Cybersecurity


What is Cyber Essentials?

Cyber Essentials is a scheme designed by the National Cyber Security Centre (NCSC) and backed by the UK Government in order to promote better cyber security practices, making it easier for companies of all sizes to ensure that they are protected against attacks or loss of data.

Cyber Essentials comes in two levels – a self-assessment approach called Cyber Essentials, and one administered by a registered expert called Cyber Essentials Plus. The latter includes a hands-on audit to check how well Cyber Essentials has been implemented, as well as assistance with any problems.

There are five technical controls that you will have to look at: firewalls, secure configuration, user access control, malware protection and security update management. For firewalls and malware protection, there is a range of products available for businesses of all sizes that can provide protection. Access management involves using multi-factor authentication and setting the right policies on who can access applications and services.

The other two areas can be harder to get right, as they require more work on your processes to keep things accurate over time. Both secure configuration and security update management rely on having an accurate list of all the assets you have in place across the business, and then keeping those assets configured to be secure and any updates deployed. This requires ongoing effort to get it right, from checking your asset inventory for any new devices to regularly auditing your installed software to ensure that the right versions are in place. If there are any problems with these tasks, then a third party – such as a managed services provider – should be able to help.


What to focus on

This year, Cyber Essentials has been updated to make the relationship between asset visibility and the five security controls clearer. This emphasis on asset management shows how important it is that you can effectively see everything that you have. You can’t secure what you don’t know about.


“According to the World Economic Forum at Davos, 93% of cyber leaders and 86% of business leaders think a systemic cyber security event is likely within the next two years.”


Another significant change for this year is the simplification of the malware protection control, which now reflects the use of modern endpoint protection tools. The requirements have been updated to remove references to signature files and scanning of every accessed file, making it more relevant to current security practices. The requirement for sandboxing with the malware protection control has also been removed.

The third major change is the addition and clarification of third-party accounts and devices. With more companies turning to third-party services and consultants for their business operations, and with more Bring Your Own Device schemes running, this required some more thought. Alongside this, the industry has seen a growing number of Managed Service Providers and technology suppliers suffer breaches over the last few years. To improve protection, the National Cyber Security Centre has added third-party security management processes to the certification to address these changes in working practices. This section now takes up as much space as malware protection within the Cyber Essentials standard, which shows how important it is today.

Finally, the concept of ‘Zero Trust’ has been added to the further guidance section. Zero Trust describes how to compartmentalise security steps so that any single issue does not jeopardise the whole security edifice, making it harder for attackers to progress beyond their initial attack. Previously, Zero Trust was ranked only as backup guidance. While it is important to note that this is only guidance and not part of the technical controls required for certification, it is likely that it will be incorporated into the user access control in the near future.

Overall, the Cyber Essentials 3.1 update is focused on modernising the certification to keep up with the rapid pace of security innovation. By updating the requirements for malware protection, third-party accounts and devices, and asset management, the NCSC aims to provide a more comprehensive and relevant certification that meets the changing needs of the security industry. The inclusion of the Zero Trust concept in the guidance section is a step towards a more secure certification for all.


www.pcr-online.biz April 2023 | 25

