Cyber Essentials Update 2022


What has Changed and Why?


Since its launch in 2014 the government-backed Cyber Essentials scheme has evolved to ensure that it stays effective and provides appropriate protection as cyber threats evolve. Following the recent review by a team of experts, a series of changes has been introduced to keep the scheme current. Here is our summary of the key changes, which apply from 24 January 2022.


Cloud Services are now in scope


This is the biggest and most onerous (but very appropriate) change, with cloud services now fully integrated into the 2022 update. Businesses are now responsible for assessing the cloud services they use against the Cyber Essentials controls and applying those controls wherever possible. Previous iterations of Cyber Essentials assumed, to an extent, that security was handled by the provider and that cloud services were secure by default. Services firmly in scope now include, for example:


  • Electronic ID services and related onboarding services
  • Online search providers
  • Microsoft 365/Office 365
  • Salesforce
  • Hosted Practice Management and Case Management systems


Businesses are now responsible for user access control and the secure configuration of these services, and, where a control can only be applied by the provider (security updates to the platform, for example), for confirming that the provider has applied it.


Devices used for home working are more in scope (but ISP-supplied routers are not)


Any employee who works from home for any amount of time is now classified as a 'home worker'. The devices they use to access organisational information, whether owned by the organisation or personal devices, are in scope for Cyber Essentials. Thin clients also fall into scope when they connect to business information or services.


Prior to this update, one of the key difficulties was trying to secure and configure home routers supplied by ISPs. That requirement has now been transferred to the device itself (PC, laptop, mobile phone, etc.), where a software firewall must be enabled alongside the other relevant protections.


So, the ISP-supplied router is now out of scope, but if the business supplies the router then it is still in scope.


Mandatory Multi-Factor Authentication (MFA)


Multi-factor authentication (MFA) MUST now be used for all accounts when connecting to cloud services, to provide additional protection. Previously MFA was mandatory only for administrator accounts and merely recommended for other accounts.


Unsupported Software


All software installed on in-scope devices must be:


  • Licensed and supported
  • Removed from devices when it becomes unsupported, or taken out of scope by moving it into a defined 'sub-set' that prevents all traffic to and from the internet
  • Set to update automatically where possible
  • Updated, including any manual configuration changes required to make the update effective, within 14 days of an update being released


Organisations now need to apply all high and critical updates to all in-scope systems, without exception.


Passwords


When using passwords, at least one of the following methods must be used to protect against brute-force password guessing:


  • Using multi-factor authentication (MFA)
  • Throttling the rate of unsuccessful or guessed attempts (the scheme allows no more than 10 guesses in 5 minutes)
  • Locking accounts after no more than 10 unsuccessful attempts


Technical controls must be used to manage the quality of passwords. This means at least one of the following:


  • Using multi-factor authentication (MFA) in conjunction with a password of at least 8 characters, with no maximum length restriction
  • A minimum password length of at least 12 characters, with no maximum length restriction
  • A minimum password length of at least 8 characters, with no maximum length restriction, combined with automatic blocking of common passwords using a deny list
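As an added example (our own illustration, not code from the original article or from the NCSC scheme), the following Python implements the two controls just listed: a login throttle that locks an account after ten failures, and a password-quality check that accepts a password under whichever of the three options applies. The lockout duration, the sample deny list and the function names are assumptions; a real deployment would load a large published list of common passwords and would persist the per-account state rather than keep it in memory.

```python
"""Login throttle and password-quality check modelled on the Cyber Essentials
brute-force and password-quality controls. Added example, not the scheme's own
code; lockout length and deny-list contents are assumptions."""
import time
from dataclasses import dataclass

MAX_FAILURES = 10           # scheme: lock after no more than 10 unsuccessful attempts
LOCKOUT_SECONDS = 15 * 60   # assumption: the scheme does not fix the lock duration

# Constructed deny list for the example; a real one holds hundreds of thousands
# of entries and is compared case-insensitively, as below.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success
    locked_until: float = 0  # monotonic timestamp; 0 means not locked


class LoginThrottle:
    """Counts failed logins per account and locks the account after MAX_FAILURES."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the lock window can be tested
        self._accounts = {}          # username -> AccountState (in-memory for the example)

    def attempt(self, username: str, password_ok: bool) -> str:
        """Record one login attempt and return "ok", "denied" or "locked"."""
        st = self._accounts.setdefault(username, AccountState())
        now = self._clock()
        if now < st.locked_until:
            return "locked"          # refuse while locked, even if the password is right
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0          # the counter restarts when the lock expires
            return "locked"
        return "denied"


def password_meets_policy(password: str, mfa_enforced: bool) -> bool:
    """True if the password satisfies one of the three quality options.

    No maximum length is imposed anywhere, as the scheme requires.
    """
    length = len(password)
    if mfa_enforced and length >= 8:
        return True                  # option 1: MFA plus at least 8 characters
    if length >= 12:
        return True                  # option 2: at least 12 characters
    if length >= 8 and password.lower() not in COMMON_PASSWORDS:
        return True                  # option 3: at least 8 characters plus deny list
    return False


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        result = throttle.attempt("alice", password_ok=False)
    print("after 10 failures:", result)                      # locked
    print("Password1 without MFA:", password_meets_policy("Password1", False))  # False
    print("Password1 with MFA:", password_meets_policy("Password1", True))      # True
```

The deny-list comparison is deliberately case-insensitive, because a list that blocks "password1" but admits "Password1" gives an attacker almost nothing to work around; a production deployment would also strip common suffixes before the lookup.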


Smart Devices


All smart phones and tablets connecting to organisational data and services are now in scope when connecting to corporate networks or mobile Internet such as 4G and 5G.


  • Biometrics or a minimum password/PIN length of 6 characters must be used to unlock a device.
  • The scope of an organisation must also include end user devices.
  • There is a grace period of 12 months to allow organisations to make the necessary changes for the following requirements:
      • MFA for admin accounts applies from Jan 2022; MFA for all other users will be marked for compliance from Jan 2023.
      • Support and updates on thin clients will be marked for compliance from Jan 2023.
      • Removal of unsupported software from scope will be marked for compliance from Jan 2023.


__________________________________


To explore what steps your practice should take now to protect itself from cyber threats, and to ensure that you can comply with these new requirements, get in touch with Frank Manning at Carton & Co. A preliminary discussion in confidence, with no commitment, will cost you nothing and could save you and your colleagues financial loss, damage to your reputation and the stress that comes with every breach.


Email: fmanning@cartonconsultants.com


Tel: 07778 572420


Or, you can schedule a 30-minute appointment with Frank at a time that works for you.

