Business Reporter

The myths and realities of Cyber Essentials

Jordan Schroeder at Barrier Networks describes common “mythconceptions” around Cyber Essentials certification that are putting businesses at risk

There can be no denying that cyber crime is a challenge for all businesses today. Threats are at an all-time high, while our reliance on digital grows every day.

Not only are organisations implementing remote working at scale, but their networks are also growing increasingly cloud-based, which has expanded their attack surface far beyond its traditional perimeters.

As a result, many organisations want to demonstrate to their customers that they are cyber-conscious and that, despite their rapidly changing and growing environments, they are still doing everything they can to protect the data they hold.

One of the ways they are achieving this is through Cyber Essentials certification.

Cyber Essentials is a UK-government-backed scheme which provides guidance and assesses an organisation’s cyber security posture to ensure it meets the minimum cyber security best practices.

However, one of the biggest stumbling blocks many businesses face when it comes to achieving certification is the myths surrounding the Cyber Essentials requirements.

Yet these myths cause far more damage than mere cyber security confusion. They put businesses off the scheme entirely because they believe their infrastructure cannot meet the requirements. Those businesses then forgo a Cyber Essentials assessment, which can leave them blind to issues that make them vulnerable to attack.

So, what are the most common Cyber Essentials myths businesses should be aware of? And, most importantly, what is the reality behind them?

Myth 1: Since SaaS is now in scope, every little site that someone in the organisation uses is now in scope and has to be compliant

Reality – There are a lot of Software-as-a-Service (SaaS) applications that staff within your organisation may use as part of their job. While it would be best if all those sites were Cyber Essentials compliant, the scope you are responsible for does not include them all. The important rule to know about SaaS scoping is that only SaaS services whose user accounts are managed by your organisation are in scope.

So, if a staff member privately uses an image-editing site that your organisation does not subscribe to, that SaaS does not get pulled into scope. However, if your organisation pays for or subscribes to the SaaS app, or in any way manages or assigns user accounts for your staff on it, then it is in scope.

Myth 2: Since MFA is now required on cloud services, we can’t use a cloud service that does not have MFA

Reality – MFA is a very important account security control that should be available on all services, but the fact is that MFA is not available on all cloud services and applications. Such services will not prevent you from getting Cyber Essentials certified. The rule is: if MFA is offered by the service, you need to enable it.

Myth 3: The home networks and routers of WFH employees are in scope and need to be inventoried and compliant

Reality – While this was true for a short time, the NCSC has rolled back this requirement. The only home networking devices in scope are those that have been supplied by the organisation.

Myth 4: To comply with the new MFA requirements, we must use SMS or TOTP MFA codes

Reality – Multi-factor authentication (MFA) is now expected on all accounts, but not all services offer MFA, and some users cannot use SMS-based, TOTP or authenticator-app-based MFA. Strong account-control options exist for these accounts where there is a legitimate reason not to enable MFA for some users, such as disabilities, equipment or device limitations, or other reasons.

Myth 5: All firmware needs to be tracked and updated like software does

Reality – Not all firmware is in scope. The firmware that is in scope is the firmware on network devices, laptops, tablets and mobile phones. This firmware needs to be inventoried, tracked and updated when required. Firmware in IoT devices, computer peripherals and the like is not in scope.

Myth 6: The existence of end-of-life operating systems or software in our organisation means we can never be compliant

Reality – This myth is only partly true. Many organisations have business-critical systems that will never pass compliance. If you have end-of-life operating systems or software in scope, then that scope cannot pass compliance. But there are ways to place those systems out of scope and certify the rest of the organisation.

Myth 7: You can achieve Cyber Essentials compliance just by writing compliant corporate policies

Reality – Many organisations that do not have many technical controls in their environment to technically enforce the Cyber Essentials controls have attempted to compensate by writing corporate policies and providing training to act as equivalent controls. This was allowed in limited ways in the past, but because it is contrary to the spirit and intent of the Cyber Essentials scheme, it is no longer permitted, except in the niche case of mobile device controls for small organisations.

Myth 8: All brand-new mobile devices are under support and compliant

Reality – The Cyber Essentials standard says that all devices need to be under active support so that they receive security updates. Devices that are not under active support are non-compliant.

However, some mobile device manufacturers have abandoned support for some of their new devices shortly after release. This may be because the device was not as popular as they hoped, or because they lost key suppliers needed to maintain the product line. The result can be a relatively new device that is non-compliant for being out of support.

Myth 9: If I use Remote Desktop Services or VDI environments, then the devices connecting to those services are out of scope

Reality – This is not true. Devices connecting to Remote Desktop services, VDI services or bastion servers are considered to be devices accessing business services and data, and they are in scope. All technical controls for in-scope devices apply to them, just as they apply to mobile devices and laptops.

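As an added illustration that is not part of the article or of Barrier Networks' material, the scoping rules behind Myths 1, 2, 5, 6, 8 and 9 can be turned into a small inventory checker that reports which assets are out of scope and which in-scope assets would block certification. The device and SaaS inventory below is constructed, and the rule encoding is an interpretation of the article's statements, not the NCSC's assessment logic.

```python
"""Inventory checker modelled on the Cyber Essentials scoping rules described in the article.

Constructed example: the inventory is made up and the rules are an interpretation of
the article's statements (Myths 1, 2, 5, 6, 8, 9), not official NCSC assessment logic.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Device classes whose firmware must be inventoried and patched (Myth 5).
FIRMWARE_TRACKED_KINDS = {"network", "laptop", "tablet", "phone"}


@dataclass
class Device:
    name: str
    kind: str                       # laptop, phone, tablet, network, iot, peripheral, server
    os_supported: bool              # False = end-of-life operating system (Myth 6)
    firmware_current: bool
    support_end: Optional[date]     # vendor support end date; None = still supported (Myth 8)
    excluded_from_scope: bool = False   # deliberately segregated out of scope (Myth 6)
    vdi_only: bool = False          # reaches business data only through RDS/VDI (Myth 9)


@dataclass
class SaasService:
    name: str
    org_managed_accounts: bool      # accounts created or assigned by the organisation (Myth 1)
    offers_mfa: bool
    mfa_enabled: bool


def device_in_scope(d: Device) -> bool:
    # Myth 9: connecting only via RDS/VDI is NOT an exemption; only an explicit
    # scope exclusion removes a device from the assessment.
    return not d.excluded_from_scope


def assess_device(d: Device, today: date) -> List[str]:
    """Return compliance findings for one in-scope device (empty list = no issues)."""
    findings: List[str] = []
    if not d.os_supported:
        findings.append("end-of-life operating system in scope")
    if d.support_end is not None and d.support_end < today:
        findings.append(f"out of active support since {d.support_end.isoformat()}")
    # Myth 5: firmware is only assessed on network devices, laptops, tablets and phones.
    if d.kind in FIRMWARE_TRACKED_KINDS and not d.firmware_current:
        findings.append("firmware not up to date")
    return findings


def saas_in_scope(s: SaasService) -> bool:
    # Myth 1: only SaaS whose user accounts the organisation manages is in scope.
    return s.org_managed_accounts


def assess_saas(s: SaasService) -> List[str]:
    # Myth 2: MFA must be enabled where the service offers it; a service with no MFA
    # option is not itself a failure.
    if s.offers_mfa and not s.mfa_enabled:
        return ["MFA offered by the service but not enabled"]
    return []


def assess(devices: List[Device], services: List[SaasService], today: date) -> Dict[str, object]:
    """Build a report: out-of-scope assets, findings per in-scope asset, overall verdict."""
    report: Dict[str, object] = {"out_of_scope": [], "findings": {}}
    for d in devices:
        if not device_in_scope(d):
            report["out_of_scope"].append(d.name)
            continue
        issues = assess_device(d, today)
        if issues:
            report["findings"][d.name] = issues
    for s in services:
        if not saas_in_scope(s):
            report["out_of_scope"].append(s.name)
            continue
        issues = assess_saas(s)
        if issues:
            report["findings"][s.name] = issues
    report["can_certify"] = not report["findings"]
    return report


# Constructed inventory used for the demonstration.
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("lap-01", "laptop", True, True, None),
    Device("vdi-laptop-02", "laptop", True, False, None, vdi_only=True),            # Myth 9
    Device("phone-03", "phone", True, True, date(2023, 11, 30)),                   # Myth 8
    Device("cam-04", "iot", True, False, None),                                      # Myth 5
    Device("legacy-srv-05", "server", False, True, None, excluded_from_scope=True),  # Myth 6
    Device("legacy-srv-06", "server", False, True, None),                           # Myth 6, in scope
]
SERVICES = [
    SaasService("personal-image-editor", False, True, False),   # Myth 1: not org-managed
    SaasService("crm", True, True, False),                      # Myth 2: MFA offered, not enabled
    SaasService("ticketing", True, False, False),               # Myth 2: no MFA offered
]

if __name__ == "__main__":
    for key, value in assess(DEVICES, SERVICES, TODAY).items():
        print(key, value)
```

Running the module prints the segregated legacy server and the privately used image editor as out of scope, flags the VDI-only laptop's stale firmware, the out-of-support phone, the in-scope end-of-life server and the CRM without MFA enabled, and leaves the IoT camera and the MFA-less ticketing tool without findings, matching the article's reading of each rule.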
Jordan Schroeder is managing CISO at Barrier Networks

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd.