In 2022, the National Cyber Security Centre (NCSC), the UK’s technical authority for cybersecurity, released a major update to the government-backed Cyber Essentials (CE) accreditation, bringing the scheme to version 3.0. In its latest move, the authority has now released a 2023 update (version 3.1), which has already watered down the requirements introduced only a year ago.
This article will examine the changes version 3.1 has introduced and what they mean in real-world terms for businesses seeking CE accreditation.
Understanding Cyber Essentials 3.0 and The Latest Revision
In line with CE’s remit of helping protect organisations from cyber attacks, the 3.0 updates were introduced in response to major changes in working practices (notably, the current prevalence of working from home, increased use of personal devices and major cloud adoption), which have all introduced significant security challenges to businesses. The revisions to CE sought to tighten many infrastructure controls and provide enhanced protection in response to these changes.
In summary, the key elements addressed in the 3.0 revision included:
- Added guidance on how home working/BYOD devices change the scope of an organisation’s information security system
- Inclusion of all cloud services (Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS))
- Extended multi-factor authentication requirements in relation to cloud services
- Thin clients now being in scope and added to the ‘devices’ definition
- New device unlocking requirements added to the ‘secure configuration’ control
- Inclusion of all servers (rather than only servers running key infrastructure such as email or domain controllers)
- A clarification on terms, wording and a general broadening of the scope, moving to a model where assets should be considered in scope by default rather than out of scope unless explicitly included.
It is worth noting that this enhancement of CE was also accompanied by an increase in price: up to £500 from £300 for the basic self-certified CE, with CE+ (the highest level of certification offered under the Cyber Essentials Scheme) coming in at £2000, up from £1500.
Updates in Cyber Essentials Version 3.1
The April 2023 update (version 3.1) is less of an overhaul and more of a significant clarification on terms – albeit one which rolls back a number of the controls published in the 2022 update. That means adherence to CE+ is easier than last year – but also, critically, means it holds less value in meeting its aims to help businesses improve cyber security.
It is worth bearing in mind that even the more stringent 2022 (3.0) version of the accreditation was a low bar. The controls specified in 3.0 provided only limited protection from the least sophisticated of cyber attacks. This is because CE outlines only the most basic cyber security practices that all businesses should have in place, without accounting for other critical measures to prevent damage from threats, such as penetration tests and threat monitoring. Ultimately, aligning to CE alone offers no real resistance against the bulk of security risks in the world today.
Controls included in the CE 3.0 revision, such as password policies, multi-factor authentication, least privilege principles for administrative accounts and having a firewall, are all good starts – but they fall in line with the recommendations you’d make to the average home user of any internet-connected device. Any business which has an online footprint or uses technology – in reality essentially all businesses – will need more robust controls than CE alone provides.
Regarding the changes in version 3.1, in summary, they consist of the following:
- Software Definitions – in 2022, the definition of in-scope software included operating systems, off-the-shelf apps, plug-ins and all firmware. The ‘firmware’ stipulation now only applies to routers and firewalls. The explanation for this rollback from the NCSC was the difficulty in cataloguing all firmware updates.
- Malware Protection – Where previously the controls specifically called for signature-based malware protection (and the maintenance of the signature database), this has been adjusted to simply state that malware protection must:
  - Be active on all “in-scope” devices;
  - Be updated in line with vendor recommendations;
  - Prevent malware from running;
  - Prevent the execution of malicious code; and,
  - Prevent connections to malicious websites.
The reason for this change was not specified, but it is likely due to the prevalence of other detection methods (heuristics, AI, machine learning etc) which are commonly integrated into endpoint protection tools – and their criticality in detecting zero-day and more advanced threats. In summary, this control can be summarised as requiring organisations to “purchase endpoint protection, keep it up to date and have some mechanism for ensuring end users cannot turn it off”.
- Device Unlocking – In version 3.0, organisations had to explicitly configure devices to lock after 10 unsuccessful password attempts. The NCSC have explained that this has been scaled back due to limitations in configurability on some devices. You no longer need to meet this requirement if you’ve implemented MFA or have “reasonable” brute force throttling restrictions in place. For the latter, the guidance recommends “no more than 10 guesses in five minutes”.
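To make the difference between the two device-unlocking rules concrete, here is an added example (not from the article or the NCSC) that models both policies: the 3.0-style lockout after 10 consecutive failures and the 3.1-style rolling “no more than 10 guesses in five minutes” throttle. The attempt sequences are constructed; the point is that the throttle never locks a device, so it tolerates a slow, steady stream of guesses that the lockout rule would stop.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds taken from the two CE rules discussed above.
LOCKOUT_ATTEMPTS = 10        # CE 3.0: lock after 10 unsuccessful attempts
THROTTLE_MAX = 10            # CE 3.1: no more than 10 guesses ...
THROTTLE_WINDOW_SECS = 300   # ... in five minutes (a rolling window here)


@dataclass
class Lockout:
    """CE 3.0 style: count consecutive failures; lock once the limit is hit."""
    failures: int = 0
    locked: bool = False

    def allow(self, now: float) -> bool:
        return not self.locked

    def record(self, now: float, success: bool) -> None:
        if success:
            self.failures = 0          # a correct password resets the counter
            return
        self.failures += 1
        if self.failures >= LOCKOUT_ATTEMPTS:
            self.locked = True         # stays locked until an admin resets it


@dataclass
class SlidingThrottle:
    """CE 3.1 style: at most THROTTLE_MAX failed guesses in any rolling window."""
    failures: deque = field(default_factory=deque)

    def allow(self, now: float) -> bool:
        cutoff = now - THROTTLE_WINDOW_SECS
        while self.failures and self.failures[0] <= cutoff:
            self.failures.popleft()    # forget failures older than the window
        return len(self.failures) < THROTTLE_MAX

    def record(self, now: float, success: bool) -> None:
        if not success:
            self.failures.append(now)


def simulate(policy, attempts) -> int:
    """attempts: iterable of (timestamp_seconds, success). Returns how many
    guesses the policy let through to the password check."""
    accepted = 0
    for t, ok in attempts:
        if policy.allow(t):
            accepted += 1
            policy.record(t, ok)
    return accepted


# Constructed input: one wrong guess every 60 seconds for 100 minutes.
SLOW_GUESSES = [(i * 60, False) for i in range(100)]
```

Run over the constructed slow sequence, `Lockout` lets 10 guesses through and then stops everything, while `SlidingThrottle` lets all 100 through because the window never holds more than five failures; at 10 guesses per five minutes the throttle alone caps an attacker at 2880 attempts per day per account, which is why the article treats this relaxation as a weakening.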
New Guidance in 3.1
In addition to the changes explained above (along with general re-wording and re-ordering of some sections), there are two new pieces of guidance included in version 3.1: Asset Management and Zero Trust Architecture. Despite being seemingly positive changes, they are seriously deficient.
On the subject of asset management, the new guide makes clear that this is not a mandatory CE control. This may appear a strange oversight, given that without some form of asset management, it’s not possible to assess what is considered in scope for CE, nor confirm adherence to the controls.
The NCSC do publish separate recommendations and guidelines for asset management on their website, which can be found here: https://www.ncsc.gov.uk/guidance/asset-management. This resource also further clarifies an organisation’s requirements in relation to third-party devices, contractors who may need access to your assets, and hosted applications and platforms.
In short, this clarification states that any device owned by your company is in scope – along with employee devices, which use or access company applications (for BYOD scenarios – and only in cases where access isn’t just basic voice calls, text or messenger apps native to the device in question).
It is also recommended that you ensure third-party devices are secure, but as this falls outside even the scope of CE+, implementing it is not required to achieve accreditation. The published guidance does recommend ensuring that the third party adheres to some form of ratified standard, specifically naming ISO27001 and NIST, but – perhaps strikingly – does not recommend using a third party’s adherence to CE as a benchmark for good security principles.
In-house apps, or internally developed extensions and tools which interact with commercial applications, are also explicitly excluded from the scope of CE. This is perhaps one of the reasons that CE is not one of the named standards you should use to assess whether a third party is utilising good security practices.
On the subject of Zero Trust, version 3.1 of CE helpfully informs us that lacking adherence to Zero Trust is no barrier to CE certification. This is unsurprising given that Zero Trust architecture is extremely stringent and structured, and many organisations find it difficult or expensive to implement. The NCSC’s guidelines do, however, outline the following 8 principles for organisations wishing to embed zero trust:
- Know your architecture, including users, devices, services and data;
- Know your user, service and device identities;
- Assess user behaviour, service and device health;
- Use policies to authorise requests;
- Authenticate and authorise everywhere;
- Focus your monitoring on users, devices and services;
- Don’t trust any network, including your own; and,
- Choose services that have been designed for zero trust.
As a consequence of these exacting requirements, if you happen to be in what Gartner estimates to be the 1% of businesses who have implemented zero trust architecture (as of January 2023), you likely have controls and tooling in place which far exceed what is required to obtain CE accreditation.
In conclusion, although the latest CE revisions seek to address the changing environment in which companies are operating, by design the IT controls specified in the standard are broad and generic. This allows almost any organisation of any size in any vertical to achieve the standard – it’s a one-size-fits-all approach which unfortunately fits no one very well.
Key Takeaways
- CE (and the slightly more stringent CE+ accreditation) are a useful start for organisations with low levels of cyber maturity – but, at best, they demonstrate that a business has implemented only the most basic of security controls.
- The new modifications to CE make the accreditation even easier to obtain – but the additional abstraction and scope restriction weakens an already lightweight cybersecurity standard.
- When you are risk-assessing potential third parties and vendors, it is not recommended (even by the NCSC themselves) to use CE or CE+ as an indication of adequate security maturity and controls.
- If you have a robust cyber security strategy, you should meet all the requirements of CE by default – but avoid using adherence to it as a guideline. The controls included are not stringent enough to protect most organisations from cyber threats.
If you want to understand how your organisation can achieve a robust cyber security stance, speak with one of our cyber security consultants, who will be happy to help.