Blog: Cyber Essentials

Cyber Essentials and the New Normal

Tom Roberts & Alex Lomas 26 Jan 2021

TL;DR

  • Cyber Essentials has changed and aspects of the new normal are catching many by surprise.
  • Increased levels of evidence and stricter controls determining a pass or a fail are in place.
  • Be prepared for the increased hurdles.
  • Ask for assistance before starting the process if you are uncertain or unclear on the detail needed.

2020 – A year of change in how we work and communicate

It’s fair to say 2020 had its challenges, and many companies have had to come to grips with what is termed the “new normal”. Working from home, remote teams and reliance on networks outside the company’s control have all become aspects of surviving as a business in the current pandemic and cyber landscape.

Cyber Essentials was no exception in evolving to this new way of working, and some aspects of the Cyber Essentials structure have caught business owners off guard. In the past, firms were used to a wide variety of Accreditation Bodies, and perhaps due to this distributed administration, there were aspects of the certification that could have been seen as vague and open to interpretation.

Some companies found that things were left unsaid or unreviewed, and as such, the certification itself wasn’t held in the high regard that it should have been. Instead, it was seen perhaps as a minor obstacle to overcome and achieve. Previously, firms were able to obtain Cyber Essentials Plus at the same time as Cyber Essentials; whilst this is still technically possible, the new self-assessment questionnaire requires much more effort to complete, and it is therefore recommended that this is obtained before embarking on Plus.

2020 saw the Accreditation Bodies reduced to a single one (IASME). Clarification on how Cyber Essentials was to be undertaken was distributed via semi-closed assessor networks, which showed many that Cyber Essentials was growing up and adapting to the new normal, and possibly faster than many commercial bodies were.

Many firms have asked why, in these troubled times, the requirements are getting stronger and more stringent. Well, they aren’t really. What has changed is the clarification on the level of detail needed. This has risen significantly and is now much more akin to the formal audit that it was always supposed to have been.

Attackers adapt to the new normal, so does Cyber Essentials

The attackers have adapted to the new patterns of working and are already looking for weak targets in networks normally never associated with your business.

This brings up the first new point that many businesses are unaware of: if your staff have worked at home the majority of the time in the last couple of months, they are deemed home workers. Given the current government guidelines, this means almost all firms now have home workers that they may not have previously considered.

With it comes the requirement to have policies and procedures in place to capture the assets that these users are now using at home, and policies to guide them in secure usage. Are they following the same kind of security you would want them to adhere to in your office environment? Is the VPN solution you are providing always active or can machines access the internet freely without first connecting? These are important distinctions in terms of assessment.

Another significant change is that the scope for Cyber Essentials Plus is now defined by the answers given in the Cyber Essentials questions. This links the two more closely, and means the evidence required has increased, both for scoping and for the ability to complete a sufficient audit.

A further issue that can pose problems is the new strict adherence to having a comprehensive asset list of hardware and software, and to ensuring all hardware and software packages are fully supported and patched. Several Microsoft operating system versions reached end of life in 2020, and others are due in 2021.

Mobile hardware support is often overlooked, and sometimes mobile estates have Mobile Device Management (MDM) but no enforcement of patching. This can leave them insecure and failing to meet the critical patching window required by Cyber Essentials and Cyber Essentials Plus. A full list of software used on the devices, along with versions, is also required, and this is often not fully understood when answering the self-assessment question.
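The asset-register and patching requirements described above can be checked mechanically once the register exists. The following is an added example written for this post, not code from the original article or from IASME; the inventory records, hostnames, operating system names, support end dates, patch dates and the 14-day patch window are all constructed assumptions for illustration.

```python
"""Added example: a minimal asset-register checker for the two controls
discussed above, supported software and timely critical patching.

Everything in SAMPLE_INVENTORY is constructed sample data, not a real estate.
PATCH_WINDOW_DAYS is an assumed parameter; set it to whatever window your
assessor expects."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW_DAYS = 14  # assumed patch window for critical updates


@dataclass
class Asset:
    hostname: str
    owner: str                                  # "company", "home" or "byod"
    os_name: str
    os_version: str
    support_ends: Optional[date]                # None = vendor support end date unknown
    last_critical_patch_released: Optional[date]
    last_critical_patch_installed: Optional[date]
    software: Dict[str, str]                    # package name -> installed version


# (hostname, control, message) so findings can be grouped per control
Finding = Tuple[str, str, str]


def check_support(asset: Asset, today: date) -> Optional[Finding]:
    """Unsupported or unknown-support operating systems cannot be evidenced as supported."""
    if asset.support_ends is None:
        return (asset.hostname, "support",
                f"support end date for {asset.os_name} {asset.os_version} is unknown")
    if asset.support_ends < today:
        return (asset.hostname, "support",
                f"{asset.os_name} {asset.os_version} out of support since {asset.support_ends}")
    return None


def check_patch_window(asset: Asset, today: date,
                       window_days: int = PATCH_WINDOW_DAYS) -> Optional[Finding]:
    """A critical patch must be installed within window_days of its release."""
    released = asset.last_critical_patch_released
    installed = asset.last_critical_patch_installed
    if released is None:
        return None                             # nothing outstanding
    deadline = released + timedelta(days=window_days)
    if installed is not None and installed <= deadline:
        return None                             # applied in time
    if installed is None and today <= deadline:
        return None                             # still inside the window
    return (asset.hostname, "patching",
            f"critical patch released {released} not applied by {deadline}")


def check_software_versions(asset: Asset) -> Optional[Finding]:
    """The questionnaire asks for versions, so a blank version is a gap in evidence."""
    missing = sorted(name for name, version in asset.software.items() if not version)
    if missing:
        return (asset.hostname, "inventory",
                "version missing for: " + ", ".join(missing))
    return None


def audit(inventory: List[Asset], today: date) -> List[Finding]:
    """Run every check over every asset and return the findings in a stable order."""
    findings: List[Finding] = []
    for asset in inventory:
        for result in (check_support(asset, today),
                       check_patch_window(asset, today),
                       check_software_versions(asset)):
            if result is not None:
                findings.append(result)
    return findings


# Constructed sample register; the audit date matches the post's publication date.
AUDIT_DATE = date(2021, 1, 26)
SAMPLE_INVENTORY = [
    Asset("LAPTOP-01", "company", "ExampleOS", "10", date(2025, 10, 14),
          date(2021, 1, 12), date(2021, 1, 14), {"Browser": "88.0", "OfficeSuite": "2019"}),
    Asset("LAPTOP-02", "home", "ExampleOS", "7", date(2020, 1, 14),
          date(2021, 1, 5), None, {"Browser": "88.0"}),
    Asset("PHONE-03", "byod", "MobileOS", "12", None,
          date(2021, 1, 4), date(2021, 1, 25), {"MailClient": ""}),
]

if __name__ == "__main__":
    for hostname, control, message in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{hostname:10} {control:10} {message}")
```

Run as-is it reports nothing for the fully patched company laptop, two findings for the home-working laptop (out-of-support OS, patch outside the window) and three for the BYOD phone (unknown support, late patch, missing software version), which mirrors the ordering of difficulty the post describes.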

BYOD is harder than you may think

This brings me to Bring Your Own Device (BYOD) and the difficulty of having it in scope. Often BYOD means a lack of control and oversight of the devices. If they also have access to your business data, this will be a hard thing to achieve in security terms.

Many of the questions you answer have to apply to the BYOD devices, and without controls you cannot say with certainty what is happening on those devices. Because of this, passing with BYOD is difficult unless strict controls are in place, which is often at odds with BYOD principles.

Reach out and ask for help

It is strongly advised that if you haven’t had an IASME-based Cyber Essentials assessment previously, you read the guidance notes VERY carefully. When completing your self-assessment, be sure that anyone without an understanding of your company is able to completely understand the scope of the assessment, and that all areas of ambiguity are clarified or covered by the answers.

If you are unclear, I strongly recommend having some pre-assessment consultancy to go over the new level of detail required. If you are an ISO 27001 certified firm, then this will not be new, and should all be in place.

Passing is merely a case of ensuring all answers are of a commensurate level of detail. You will also need to provide evidence of the policies and procedures in place, to demonstrate that what you are stating is true, enforced and audited by yourselves, and improved over time.