Cyber Essentials 2023 – The arrival of Montpellier!
Cyber security is an essential aspect of any business today. With the rise of digital technologies and the widespread use of the internet, businesses are exposed to various cyber threats that can harm their operations, reputation, and customers. Cyber Essentials is a program designed to help businesses protect themselves against cyber-attacks. In this blog, we will explore Cyber Essentials r and how it can benefit your business.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification program that helps businesses protect themselves against cyber threats. The program provides a set of security standards that businesses can follow to secure their IT systems and data. By implementing these standards, businesses can reduce their risk of cyber-attacks, data breaches, and other security incidents.
The arrival of Montpellier!
The NCSC published that an updated set of requirements for Cyber Essentials will come into play on the 24th of April 2023. Version 3.1 will be known as Montpellier and replace version 3.0 Evendine. Some of the key changes in the release of Montpellier are listed below.
We’ll start with changes that have been implemented with immediate effect, and have involved a change in assessment of the following questions currently active on the portal:
- A2.4 Please list the quantities of laptops, desktops and virtual desktops within the scope of this assessment.
- A2.6 Please list the quantities of tablets and mobile devices within the scope of this assessment.
The model is no longer required when answering the above questions, the make and operating system will be sufficient. Also, Thin clients must now also be listed with their make and operating system.
This will be beneficial to larger companies that use device management solutions that do not record device models. However, for question A2.8, it is still required to list the make and model for network equipment.
One of the most surprising changes is the easing of Multi Factor Authentication requirements, i.e. applicants cannot fail by choosing not to apply MFA unless additional non-compliant responses have also been submitted.
For BYOD, personal devices of employees, volunteers, trustees, and university research assistants are all in-scope if they access company information or services. Whereas those devices owned by students, MSP administrators, third-party contractors and customers are not in-scope, even if they access company information or services.
The definition of ‘software’ has been updated, which now includes firmware. Following on from this, when it comes to firewalls and routers, the applicant will only need to list the make and model, the specific version of firmware will not be required.
Asset management will now be including in Cyber Essentials, The requirements clarify that asset management doesn’t mean making lists or databases that are never used, it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it.
Clarification on including third party devices, please see below table:
The device unlocking section has been updated to reflect that some configurations cannot be altered because of vendor restrictions. Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign-in attempts. Samsung, possibly the largest provider of smartphones in the world, have set their minimum sign-in attempts at 15, with no option to alter this number. So, in this instance, Cyber Essentials would require that the applicant goes with the minimum number sign-in attempts allowed by the device before locking.
The malware protection section has changed, applicants must ensure that malware protection mechanism is active on all devices in scope. For each device you must use at least one of the options below:
- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet
- Actively approve such applications before deploying them to devices
- Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature
All in all, the release of Montpellier conveys that Cyber Essentials is evolving with the ever changing cyber space, and hopefully continues to be a valuable scheme for businesses looking to improve their cyber security. By implementing the controls required for certification, businesses can reduce their risk of a cyber-attack, enhance their reputation, and gain a competitive advantage.
Let us help you to get certified!
We are an accredited Cyber Essentials Certification Body and have a 100% record of successfully certifying Organisations for Cyber Essentials & Cyber Essentials Plus.
For more information please contact us on 0161 706 0244 or email firstname.lastname@example.org to speak with a member of the team.