Skip to content
January 24, 2022
2 min read time

Cyber Essentials Changes: What You Need To Know

Executive Summary

The Cyber Essentials scheme provides business and organisations with a certification that assures customers and clients that they’re committed to cybersecurity, and guarding their data against the most common online threats. As the way in which we work has changed dramatically in recent times, the requirements for the scheme have recently been updated, and come into effect on 24th January 2022. This is the final part in our series of blogs that take a close look at some of these updates, where we have already covered the biggest changes to come.

What’s changed?

The new update is the biggest change to the Cyber Essentials scheme since it was launched by the National Cyber Security Centre (NCSC) back in 2014. While some of the changes may seem smaller than others, they’re no less important, and you’ll need to meet all of them if you want to ensure your firm meets the Cyber Essentials standards. All of them will also help to keep your information safe from the constantly-evolving threats of cyber criminals. Below is a list of some of the updated requirements.

  • When unlocking a device, you must use biometrics, or a password or PIN at least six characters long.
  • Thin clients, or ‘dumb terminals’ capable of accessing a remote desktop, fall under the scope of the scheme when connecting to your organisation’s data or services.
  • All phones and tablets used to access your organisation’s data or services are in scope.
  • All servers, including virtual servers, are also in scope.
  • A new definition of ‘licensed and supported software’ defines it as software that the vendor has committed to supporting with regular patches and updates.
  • Software that doesn’t meet this definition should be moved into a zone without internet access.
  • You must use separate accounts to perform any administrative tasks.

Backing up your data isn’t a requirement of Cyber Essentials, but there is guidance on backing up any important data, and it’s highly recommended. There are also two new tests that have been added to the Cyber Essentials Plus Audit. The tests confirm account separation between user and admin accounts, and confirm that multi-factor authentication is required when accessing cloud services.

Missed the other blogs in our Cyber Essentials update series? No problem, you can read our first blog on home routers, our second blog on cloud services, our third blog on multi-factor authentication, and our fourth on critical updates. To find out more, or get some advice on how your business can meet the new requirements, you can get in touch with us.