How will the UK Cyber Essentials Scheme change in April 2023?


Cybersecurity has been subject to a wave of change over the last decade, and that change is reflected in the latest update to the UK Cyber Essentials Scheme

Threat actors have developed extremely innovative ways of performing devastating attacks – an expanding arsenal of techniques that has forced a rethink in how organisations develop and deploy their defence strategies.

Digitalisation has played no small part in this changing dynamic. Today, more data is online, meaning more data is exposed. Take social media as an example: in 2010, use of such platforms was measured in hours per month, whereas the average user today spends 2 hours and 27 minutes a day on them.

Changing behaviours such as these have influenced how attackers operate. Where previously nefarious actors had been primarily focused on targeting networks by devising ways to overcome security solutions such as firewalls, they are now targeting individuals and endpoints much more frequently.

It’s a logical approach for them to take. Indeed, Verizon’s latest Data Breach Investigations Report shows that the human element (errors, misuse and social engineering such as phishing) is a factor in more than four out of five breaches.

However, the key takeaway here is that threat actors will continue to adapt to find what works. When one vulnerability is addressed, they will look for another.

Updates to the UK Cyber Essentials Scheme

For this reason, cyber regulations have had to evolve.

Indeed, several notable changes are happening this year that organisations need to be aware of to stay on top of their compliance and regulatory obligations.

Take the UK Cyber Essentials scheme, run by the National Cyber Security Centre (NCSC) and designed to help organisations protect themselves against the most common cyberattacks. On 23 January 2023, an updated set of requirements was published, advising organisations to realign their security practices to better protect themselves against current threats; these come into force on 24 April 2023.

According to the NCSC, some of the key updates include:

  1. Clarification on firmware: At present all firmware falls within the definition of ‘software’ and so must be supported and kept up to date. Because of difficulties in obtaining update information from vendors, this will be narrowed to router and firewall firmware only.
  2. Third-party devices: The requirements will clarify how third-party devices, such as contractor or student devices, should be treated in an application.
  3. Device unlocking: Changes will mitigate issues where some default unlocking settings on devices cannot be configured.
  4. Malware protection: Anti-malware software will no longer need to be signature-based, and clarification has been added on which protection mechanism is suitable for each type of device. Sandboxing is being removed as an option.
  5. Guidance on zero trust architecture: Support will be provided to help firms adopt a zero trust approach, and the importance of asset management is being further emphasised.

Changes in cyber compliance are widespread

Critically, major changes in guidance are not exclusive to the NCSC.

Interestingly, cyber insurance providers are also driving greater governance. As attacks advance and their impacts grow, insurance companies have had to become more pragmatic, requiring businesses to have a baseline of protection, tools and security processes in place before they will even consider offering coverage.

Further, we’re seeing similar moves being made by other professional advisory and legislative bodies across the globe that are equally raising their expectations of organisations in deploying appropriate technical measures.

The UK Telecommunications (Security) Act is a prime example. Where UK telecom providers had previously, to a large extent, been able to set their own security standards, that changed when the Act’s accompanying regulations and code of practice came into force in October 2022.

From the first compliance deadline in March 2024, which applies to the largest providers, telcos will be required to meet the legal duties specified, including:

  • The identification and assessment of any equipment that is, or could be, directly exposed to potential attackers.
  • Having a good understanding of the risks faced by their networks.
  • Ensuring that the organisation is properly supporting security by having security champions and making boards and leadership accountable.
  • Defending against malicious signals coming into a network which could disrupt services.
  • Maintaining tight control over who can make network-wide changes.

Similarly, the EU has laid out three new regulations which are expected to start applying from the latter stages of 2023 onwards. The first is the EU Data Governance Act (DGA), which focuses on the governance of data access and sharing, in particular the reuse of protected data held by the public sector. It introduces safeguards for the transfer of such non-personal data and will require public sector bodies to identify that data, where it is stored and how it is being used.

Second is the EU Data Act, which will give users of connected devices easier access to the data those devices generate and will allow public sector bodies to access private sector data in cases of exceptional need, such as natural disasters and other public emergencies. Alongside these is the EU Artificial Intelligence (AI) Act, which takes a risk-based approach and is likely to prohibit some uses of AI outright while placing obligations on high-risk applications.

Over in the United States, the California Privacy Rights Act (CPRA) came into effect on 1 January 2023, introducing stricter amendments to the existing California Consumer Privacy Act (CCPA). The Virginia Consumer Data Protection Act and the Colorado Privacy Act also take effect in 2023, and both require organisations to provide consumers with an opt-out process. At the same time, Utah and Connecticut will bring new consumer data privacy laws into force this year.

Considering support for complex regulations

These changes are indicative of the fact that data protection is becoming increasingly important, and that the threat landscape is growing more hostile.

They are being instated for good reason. However, as regulators develop more complex requirements, from PCI DSS to DORA, the GDPR, the NIST frameworks, SOC 2 and beyond, organisations find it increasingly difficult to implement the controls needed to achieve overall compliance.

Yes, schemes such as the UK Cyber Essentials Scheme are there to help firms. Yet many lack the staff and resources to align with their requirements, relying on ineffective and outdated solutions that do not meet regulatory requirements. With organisations already on the back foot and regulations only set to evolve further, this is a key challenge.

Here, support from a managed security service provider (MSSP) or managed detection and response (MDR) provider can help to bridge this ever-expanding regulatory/compliance gap.

Specifically, MSSPs and MDR providers offer enterprises a way to benefit from cutting-edge security technologies and expertise without the costly subscriptions and wage bills that would be needed to develop the same level of security maturity in-house.

Rapidly detect, analyse and contain security incidents

By offering organisations on-demand support remotely, service providers can help their customers rapidly detect, analyse and contain security incidents, either directly or through meticulous and detailed guidance.

They’re not just helpful for combatting threats, however. Equally, MDR providers and MSSPs help organisations achieve and sustain cybersecurity compliance by giving them full visibility of their security environment through proactive reporting, auditing and remote support.

Transforming security compliance with MSSPs and MDRs

Any static cyber security strategy will become outdated and obsolete quickly, making it imperative that organisations work to improve and upgrade their defences continuously. For cash-strapped entities (such as government bodies or those in the public sector) and already pressurised security teams, however, this is easier said than done.

It is here that MSSPs and MDRs can have the greatest impact, acting as an expert extension of the in-house security team.

By offering 24/7 threat detection alongside an enhanced security stack in a cost-effective manner, a qualified external vendor can deliver numerous benefits to an organisation that partially outsources its security.

An effective provider will leverage the latest threat intelligence data to understand new exploits and attacks, translating this into actionable recommendations that can be incorporated into your security setup. Not only that, but MDRs and MSSPs will further ease the load on internal security teams by eliminating the need to manage low-value, repetitive tasks, freeing analysts up to focus on higher-value activities.

In this sense, MDRs can help organisations dramatically enhance their security strategy, improve compliance with changing regulations and alignment with core guidance (such as the UK Cyber Essentials Scheme), and better respond to incidents as and when they emerge.

By working with a trusted provider, you can combat the core risks in your environment and prepare to align effectively with the most stringent regulatory requirements.


Written by Carl Shallow, Director of Compliance, Risk and Assurance (CRA), Integrity360
