Cyber Essentials & Infrastructure Recommendations
25th May 2022 In News By Scott Thornhill

This year the National Cyber Security Centre (NCSC) has introduced an update to the Cyber Essentials scheme, reforming its set of requirements. The update is the biggest revamp of the scheme since its launch in 2014. It responds to the evolving challenges posed by cyber attackers and to the growing issues organisations face as a result.

Remote Working & The Cloud  

In recent years a more flexible approach to work has been introduced: companies now allow employees to use their own devices for work and to access organisational data and services from them. Personal devices add complexity, because this freedom makes it hard for organisations to apply consistent controls over how data is used. Home working brings the same challenge, as home routers are treated as out of scope and can be targeted by attackers. Cyber Essentials has therefore been updated to advise that protection must be applied on the device itself rather than on the home network, or that a VPN must be used.

The new update places a lot of emphasis on organisations that use the cloud to store and back up data. It states that it is the applicant's responsibility to ensure all the controls are implemented, with the exception of those that the cloud service provider appropriately carries out. The update brings cloud services into the scope of Cyber Essentials. The table below shows who is responsible for each control.

IaaS: Infrastructure as a service, e.g. Rackspace, Google Compute Engine, Amazon EC2
PaaS: Platform as a service, e.g. Azure Web Apps, Amazon Web Services Lambda
SaaS: Software as a service, e.g. Microsoft 365, Dropbox, Gmail

Requirement                | IaaS                              | PaaS                                       | SaaS
---------------------------+-----------------------------------+--------------------------------------------+----------------------------------
Firewall                   | Both applicant and cloud provider | Cloud provider and sometimes the applicant | Cloud provider
Service configuration      | Both applicant and cloud provider | Both applicant and cloud provider          | Both applicant and cloud provider
User access control        | Applicant                         | Applicant                                  | Applicant
Malware protection         | Both applicant and cloud provider | Cloud provider and sometimes the applicant | Cloud provider
Security update management | Both applicant and cloud provider | Both applicant and cloud provider          | Cloud provider

Firewalls 

All devices run network services, which communicate with other devices and services. An effective firewall strategy secures this communication by restricting access to those services, reducing the exposure to potential attacks. Network devices such as boundary firewalls restrict inbound and outbound traffic to services on the infrastructure. These restrictions (known as firewall rules) allow or block traffic according to its source, its destination and the communication protocol used.

Alternatively, a software firewall must be configured on a device when the network it connects to is untrusted. This works on the same principle as a boundary firewall but covers only one device. The approach allows the firewall rules to be tailored to the device, which can be more effective, but it brings a much larger administrative burden of setting up and managing rules on an individual basis.

For all firewalls (or equivalent network devices), the applicant organisation must routinely change any default passwords to a complex alternative, or disable remote administrative access entirely. Applicants must prevent access to the administrative interface (used to manage the firewall configuration) from the internet unless there is a clear and documented business need and the interface is protected by controls such as multi-factor authentication or an IP allow list that limits access to a small range of trusted addresses.

Applicants must also block unauthenticated inbound connections by default and ensure that inbound firewall rules are approved and documented by an authorised individual; auditing the firewall policy and rules makes them easier to maintain and more effective overall. As mentioned earlier, keeping what is exposed to a minimum is an essential part of the Cyber Essentials scheme, so make sure unnecessary firewall rules are removed promptly once they are no longer needed, and use a software firewall on devices that are used on untrusted networks such as public Wi-Fi hotspots.
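The inbound policy described above (default deny, every allow rule documented with an approver, and the administrative interface reachable only from a small trusted range) as an added worked example; this is illustrative code written for this article, not part of the scheme or any firewall product, and the port, addresses and approver name are constructed.

```python
"""Boundary-firewall rule evaluation with the Cyber Essentials defaults:
unauthenticated inbound traffic is blocked unless a documented, approved rule
allows it, and the administrative interface is reachable only from a small
allow list of trusted addresses.  Added example; ADMIN_PORT, the addresses and
the approver are constructed for illustration, not taken from any product."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ADMIN_PORT = 8443   # hypothetical management-interface port


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    source: str               # CIDR range the rule applies to
    dest_port: Optional[int]  # None means any port
    protocol: str             # "tcp", "udp" or "any"
    approved_by: str          # named approver, required for every allow rule


def validate_rules(rules: List[Rule]) -> List[str]:
    """Return policy problems: undocumented allows, or admin exposed to all."""
    problems = []
    for r in rules:
        if r.action == "allow" and not r.approved_by:
            problems.append(f"allow rule for port {r.dest_port} has no approver")
        if (r.action == "allow" and r.dest_port == ADMIN_PORT
                and ipaddress.ip_network(r.source).prefixlen == 0):
            problems.append("admin interface allowed from the whole internet")
    return problems


def evaluate(rules: List[Rule], src_ip: str, dest_port: int, protocol: str) -> str:
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr not in ipaddress.ip_network(r.source):
            continue
        if r.dest_port is not None and r.dest_port != dest_port:
            continue
        if r.protocol != "any" and r.protocol != protocol:
            continue
        return r.action
    return "block"


# Constructed inbound policy: public HTTPS, admin interface only from a trusted /29.
INBOUND_RULES = [
    Rule("allow", "0.0.0.0/0", 443, "tcp", "network-admin"),
    Rule("allow", "203.0.113.0/29", ADMIN_PORT, "tcp", "network-admin"),
]
```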

These requirements ensure that only safe and necessary network services can be accessed from the internet, whatever type of device you are working on and whether or not you are working remotely. A strong firewall policy also stops many attacks before they start, acting as your first line of defence against cyber-attacks.

Secure configuration 

Hardware and software are not at their most secure on default settings, such as predetermined IDs and passwords, accounts that sometimes carry special access privileges, and preinstalled but unnecessary applications or services. Because these settings are predetermined, they are often known to attackers, or at least easy for them to discover, and they give attackers a variety of opportunities to gain unauthorised access to an organisation's sensitive information.

The applicant must actively manage its computers and network devices. It must routinely remove or disable unnecessary user accounts (such as guest accounts and administrative accounts that will not be used) to keep the infrastructure as organised and minimal as possible. Applicants are required to change any default or guessable account passwords, and to remove or disable unnecessary software (including applications, system utilities and network services) for a more secure and efficient configuration. Applicants must disable any auto-run feature that allows files to open or be downloaded without authorisation, to reduce the risk of unauthorised access.

Another way to reduce the risk of unauthorised access is to ensure users are authenticated before they are allowed access to organisational data or services. The ability to unlock a device, whether by biometrics, password or PIN, must be protected against brute-force attack, either by implementing software that makes users wait between login attempts after several failed attempts (known as throttling) or by implementing a rule that locks the device after no more than 10 unsuccessful attempts.

The new Cyber Essentials update requires at least one of these to be used to protect the device. Technical controls must be used to manage the quality of credentials: where credentials are used solely to unlock a device, a minimum password or PIN length of at least 6 characters must be enforced to protect against direct password guessing.
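The device-unlock controls above (throttling after several failures, lockout at no more than 10 failures, minimum 6-character unlock credential) as an added worked example written for this article, not code from the scheme; the class name, the choice of 3 failures before throttling starts, and the doubling delay are assumptions, and the secret is held in memory only so the example runs stand-alone (a real implementation compares against a stored hash).

```python
"""Brute-force protection for device unlock as the Cyber Essentials secure
configuration requirement describes it: a PIN or password used only to unlock
must be at least 6 characters, failed attempts are throttled, and the device
locks after no more than 10 unsuccessful attempts.  Added example; names and
tuning values are hypothetical, and the clock is injectable so the behaviour
can be exercised without real waiting."""
import hmac
import time

MIN_UNLOCK_LENGTH = 6     # minimum PIN/password length when used only to unlock
THROTTLE_AFTER = 3        # "several" failures before throttling starts (assumed)
BASE_DELAY_SECONDS = 2.0  # first wait; doubles with each further failure (assumed)
MAX_DELAY_SECONDS = 300.0
MAX_FAILURES = 10         # lock at the 10th failure, never later


def throttle_delay(failures: int) -> float:
    """Seconds the user must wait after the given number of consecutive failures."""
    if failures < THROTTLE_AFTER:
        return 0.0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - THROTTLE_AFTER), MAX_DELAY_SECONDS)


class UnlockGuard:
    def __init__(self, stored_secret: str, clock=time.monotonic):
        if len(stored_secret) < MIN_UNLOCK_LENGTH:
            raise ValueError(f"unlock credential must be at least {MIN_UNLOCK_LENGTH} characters")
        self._secret = stored_secret.encode()   # illustration only; store a hash in practice
        self._clock = clock
        self.failures = 0
        self.locked = False
        self._not_before = 0.0

    def attempt(self, candidate: str) -> str:
        """Return 'ok', 'denied', 'throttled' or 'locked'."""
        if self.locked:
            return "locked"        # only an administrator can reset a locked device
        now = self._clock()
        if now < self._not_before:
            return "throttled"     # rejected before the secret is even compared
        if hmac.compare_digest(self._secret, candidate.encode()):
            self.failures, self._not_before = 0, 0.0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        self._not_before = now + throttle_delay(self.failures)
        return "denied"
```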

The objective of an effective secure configuration strategy is to reduce the level of vulnerability when a device is first introduced to the network, and also to make sure the device provides only the services required to fulfil its role, so that any weak points in the standard, out-of-the-box configuration are addressed.

User Access Control

Every employee in an organisation has access to devices, networks and applications that can hold sensitive information. Cyber Essentials now requires organisations to assess their business and ensure that only authorised individuals have the appropriate visibility, with only the permissions needed to perform their role.

Where needed, some accounts will have special access privileges: enhanced access to business information, or the ability to create other accounts, change software or the operating system, and change security permissions. When such accounts are compromised, they can be exploited to cause large-scale damage and theft.

The applicant must manage all user accounts and the permissions granted to them, so that each account has access only to the data it needs. All accounts must be approved at the point of creation, and each account must be protected by a password personal to the individual as soon as the account is issued. Accounts that are no longer needed must be removed, for example when someone leaves the business or after a certain period of inactivity, and accounts must be amended when roles change or certain visibility is no longer needed. The NCSC strongly advises the use of multi-factor authentication (MFA) wherever possible, and it is an essential requirement whenever the cloud is used. Use separate accounts for administrative activities only.

As mentioned earlier, all user accounts require the user to authenticate with a password. As cybercrime is forever evolving, the NCSC suggests using the device-locking measures mentioned above (throttling, locking devices after 10 attempts and so on), managing the quality of passwords effectively (using rules such as a minimum password length of at least 8 characters with no maximum length restriction, and automatic blocking of common passwords using a deny list), and educating and encouraging staff to generate complex, unique passwords and to change a password if it has been, or is suspected to have been, compromised.
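The password quality rules just listed (at least 8 characters, no maximum length, common passwords blocked by a deny list) as an added worked example written for this article, not code from the scheme; the deny list is a short constructed sample, and the variant matching that folds case and strips trailing digits or punctuation before the deny-list lookup is an extension assumed here, not something the scheme specifies.

```python
"""Password quality checks from the Cyber Essentials user access control
requirement: at least 8 characters, no maximum length, and common passwords
rejected via a deny list.  Added example; COMMON_PASSWORDS is a constructed
sample and the normalisation before the deny-list lookup is an assumption."""
import re
from typing import List, Set

MIN_PASSWORD_LENGTH = 8   # no maximum length is enforced anywhere below

# Constructed sample; a real deployment loads a much larger published list.
COMMON_PASSWORDS: Set[str] = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "football", "12345678",
}

_TRAILING_NOISE = re.compile(r"[\d\W_]+$")


def _normalise(candidate: str) -> str:
    """Case-fold and drop trailing digits/punctuation so that a variant such as
    'Password1!' is looked up as 'password' (assumed extension of the rule)."""
    return _TRAILING_NOISE.sub("", candidate.casefold())


def check_password(candidate: str, denylist: Set[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if candidate.casefold() in denylist or _normalise(candidate) in denylist:
        reasons.append("matches a common password on the deny list")
    return reasons


def is_acceptable(candidate: str) -> bool:
    """True when the candidate passes every rule above."""
    return not check_password(candidate)
```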

As well as providing extra protection for passwords that are not protected by other technical controls (above), multi-factor authentication should always be used to provide additional protection to administrative accounts, and accounts that are accessible from the internet. There are four types of additional factor that may be considered: 

  • a managed/enterprise device  

  • an app on a trusted device  

  • a physically separate token  

  • a known or trusted account  

The objective of a strong user access control strategy, and why it is so important for Cyber Essentials, is that it ensures accounts are assigned to the correct individuals and provide exactly the access needed to do the job. By limiting each account to only the information it needs, you reduce the risk of information being stolen or damaged.

Malware Protection  

Malware, such as computer viruses, is software written and distributed deliberately to perform malicious actions. It can arrive by email, by download, or through direct installation of unauthorised software. The aim of malware is to disrupt business activities and steal data. It is important to avoid the potential damage by detecting and disabling malware before it does real harm, or by putting measures such as allow listing and sandboxing (executing untrusted software in a controlled environment) in place.

The applicant must implement a malware protection strategy on all devices that are in the infrastructure. For each such device, the applicant must use at least one of the following: 

  • Anti-malware software: the software must be kept up to date (with definition files updated daily), must scan files and websites automatically when they are accessed, and must prevent connections to malicious websites.

  • Application allow listing: only approved applications, restricted by code signing, are allowed to execute on devices; approval is required, a current list is maintained, and no application is approved if it is suspicious.

  • Application sandboxing: improves security by isolating and shielding the application from outside intruders or malware. It is also used where system resources or other applications must be prevented from interacting with the protected app.

Executing software downloaded from the internet can expose a device to malware infection, so an effective malware protection strategy helps restrict the execution of known malware and untrusted software, preventing harmful code from causing damage or accessing sensitive data.

Security Update Management 

Any device, regardless of age or brand, can contain security flaws, better known as vulnerabilities. Once attackers spot them, these weaknesses can be used to gain unauthorised access.

The applicant must ensure all software used in the infrastructure within scope is:

  • Kept up to date (most recent) 

  • Licensed and supported 

  • Removed once it becomes unsupported  

  • Updated, including applying any manual configuration changes required to ensure all identified vulnerabilities are patched.

Applicants need effective security update management to ensure that devices and software are not vulnerable to known security issues for which fixes are available. Criminals constantly develop the ways they attack networks, so continual management of security updates helps organisations stay as secure as possible.

Backing up your Data  

Backing up means creating a copy of your information and saving it to another device or to cloud storage (online), so that you always have a recent version of your information saved. This helps you recover more quickly if your data is lost or stolen. You can also turn on automatic backup, which regularly saves your information to cloud storage without you having to remember. If you back up to a USB stick or an external hard drive, disconnect it from your computer when a backup is not in progress, and make sure it is encrypted for added protection in case of theft, damage or loss. Backing up your data is not a technical requirement of Cyber Essentials; however, we highly recommend implementing an appropriate backup solution.

For more information on the new Cyber Essentials update and how it may affect your business or current application, please visit https://www.ncsc.gov.uk/cyberessentials/faqs#section_2