The 2023 Cyber Essentials Update: What You Need to Know

Introduction 

When it comes to running a business, it can sometimes feel like your to-do list never ends.  

But there are some items which you really can’t afford to skip—and cyber security is one of the biggest.  

With a 77% increase in UK cyberattacks in 2022, it’s no wonder organisations are looking for ways to mitigate and ideally avoid cybersecurity breaches altogether. That’s one of the reasons that the NCSC’s Cyber Essentials scheme was created—and it’s also the reason it’s been updated several times since its launch in 2014.  

With the latest update in April 2023, several changes have been made to bring the certification up to date with today’s cyber climate, and we’ve got everything you need to know below.  

What is the NSCS Cyber Essentials? 

As we’ve explored previously here on the Get Support blog, Cyber Essentials is a government-endorsed initiative which helps businesses safeguard themselves against the ever-growing threat of cyberattacks. Cyber Essentials offers a comprehensive framework which details the fundamental controls organisations should implement to bolster their defences. By ensuring their operations comply with the NCSC’s best practices, UK companies can become Cyber Essentials certified.  

The Cyber Essentials scheme was developed by the National Cyber Security Centre (NCSC) back in 2014, and the certification itself is delivered by the IASME (Information Assurance for Small and Medium Enterprises) Consortium. It’s regarded as an initial (and crucial) step towards establishing a more secure network, effectively shielding organisations from the most common forms of cyberattacks and breaches. 

The latest requirements, version 3.1 also known as the Montpelier question set, came into force on April 24^th 2023.  

The April 2023 Cyber Essentials update: What’s changed? 

As we mentioned above, the version 3.1 of the certification wasn’t quite as extensive as previous updates, but it’s still worth knowing about it you’re even considering Cyber Essentials.  

Here are the key updates you need to know.  

The use of third-party devices 

It can be difficult to decide exactly which devices your employees use would fall under the remit of the Cyber Essentials certification. Company-issued devices might be a given, but what about an employee’s personal smartphones, devices belonging to students, or devices being used on a Bring Your Own Device (BYOD) basis?  

With the April ’23 update, the NSCS has clarified exactly which devices are ‘in scope’ (i.e. covered by the certification) and which are not. They’ve updated the guidelines with a straightforward table for quick reference.

A new approach to malware protection 

With the 3.1 update, the NSCS has added a couple of different options for how organisations approach malware protection for their in-scope devices. 

They can either: 

• Ensure that all in-scope devices have fully updated anti-malware software installed which is able to prevent malicious code from executing, prevent malware from running, and prevent connections to malicious websites.  
• Use a so-called “allow list” approach, which effectively allows users to only install very specific approved applications to their device.  

An update to device unlocking rules 

Most modern devices have some sort of failsafe system whereby if a user attempts to log in unsuccessfully too many times, the device will lock either until an admin intervenes or for a set period of time. 

With previous versions of the Cyber Essentials specification, the maximum number of login attempts was set at 10. However, it’s become clear that some manufacturers—including Samsung—have higher minimums which cannot be changed. For this reason, the new specification requires that organisations set the device to lock after the minimum number of attempts allowable by that device.  

Clarifications around firmware requirements 

Previously to this update, it was a requirement that organisations list the specific firmware for all of their in-scope devices. Firmware is like software, except that it operates on the lowest layer of your device—below the operating system itself. Under the previous Cyber Essentials certification, it was a requirement that all firmware on all in scope devices be kept up to date at all times.  

For many organisations, it was difficult and time-consuming to maintain firmware updates for every single device, so the NSCS will now require only the firmware details for the organisation’s router and firewall. 

Is Cyber Essentials worth it for UK businesses? 

It’s easy to dismiss things that might seem to be simply ‘nice-to-have’, but, while Cyber Essentials is an optional certification, we still recommend it for almost all UK businesses.  

Here’s why:  

• Simply better cybersecurity. The biggest benefit is naturally that your business will be far better equipped to understand, recognise, and mitigate the most common cyberattacks in today’s world. Cyber Essentials gives you a simple roadmap to implement key security measures to keep your business safe.  
• You’ll be more attractive to potential business partners. Whether you’re prospecting for new customers or simply looking to retain existing ones, a Cyber Essentials certification signals to everyone that their data will be safe with you.  
• Long-term cost savings. When your workforce is all equipped with the knowledge required to recognise cyberattacks, you can prevent them from ever happening. This culture of cybersecurity awareness can protect your business from the huge cost of remediation following a successful attack.  

If you’re new to Cyber Essentials and you’d like to know more about getting your business certified, be sure to ask your Get Support account manager for more details.