
Cyber Essentials Changes: Critical Updates

Written by Cyber Security Associates | Jan 20, 2022 5:00:00 AM

Executive Summary

Cyber Essentials is set to receive its biggest update yet on 24th January 2022. The government-backed scheme, which is organised by the National Cyber Security Centre (NCSC), is a way for businesses to showcase their cybersecurity credentials and reassure their customers and clients that they are committed to protecting all of their sensitive information from the most common online threats. With the update fast approaching, we’ve put together a series of blogs to explain what all of the biggest changes are.

What’s changed?

To get the Cyber Essentials accreditation, your company or organisation will need to meet all of the NCSC’s key requirements. Since the workplace landscape has changed so much over the past few years, these requirements have had to evolve as well. One of the major changes concerns software updates. All high and critical updates to your software and devices must be applied within 14 days, and automatic updates should be enabled wherever possible. Any software on devices that fall under the scope of the scheme, meanwhile, must be licensed and supported, and any unsupported software must be removed.

Why has this changed?

Cyber Essentials defines critical updates as ones that fix vulnerabilities described by the vendor as ‘critical’ or ‘high risk’; that address vulnerabilities with a CVSS v3 score of 7 or above; or for which there are no details on the level of vulnerabilities being fixed. There used to be a set of criteria that updates needed to meet, but now organisations need to apply all high and critical updates to their systems.
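As an added example (not from Cyber Essentials, the NCSC or the authors of this blog), the definition above and the 14-day window can be turned into a check over a patch inventory. The field names and sample updates are constructed, and the 14 days are assumed to run from the update's release date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # "within 14 days"; counted from release (assumption)
CVSS_THRESHOLD = 7.0               # "CVSS v3 score of 7 or above"

@dataclass
class Update:                      # hypothetical inventory record
    name: str
    released: date
    vendor_severity: Optional[str]    # None = vendor published no rating
    cvss_v3: Optional[float]          # None = no score published
    installed: Optional[date] = None  # None = not yet applied

def in_scope(u: Update) -> bool:
    """True if the update falls under the 14-day rule."""
    sev = (u.vendor_severity or "").strip().lower()
    # A bare "high" is treated like "high risk" (assumption).
    if sev in {"critical", "high", "high risk"}:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No rating and no score: no details on what is fixed, so in scope.
    return not sev and u.cvss_v3 is None

def overdue(updates, today: date):
    """Names of in-scope updates applied late, or still missing past the window."""
    late = []
    for u in updates:
        if not in_scope(u):
            continue
        deadline = u.released + PATCH_WINDOW
        applied = u.installed or today  # an unapplied update is judged as of today
        if applied > deadline:
            late.append(u.name)
    return late

# Constructed sample inventory
SAMPLE = [
    Update("mail-server-fix", date(2022, 1, 3), "Critical", 9.8),
    Update("browser-update", date(2022, 1, 4), None, 7.0, date(2022, 1, 10)),
    Update("firmware-blob", date(2022, 1, 2), None, None, date(2022, 1, 20)),
    Update("office-cosmetic", date(2022, 1, 1), "Low", 3.1),
    Update("vpn-client", date(2022, 1, 12), "high", None),
]

if __name__ == "__main__":
    print(overdue(SAMPLE, date(2022, 1, 24)))
```

The update with no severity information is the case most often missed: it is flagged even though nothing marks it as high or critical.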

Organisations can no longer be selective about which patches they use, as even the smallest vulnerability could leave them susceptible to cyber attacks. Recently, a vulnerability in the Microsoft Exchange System made headlines, and quickly escalated from a complex state actor attack to a ransomware attack. It’s for this reason that, if businesses want to meet the Cyber Essentials requirements, then they’ll need to ensure every update is applied as soon as possible.

Make sure to check out the rest of our Cyber Essentials blogs, which cover everything from home routers and cloud services to multi-factor authentication, and keep an eye out for the last in the series. To find out more about the new requirements for Cyber Essentials, or learn how we can help your business to make all of the necessary updates, get in touch with us.