Cyber ​​​​essentials – key changes

Regardless of specialisation, size or location, every UK law firm is a potential target for cybercriminals and as cyber threats continue to evolve it is more important than ever to be prepared. This is one of the reasons why the Cyber ​​Essentials made a number of changes to the requirements to ensure that all businesses, not just law firms, are fully equipped to prevent and protect against cybercriminals in the event of a cyberattack.

What is the Cyber ​​Essentials program?

Backed by government and industry, the Cyber ​​Essentials program was launched in 2014 to help organizations protect against a range of common cyberattacks.

As stated in our Waging war on cybercrime e-book, cybersecurity should be an essential part of your business strategy, regardless of the size or industry in which you operate. Cyberattacks are multiplying and becoming increasingly sophisticated. As such, it is extremely important to implement measures to prevent your business from falling victim to cybercrime.

A set of core technical controls, the Cyber ​​Essentials program allows your business to achieve two levels of certification: Cyber ​​Essentials and Cyber ​​Essentials Plus. The first is a self-assessment option that provides protection against the most common cyberattacks. The latter is an extension of Cyber ​​Essentials and stipulates that a practical technical verification is carried out.

What changes have been made to the plan?

Six areas of the program have been updated and are some of the biggest changes we’ve seen since its initial launch. Major changes include the following.

Cloud services

If your company’s data or services are hosted on a cloud service, you are now responsible for ensuring that all Cyber ​​Essentials technical controls are implemented. Cloud service definitions have been added to Information as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service.

Multi-factor authentication (MFA)

Cyber ​​Essentials states that Multi-Factor Authentication (MFA) should be used to provide an additional layer of protection to administrator accounts when the user logs into any cloud service. The MFA password must be at least eight characters. This will apply to all accounts in 2023.

Work at home

If your company has adopted a hybrid working model or if any of your employees work from home, any devices they use to access company information or services fall under the purview of Cyber ​​Essentials. The same goes for dumb terminals.

Using a corporate VPN will forward the boundary to the corporate firewall or virtual cloud firewall. A corporate VPN allows you to provide your employees with access to a secure end-to-end encrypted connection to all cloud resources included in your corporate network.

Smart devices

Any smartphone or tablet used to connect to your company’s data and services now falls within the scope of Cyber ​​Essentials. This also applies whenever the user wishes to connect to the company network or via 4G or 5G mobile internet.

When unlocking any device, biometrics or a minimum six-character PIN must now be deployed.

Software not supported

Any software used on an affected device must be:

  • licensed and supported
  • removed from the device if no longer supported, and
  • removed from scope or separated from the main network using a defined “subset” to prevent all traffic to and from the internet

Additionally, automatic updates should be enabled and the user should update their device within 14 days of the release of any update.

Separation of accounts

Separate accounts should only be used to perform administrative activities. By doing so, the account will remain separate from any avoidable risk such as emailing or web browsing.


If you have questions about changes to Cyber ​​Essentials, want help obtaining Cyber ​​Essentials certifications, or would like a copy of our Waging war on cybercrime e-book, the etiCloud team can help you. Call 0333 358 2222 or email [email protected] and we’ll help you get started.