software will have to either be removed from all devices, or put into a subset that separates it from the rest of the network.
  • All software should be updated within 14 days of the update’s release.
  • Automatic security updates must be enabled where available.

Account management

You should carefully monitor account usage. Admin accounts shouldn’t be used for day-to-day user activities. Your users should ensure that they’re only using admin accounts to carry out admin functions, relying on their other login(s) for any other work.

What do you need to do?

Whether your Cyber Essentials renewal is imminent or not, these are crucial changes to make right now in order to keep your organisation safe.

Getting everything sorted now will take the headache away when it comes to renewing (you can thank us later!).

Cyber Essentials support with Nebula IT

Should you need any support getting your cyber security process up to standard, please don’t hesitate to get in touch with our team here at Nebula. We’re here to ensure that you stay Cyber Essentials certified when the time comes to renew, and to keep you safe in the meantime!
