Cyber Essentials is the government-approved standard for technology security in businesses; essentially the UK government’s rubber stamp of approval for organisations using technology as securely as possible. This standard is required for businesses that want to work with the NHS, or any government service, but the certification has also become a benchmark for the minimum that organisations should meet in order to operate securely.
On Sunday 26th April, some new requirements for Cyber Essentials come into effect. This means that to get a Cyber Essentials certification, or to keep your Cyber Essentials certification, there are a few more things that you need to do as a business. We had a chat with IT support engineer Dave Kennedy about the new requirements, and how businesses can use Cyber Essentials to prioritise their cyber security.
Multi-factor authentication is mandatory
One of the most important changes is that Multi-Factor Authentication (MFA) has been made mandatory wherever it is available. Multi-factor authentication is an extra step for users when logging in, where they need another piece of information to access an account. This might be biometric data like a fingerprint, or a code sent to your mobile or email.
With the new requirements, Cyber Essentials have stated that when MFA is provided as an option by an application or service, organisations must implement it. MFA must be enabled regardless of whether it is a free or paid-for service. Dave says that he agrees with the changes: ‘Previously, with businesses seeking Cyber Essentials certification, if using MFA was an additional charge, you didn’t have to use it. Now, you do.’
‘MFA exponentially increases security,’ says Dave. ‘Whilst some businesses might have had to pay extra to use multi-factor authentication, most MFA will be free within the service or app that you’re using.’
Defining cloud services
As part of Cyber Essentials certification, there are some rules around what organisations must do with services and data stored in the cloud; that is, information that is stored and accessed by a business over the internet, rather than on a server or hardware within an office that the business owns. Cyber Essentials is making explicit that any cloud services used by the business fall under the certification requirements.
Dave says that businesses will need to list all of the cloud services that they use, so that they can verify that MFA is working on each system. ‘Typically, anything that is physically within your business is probably not using a cloud service. If something is actively stored on a server in your office, for example, it’s probably not using a cloud service.’
‘Comparatively, an email service, or OneDrive storage is going to be a cloud service. There are some trickier things to identify; for example, a printer that connects to the cloud, or your accounting and bookkeeping.’
Ensuring all of your cloud services are compliant with Cyber Essentials might feel like a big task for businesses; however, Transcendit can help. ‘We can help you to establish a list of the services and apps that you use,’ says Dave, ‘and we can even connect to your computer to see what apps and products you’re using on a daily basis, to find out which services are using the cloud.’
Passkeys: a more secure way to log in
The updated guidance places ‘greater emphasis on passwordless authentication’ and states that ‘Passkeys…offer an easier, faster and more secure way to log in.’ Whilst passkeys haven’t been made mandatory, they are now highly recommended.
‘A passkey is another factor of authentication that can be used,’ says Dave. ‘It can be biometric, like your fingerprint, or your face. It can be a physical device that you plug into the device or that uses Bluetooth. A passkey is a replacement for a password; it’s something that becomes your primary login authentication.’
‘When people create passwords, they’re often made as short as possible, and users repeat them so that they’re easier to remember. With a passkey, you don’t have to remember it; it’s just your fingerprint. It’s as secure as, or more secure than, a password, and it’s more convenient.’
Dave says that businesses should be using passkeys: ‘Passkeys make things faster and easier for the end user, and when security is made more convenient and more reliable, users will be more secure.’
Changes to Cyber Essentials Plus assessment process
One of the significant changes is the way that Cyber Essentials Plus is assessed. Previously, businesses that had self-assessed their systems and been Cyber Essentials certified could request to be assessed for Cyber Essentials Plus. For Cyber Essentials Plus, an external assessor would review their systems and processes. If the business failed their assessment for Cyber Essentials Plus, they would still retain their Cyber Essentials certification.
‘Now, if the assessor does find something in your systems that doesn’t meet the criteria, then you’ll fail your Cyber Essentials Plus certification, and lose your pre-existing Cyber Essentials certification,’ says Dave. ‘This might seem harsh for businesses, but ultimately it helps enforce strong security standards. That’s the goal with Cyber Essentials, to ensure that businesses are as secure as possible, and client and customer data is as safe as it can be.’
How can my business improve cyber security?
‘The best suggestion I have for businesses looking to improve their cyber security is to use a service like Huntress,’ says Dave. ‘Huntress is 24/7 monitoring software for your internal systems, so if your computer starts to do something it shouldn’t as a result of some malicious script, it’s stopped in its tracks.’
‘For example, everything that businesses do on Microsoft 365 is cloud-based. For most customers that means all of their storage, and the whole of their email service is vulnerable to cyber attacks that target cloud services. Cyber Essentials has an increased focus on security for Cloud, and so we’d recommend Huntress to help support that.’
For more support with Cyber Essentials, or to find out whether getting certified could work for your business, give us a call on 0191 482 0444.