25 Nov

What Controls Need to Be in Place to Ensure You Comply?
In the last article we looked at complying with Cyber Essentials and some of the main things to have in order to help your business comply. We also looked at the differences between Cyber Essentials and Cyber Essentials Plus. In this article we are going to look at some more of the requirements for complying with Cyber Essentials.
- Multi-Factor Authentication (MFA) Must Be Used For Access To Cloud Services
When connecting to cloud services, MFA is necessary to add additional security to accounts. Before you can access an account, the Cyber Essentials accreditation requires that you have two different forms of credentials, at the very least.
- Password and MFA Requirements
The Cyber Essentials scheme mandates additional security, alongside MFA, to prevent brute-force password guessing: you must either keep track of and limit the number of password guesses that can be made, or lock accounts after a maximum of 10 unsuccessful attempts.
- Software Licensing, Support, Updating and Removal
Your organisation must make sure that all software on all of your in-scope devices is fully licensed and supported, in accordance with the updated Cyber Essentials standard. When a piece of software is no longer supported, it must also be removed from devices, since failing to do so leaves your systems open to attack.
Wherever possible, you must have automatic updates enabled. One of the most significant changes is that you now have 14 days from the date of release to implement updates that a vendor deems “critical” or “high risk.”
- Device Locking for Physically Present Users
One of the new requirements is centred around device unlocking – you must now use biometrics or a password of at least six characters in length to physically unlock a device.
The credentials on an account need to be protected against cyber attacks. This can be done by limiting the number of opportunities the criminals have by only permitting a certain number of guesses in a set amount of time. You can go one step further by locking devices when there has been a certain number of unsuccessful attempts.
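The brute-force protection described under the password requirements and again here (limit guesses within a set time, or lock after at most 10 failures) can be implemented as a small per-account guard. This is an added illustration, not code from the article or from the Cyber Essentials scheme; the 10-attempt limit comes from the article, while the 300-second throttling window, the mode names and the FakeClock helper are assumptions made for the demonstration.

```python
import time
from collections import deque

MAX_FAILURES = 10      # article: throttle or lock after at most 10 unsuccessful attempts
WINDOW_SECONDS = 300   # assumed throttling window; the article only says "a set amount of time"

class BruteForceGuard:
    """Per-account failed-login tracking for one of the two options the article gives:
    'throttle' (at most MAX_FAILURES guesses per WINDOW_SECONDS) or
    'lockout' (lock the account once MAX_FAILURES consecutive guesses fail)."""

    def __init__(self, mode="lockout", clock=time.monotonic):
        if mode not in ("throttle", "lockout"):
            raise ValueError("mode must be 'throttle' or 'lockout'")
        self.mode, self.clock = mode, clock
        self.failures = {}   # user -> deque of failure timestamps
        self.locked = set()  # users currently locked (lockout mode only)
        self.events = []     # audit trail a SIEM or log collector would ingest

    def _recent(self, user):
        q = self.failures.setdefault(user, deque())
        if self.mode == "throttle":  # only failures inside the window count when throttling
            now = self.clock()
            while q and now - q[0] > WINDOW_SECONDS:
                q.popleft()
        return q

    def allowed(self, user):
        """Should the login form accept another attempt for this user?"""
        if self.mode == "lockout":
            return user not in self.locked
        return len(self._recent(user)) < MAX_FAILURES

    def record(self, user, success):
        """Call after every credential check; a successful login resets the counter."""
        q = self._recent(user)
        if success:
            q.clear()
            return
        q.append(self.clock())
        if self.mode == "lockout" and len(q) >= MAX_FAILURES:
            self.locked.add(user)
            self.events.append(f"LOCKOUT user={user}")  # a lockout is worth alerting on

    def admin_unlock(self, user):
        """Help-desk action: clear the lock and the failure history for one account."""
        self.locked.discard(user)
        self.failures.pop(user, None)

class FakeClock:
    """Controllable clock (assumed helper) so the window can be exercised without sleeping."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
```

A successful login resets the counter in both modes, and in lockout mode only an administrator unlock restores access, which is why lockout events belong in your monitoring.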
What Changes Were Made to Cyber Essentials Plus?
The Cyber Essentials Plus certification features two new tests as part of the assessment process, but otherwise it is equivalent to the regular certification in terms of security control criteria. In the first, the assessor will check whether user and administrative accounts are separated, and in the second, the assessor will check whether your organisation has successfully implemented multi-factor authentication for access to cloud services.
Even though they may be inconvenient, the modifications align with your organisation’s cyber security needs. Your cyber security procedures must evolve as they become more sophisticated, complex, and effective, and Cyber Essentials makes sure you accomplish this successfully.
So, in conclusion, it isn’t that complicated to comply with Cyber Essentials. It normally involves strengthening the security of your business, which is always a good thing. Apart from that, there is some data confidentiality needed for your business to comply with Cyber Essentials.
At Netcom we are well-versed in helping companies in various sectors to navigate the often mystifying, jargon-filled world of IT. With over 15 years’ experience covering virtually all aspects of business IT, we can help guide your business to a prosperous future with the right IT at your side every step of the way. We can help you deploy cutting edge solutions that will not only help you weather the storm that is modern IT but also keep your business at the top of its game post pandemic and beyond. Why not book a free, no obligation discovery call today by ringing 0114 361 0062.