Policy Monitor

The need for change: Protect your organisation against cyber threats with revamped Cyber Essentials

In early 2022 the National Cyber Security Centre (NCSC) introduced a major overhaul of the Cyber Essentials technical controls to reflect changes in technology since the programme’s launch in 2014. In this article Nick Denning, CEO of Policy Monitor, outlines the need for change and how the latest Cyber Essentials can help protect your organisation.

A major technical review of the UK’s Government-backed Cyber Essentials programme highlighted new ways to help organisations maintain cyber hygiene against rapidly evolving threats within a changing IT landscape.

Look away now if you want to sleep soundly

If you are looking for some soothing bedtime reading, it is best not to Google “cybercrime statistics”. You’ll find a plethora of UK and global surveys and reports with data on the increasing and evolving cyber threats. The numbers vary but the message is the same: organisations can’t afford to take their eye off the ball, and addressing cyber security needs to be an ongoing programme, not a one-off event. The recent changes to UK Cyber Essentials will help in the process of keeping your organisation cyber aware and secure.

The latest annual UK Cyber Security Breaches Survey, which informs and aligns with the UK National Cyber Strategy, shows that in the last 12 months 39% of UK businesses identified a cyber-attack. Within the group of organisations reporting attacks, 31% of businesses and 26% of charities estimate they were attacked at least once a week. However, the report also finds that enhanced cyber security in an organisation leads to higher identification of attacks, so it is likely that ‘cyber immature’ organisations are significantly under-reporting.

Other reports take a more global perspective. The annual Cyberthreat Defense Report, which covers 17 countries and 19 industries, found that a record 86% of organisations suffered a successful cyber-attack last year. Of the surveyed organisations, 69% were compromised by ransomware, with 57% paying up, which only encourages cybercriminals to increase their attacks.

Is enough being done to catch the criminals?

UK law enforcement has yet to fully gear up to address the increasing challenges of cybercrime and cyber-enabled crime, including the four most common types: cryptomining, phishing, trojans and ransomware. Action Fraud, the UK’s national reporting centre for fraud and cybercrime, shows via its interactive dashboard that there were 426,996 reported cases over the last 13 months with £3.1 billion in losses. The proportion of crimes reported to Action Fraud that lead to convictions is worryingly low. The best policy is to ensure maximum protection from attack rather than needing to rely on procedures that kick in after an attack.

As criminals exploit the changing IT landscape new defences are needed

The World Economic Forum (WEF), which met virtually in January 2022, warned of the increasing global risks from cyber security failures. The WEF’s 17th annual Global Risks Report cites the world’s growing dependency on digital systems as fundamentally changing societies.

There have been other significant changes to the IT landscape since Cyber Essentials was first launched in 2014. The landscape cybercriminals are working in is very different, and the defence mechanisms have changed. A far-reaching technical review of Cyber Essentials highlighted new ways to help organisations maintain cyber hygiene.

How can the revamped Cyber Essentials help?

The National Cyber Security Centre’s (NCSC) update responded to the increase in cloud computing, changes to multi-factor authentication, increased cyber threats and the move to hybrid working accelerated by COVID-19.

The original principles remain the same but now reflect changed scenarios presented by new technologies and different ways of working. Cyber Essentials continues to provide a baseline standard for cyber security within the UK, employing five technical control areas which are:

  • Firewalls
  • Secure configuration
  • User access controls
  • Protection against malware
  • The application of software updates

All of these areas are now in the context of IT advances since the original publication of Cyber Essentials in 2014. Organisations should revisit the Cyber Essentials information on the NCSC website and review cyber security arrangements in line with these updates.

The refreshed Cyber Essentials provides fresh guidance on cloud services. A shared responsibility model is proposed which makes clear the security obligations of cloud providers and cloud users in the context of the three main kinds of cloud service (IaaS, PaaS and SaaS), mapped against the five technical controls.

An increase in remote and hybrid working has greatly expanded the security boundaries of organisations since Cyber Essentials was first introduced. Guidance has been expanded to enable organisations to make a more complete assessment of the potential issues of home working, including extending firewall controls to end user devices. Password requirements have been updated to match current NCSC guidance, which includes the suggestion to adopt ‘three random words’ passwords. There is also advice on choosing the additional factors appropriate for your organisation when introducing multi-factor authentication (MFA).

What to do next?

Your next steps should be to download the updated Cyber Essentials information from the NCSC site and read the blog from IASME, which gives an excellent overview of the impact of the changes. Use this information to review your own current cyber security arrangements. Talk to us at Policy Monitor for further advice and to see how our tools can help manage the processes involved in keeping your organisation cyber aware and secure.