
Tuesday, January 18, 2022
Good news: doing the cyber security basics just got harder

A recent announcement by IASME (the consortium licensed by the UK’s National Cyber Security Centre, NCSC, to deliver and operate the self-assessed Cyber Essentials scheme and its externally validated sibling, Cyber Essentials Plus) of changes to the CE/CE+ scheme shows a clear UK Government concern to ensure that the scheme’s coverage keeps pace with the evolution of the cyber threats faced by businesses.

The changes widen and deepen the scope and coverage of the standard, close off loopholes, and remind us all that the basics, however unexciting, are critically important to get right. A welcome update, and a stark reminder that most breaches happen because we do not do the basics well enough.

Detail

The Cyber Essentials toolkit has just been through a bit of an overhaul. In addition to IASME issuing a marine variant of the Cyber Essentials scheme, they have just announced some tightening of the basics to make the standard fit for the future. The dedicated reader can find the update statement on the IASME website.

For those short of time, the following observations are of note:

  • Multi-factor authentication is far more important now than ever, and there are some important improvements to the guidance on passwords
  • Don’t assume that out-of-the-box cloud services are safe; make sure that the security controls you want are actually in place
  • Safety- and security-critical updates and patches must be applied within 14 days (and that’s a maximum)
  • Outdated or unsupported software must be removed from systems within 14 days of it going out of support, or be fully isolated from the Internet
  • Admin accounts must not be used for any day-to-day tasks with connectivity to the Internet, such as email or web browsing
  • All end-user devices, including bring-your-own devices, are now in scope
  • Devices you use at home to access corporate resources are also in scope
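Two of the requirements above, the 14-day patching deadline and the 14-day limit for unsupported software that is not isolated from the Internet, lend themselves to an automated check against a software inventory. The script below is an added example, not IASME or Astaara code; the inventory records, device names and review date are constructed for illustration.

```python
from datetime import date, timedelta

# Thresholds from the updated Cyber Essentials requirements summarised above.
PATCH_WINDOW = timedelta(days=14)        # critical updates applied within 14 days of release
UNSUPPORTED_WINDOW = timedelta(days=14)  # unsupported software removed or isolated within 14 days
AS_OF = date(2022, 1, 18)                # review date for the sample run (constructed)

# Constructed sample inventory (not real data): one row per software item on an in-scope device.
SAMPLE_INVENTORY = [
    {"device": "laptop-02", "software": "OS build", "released": date(2022, 1, 1),
     "applied": None, "end_of_support": None, "isolated": False},
    {"device": "laptop-03", "software": "browser", "released": date(2021, 12, 1),
     "applied": date(2021, 12, 20), "end_of_support": None, "isolated": False},
    {"device": "bridge-pc", "software": "legacy chart viewer", "released": None,
     "applied": None, "end_of_support": date(2021, 12, 20), "isolated": False},
    {"device": "engine-hmi", "software": "vendor HMI", "released": None,
     "applied": None, "end_of_support": date(2021, 12, 1), "isolated": True},
]

def patch_gap(row, today):
    # A finding if a critical patch was applied late or is still outstanding past the deadline.
    released, applied = row["released"], row["applied"]
    if released is None:
        return None
    deadline = released + PATCH_WINDOW
    if applied is None:
        if today > deadline:
            return f"critical patch outstanding, {(today - deadline).days} days past the 14-day deadline"
        return None
    if applied > deadline:
        return f"critical patch applied {(applied - released).days} days after release (limit 14)"
    return None

def support_gap(row, today):
    # A finding if software is more than 14 days out of support and still Internet-connected.
    eos = row["end_of_support"]
    if eos is None or row["isolated"] or today <= eos + UNSUPPORTED_WINDOW:
        return None
    return f"unsupported for {(today - eos).days} days and not isolated from the Internet"

def find_gaps(inventory, today):
    # Collect (device, software, reason) for every row that breaches a requirement.
    findings = []
    for row in inventory:
        for check in (patch_gap, support_gap):
            reason = check(row, today)
            if reason:
                findings.append((row["device"], row["software"], reason))
    return findings
```

Run `find_gaps(SAMPLE_INVENTORY, AS_OF)` to list the three non-compliant rows; the isolated HMI passes because isolation is the permitted alternative to removal.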

That’s the good news?

The Cyber Essentials scheme is a very good starting point for organisations to assess their cyber posture. While it’s relatively basic, that’s the point: it covers the important bases and goes a long way to reducing some of the most obvious risks and vulnerabilities that are usually exploited by the hacking fraternity.

In fact, it is not that basic – indeed it is quite subtle.  A lot of thought has gone into it – and while many organisations try to kid themselves in their self-assessments that they are fully compliant, it is well enough designed to make it very clear – as clear to a self-assessor as it is to an external assessor – where they are coming up short. 

The fact that it has got more complete is in fact a welcome development, since it shows that cyber threats evolve over time and that to take this stuff seriously, organisations have to move with that evolution. Doing cyber essentials properly is not an easy option, and the fact that there are stiffer requirements shows Boards, companies and organisations that the threat is not static and will continue to mutate and evolve.

Doing cyber essentials or cyber essentials plus will not make you immune from cyber attack. But it will make the hacker’s life more difficult.  And Amen to that.

Author: Bill Egerton, Astaara’s chief cyber officer