Cyber security has changed significantly over the last decade, and the UK Cyber Essentials scheme is changing with it: an updated version of its requirements comes into force this month.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves against the most common cyber threats. It sets out a baseline of technical controls that businesses of any size can adopt to secure their systems and data. The scheme offers two levels of certification: Cyber Essentials and Cyber Essentials Plus. At the basic level an organisation self-assesses its security controls against the scheme's requirements; at the Plus level the same controls are also verified by an independent assessor from a certification body through hands-on technical testing. Certification lets an organisation demonstrate its commitment to cyber security and improves its resilience to attack.
Why the need for change?
Threat actors have become increasingly inventive, developing an extensive array of techniques to execute damaging attacks, and organisations have had to rethink their defences in response. A major contributing factor is the digitisation of data and of everyday activity, which has widened the attack surface. Social media, for instance, has seen a sharp increase in usage, with the average user spending 2 hours and 27 minutes per day on these platforms.
This shift in behaviour has influenced how attackers operate. Instead of primarily targeting networks and defeating perimeter controls such as firewalls, they now focus on individuals and endpoints. This is a logical approach: Verizon's Data Breach Investigations Report found that the human element, whether error, misuse, stolen credentials or social engineering, was involved in more than four out of five breaches. The key takeaway is that threat actors will continue to adapt and exploit whatever weaknesses are easiest to reach.
To counter these evolving threats, cyber security standards have had to keep pace. The UK Cyber Essentials scheme, owned by the National Cyber Security Centre (NCSC), helps organisations protect themselves against these attacks.
What are the changes?
On 23 January 2023, the NCSC published updated Cyber Essentials requirements, which come into force on 24 April 2023.
The new requirements aim to better protect organisations against emerging threats and include:
- Firmware clarification:
The definition of 'software' will now cover only router and firewall firmware rather than all firmware, because applicants have found it difficult to obtain firmware information from other vendors. Router and firewall firmware therefore remains subject to the scheme's patching requirements, while firmware on other devices falls outside them.
- Third-party devices:
The updated guidance clarifies how third-party devices, such as those belonging to contractors or students, should be treated in an organisation's Cyber Essentials application and whether they fall within the scope of the assessment.
- Device unlocking:
The requirement to lock devices and limit unsuccessful unlock attempts is adjusted for devices whose default settings cannot be changed; where a device cannot be configured, its vendor default settings are accepted.
- Malware protection:
Anti-malware software no longer has to be signature-based, which allows heuristic and behaviour-based products to qualify, and the guidance now clarifies which mechanisms are suitable for each type of device. Sandboxing is removed as an option, leaving anti-malware software and application allow-listing as the accepted controls.
- Zero trust architecture guidance:
New guidance supports organisations implementing a zero trust architecture, and the importance of asset management is emphasised further, since controls cannot be applied to devices an organisation does not know it has.
Wider changes are coming
These changes are not exclusive to the NCSC. Cyber insurance providers increasingly require businesses to have a baseline of protective tools and security processes in place before they will provide cover. Professional advisory and legislative bodies worldwide are making similar moves, raising their expectations of the technical measures organisations must deploy.
The UK Telecommunications (Security) Act is one such example. It introduces a new framework of legal duties for UK telecom providers, including identifying and assessing equipment exposed to potential attackers, understanding the risks to their networks, ensuring organisational support for security, defending against malicious signals, and maintaining control over network-wide changes.
The EU has also laid out three new pieces of legislation expected to apply from late 2023 onwards. The first is the EU Data Governance Act (DGA), which sets rules for secure data access and sharing, including re-use of public-sector data. The second is the EU Data Act, which gives users easier access to data generated by their connected devices and allows public-sector bodies to request privately held data in exceptional circumstances such as public emergencies. The third is the EU Artificial Intelligence (AI) Act, which is expected to place restrictions on higher-risk uses of AI.
In the United States, the California Privacy Rights Act (CPRA) came into effect on 1 January 2023, tightening the existing California Consumer Privacy Act (CCPA). The Virginia Consumer Data Protection Act and the Colorado Privacy Act also take effect in 2023, and Utah and Connecticut are introducing new data protection laws this year.
As data protection becomes more critical and the threat landscape more menacing, these changes have been made for good reason. However, the overlapping demands of regulations and frameworks such as PCI DSS, DORA, GDPR, the NIST frameworks and SOC 2 make it increasingly difficult for organisations to implement the necessary controls and demonstrate compliance. Many organisations lack the resources to meet the requirements of schemes like Cyber Essentials and rely on outdated solutions that fall short of what the standards now expect.
How can MSSPs and MDR Providers help?
Managed security service providers (MSSPs) and managed detection and response (MDR) providers can help bridge the growing regulatory and compliance gap. By offering on-demand remote support, these providers help organisations detect, analyse and contain security incidents quickly. They also help organisations achieve and maintain compliance through proactive reporting, auditing and ongoing support.
MSSPs and MDR providers can make a significant difference to organisations with limited resources or overstretched security teams. By providing 24/7 threat detection and an enhanced security stack cost-effectively, they bring real benefits to organisations that choose to outsource part of their security to qualified external vendors.
These providers use current threat intelligence to understand new exploits and attack techniques, and translate that information into actionable recommendations that can be incorporated into an organisation's security setup.
They can also relieve internal security teams of low-value, repetitive tasks, allowing analysts to concentrate on higher-value work.
MDR providers can help organisations strengthen their security strategy, improve compliance with evolving regulations, and align more closely with core guidance such as the Cyber Essentials scheme. They also enable a more effective response to incidents as they emerge. By working with a trusted provider, organisations can address the core risks in their environment and prepare to meet even the most stringent regulatory requirements.
Organisations must remain vigilant and adaptable to meet the challenges posed by sophisticated threat actors. Partnering with an MSSP or MDR provider can help them stay ahead of the curve, achieving and maintaining compliance while improving their overall security posture.
By adopting a proactive, adaptive approach to cyber security and drawing on the expertise of external providers, organisations can better navigate the complexities of the modern threat landscape, safeguarding their digital assets and maintaining the trust of customers, partners and regulators alike.
If you are worried about cyber threats or need help improving your organisation's compliance, please get in touch to find out how you can protect your organisation.