The National Cyber Security Centre (NCSC) has introduced its latest set of requirements for the Cyber Essentials scheme. Any new assessments going forward must adhere to the new format called Evendine. This scheme was launched in 2014 and this is by far the biggest update to be made since. The Cyber Essentials update is in response to the new world of hybrid work and the cyber security challenges that we now face. So how will this impact home workers?
In a nutshell, passing Cyber Essentials got harder.
Did you know that simply being Cyber Essentials certified can reduce your cyber risk by up to 98.5%? Or that you have to be Cyber Essentials certified if you want to do business with the UK Government? Some of the changes to the scheme are significant. And whether you realise it or not, they create an inherent requirement for your business to have a digital transformation strategy that addresses a number of topics.
Home workers and their devices
A key topic focuses on home workers and device attack surfaces. Given how dramatically the business landscape has changed, most organisations would be interested in it. So, what does this mean for you? This scenario about ‘Joe’ explains:
Assume that Joe is a home worker for “Vito’s Pizza Holdings LLC”. Joe accesses company files through Microsoft OneDrive using his own laptop which is connected to his home router.
What falls within the scope of the scheme checkpoints following the new changes?
Joe’s access to organisational data (thus his identity).
One of the user access controls that has become mandatory from a Cyber Essentials perspective is Multi-Factor Authentication (MFA) for access to cloud services.
If Joe’s access to OneDrive is not protected by MFA, then you are not Cyber Essentials compliant and you would fail the audit if you went for the Cyber Essentials certification. The good news is that the scheme knows you may not be there yet, so it gives “Vito’s Pizza Holdings LLC” a grace period until January 2023 to comply.
Remote Worker 1 – Joe:
It doesn’t matter if Joe uses his own devices to access company data. Nor does it matter if he only does this for small amounts of time. This is now in scope and all Cyber Essentials controls would apply.
One of the “device controls” which is audited is device security updates. “Vito’s Pizza Holdings LLC” needs to ensure that all high and critical updates are applied within 14 days of the update being released. What counts as high or critical? Any update with a CVSS v3 score of 7 or above.
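As an added illustration of that control (this is not code from the original post or from the 848 Group), the following Python check takes an inventory of pending updates per device and reports which ones have already breached the 14-day window. The device names, update identifiers, scores and dates are all constructed sample values, and it assumes that an update which fixes several vulnerabilities is rated by the highest CVSS v3 base score among them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rule restated from the Cyber Essentials text: updates rated high or critical
# (CVSS v3 base score of 7.0 or above) must be applied within 14 days of release.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class PendingUpdate:
    device: str       # hostname or asset tag (constructed sample values below)
    update_id: str    # vendor update identifier (placeholder values below)
    cvss_v3: float    # assumption: highest CVSS v3 base score the update addresses
    released: date    # vendor release date


def is_in_scope(update: PendingUpdate) -> bool:
    """High/critical means CVSS v3 >= 7.0; lower scores are not bound by the 14-day rule."""
    return update.cvss_v3 >= CVSS_THRESHOLD


def deadline(update: PendingUpdate) -> date:
    """Last day on which the update can still be applied 'within 14 days'."""
    return update.released + PATCH_WINDOW


def days_remaining(update: PendingUpdate, today: date) -> int:
    """Days left before the deadline; zero on the deadline day, negative once overdue."""
    return (deadline(update) - today).days


def overdue_updates(pending, today: date):
    """In-scope updates whose window has elapsed, oldest release first."""
    overdue = [u for u in pending if is_in_scope(u) and today > deadline(u)]
    return sorted(overdue, key=lambda u: u.released)


def compliance_report(pending, today: date) -> dict:
    """Per-device list of overdue update ids; an empty list means the device is compliant."""
    report = {u.device: [] for u in pending}
    for u in overdue_updates(pending, today):
        report[u.device].append(u.update_id)
    return report


# Constructed inventory for Joe's devices; the assessment date is also made up.
REFERENCE_DATE = date(2022, 3, 1)
SAMPLE_PENDING = [
    PendingUpdate("laptop-joe", "UPD-0001", 8.8, date(2022, 2, 1)),   # deadline 15 Feb: overdue
    PendingUpdate("laptop-joe", "UPD-0002", 6.9, date(2022, 1, 5)),   # below 7.0: out of scope
    PendingUpdate("laptop-joe", "UPD-0003", 7.0, date(2022, 2, 15)),  # deadline 1 Mar: last compliant day
    PendingUpdate("phone-joe", "UPD-0004", 9.8, date(2022, 2, 14)),   # deadline 28 Feb: one day overdue
]


def main():
    for device, overdue in compliance_report(SAMPLE_PENDING, REFERENCE_DATE).items():
        status = "COMPLIANT" if not overdue else "BREACH: " + ", ".join(overdue)
        print(f"{device}: {status}")
    for u in SAMPLE_PENDING:
        if is_in_scope(u):
            print(f"  {u.update_id} on {u.device}: {days_remaining(u, REFERENCE_DATE)} day(s) remaining")


if __name__ == "__main__":
    main()
```

The two edge cases worth noting are built into the sample: a score of exactly 7.0 is in scope, and the fourteenth day after release is still inside the window, so a breach is only recorded from day fifteen onwards. In a real estate the inventory would come from the endpoint management tool rather than a hard-coded list.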
Now you may think… “Wait – does this mean that I need to enforce device updates on Joe’s personal laptop if he’s accessing his email or data once in a while?”
Short answer: YES.
The Cyber Essentials Evendine booklet states that “All computers, laptops, servers, mobile phones, tablets, and firewalls/routers that can access the internet and are used by the organisation or sub-unit to access organisational data or services, should be considered in scope for Cyber Essentials.” The important word here is ‘scope’: it is not open to interpretation, so you need to control who accesses company data, how, and from what device.
Note that beyond Joe’s laptop, if Joe uses his smartphone or tablet to view or use organisational data and/or services (e.g. an HR leave request application built on Microsoft Dynamics, or a Power BI report viewed with a Power BI free licence), Cyber Essentials applies to that device too. The only exceptions are devices used solely for voice calls, text messages or MFA applications (e.g. Microsoft Authenticator).
An essential tool for all home workers – OneDrive:
This is now considered an organisational cloud service, and the organisation “is responsible for ensuring that all the Cyber Essentials controls are implemented”.
This is a pretty important change as in the previous iteration of Cyber Essentials, Platform as a Service (PaaS) or Software as a Service (SaaS) elements were not in scope.
The new scheme wants you to “take responsibility for user access control and the secure configuration of their services which would include securely managing access to the different administration accounts and blocking accounts that they do not need”.
Microsoft has a shared responsibility model that you will need to check to ensure end-to-end compliance. This is because the responsibility for providing the evidence lies with Vito’s Pizza Holdings LLC, not with the provider.
What is not in scope in this scenario?
“Home routers provided by ISPs or by the home worker are now out of scope”. The firewall controls are transferred to the home worker’s device. If the router was provided by the organisation, then it would fall within Cyber Essentials scope. If the remote worker has to connect to a VPN, then the corporate firewall or virtual cloud firewall behind that VPN is also in scope.
With all these controls and changes in place (and this is not an exhaustive list), any size of business trying to comply with Cyber Essentials would need a very competent technical team that understands the requirements and can respond accordingly.
Get expert guidance to help you achieve the Cyber Essentials certification
The 848 Group can help you in your digital transformation and cybersecurity journey. We hold the Cyber Essentials certification, as well as advanced Microsoft accreditations in Information Protection and Governance, and Identity and Access Management. Our team will help your business adopt the security controls outlined by Cyber Essentials and meet the requirements to achieve the accreditation first time.
Kay is a senior solutions architect specialising in cybersecurity, information protection and governance, identity and access management and zero-trust architecture. He has a long list of accreditations and over 15 years of experience in designing, securing, and scaling cloud-first solutions. In his free time, he uses his knowledge to share information that supports stronger security practices.