H2 Newsletter - News from the Cyber Security Industry
Trust H2 to deliver services and products that are Appropriate, Affordable and Accreditable


For those of you who either have Cyber Essentials, or are considering getting Cyber Essentials, you need to know that NCSC has just announced changes to the technical requirements as part of a regular review of the scheme’s technical controls. The changes aren’t huge, but they might be significant for some. They are:

· User devices. Except for network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.

· Clarification on firmware. All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.

· Third party devices. More information and a new table clarifying how third-party devices, such as contractor or student devices, should be treated in your application.

· Device unlocking. We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it's now acceptable for applicants to use those default settings.

· Malware protection. Anti-malware software will no longer need to be signature based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

· New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.

· Style and language. Several language and format changes have been made to make the document easier to read.

· Structure updated. The technical controls have been reordered to align with the updated self-assessment question set.

· CE+ testing. The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.


It’s being forecast that the evolving threat landscape will maintain pressure on organizations to broaden and deepen their cybersecurity defences, expand detection capabilities, and improve incident response in 2023. “Ransomware remains the biggest threat to organisations from an operational, financial and brand perspective. But the emergence and abuse of generative AI models, such as ChatGPT, will increase the risk to another level in 2023,” said Matthew Ball, Chief Analyst at Canalys, an independent analyst company. “This will enable and accelerate the creation of malicious code on an industrial scale by more threat actors and increase the frequency and range of attacks. Organizations are already struggling to deal with current threat levels and cannot afford to cut back on spending as it will leave them even more vulnerable. Instead, they will need to work more closely with channel partners to make smarter investments.” An interesting downside to the growth of AI.

This has produced a forecast that spending on cyber security will increase by 13.2%. Now I will admit some scepticism about that figure where it applies to the SME market. SMEs traditionally spend far less on cyber security, pinning all their hopes on a few standard products, such as anti-malware/virus and firewalls. Will this be enough? Frankly no, but given the economic outlook, many will take some convincing.

I hope they don’t have to learn the hard way, and next week I’ll be exploring the continuing threat from Phishing, some very nasty ransomware gangs, and a new threat called SwiftSlicer which looks really nasty.


Finally, a little bit about our forthcoming series of podcasts. I’m interested in dispelling myths and preconceptions and finding out more about the pain points within the SME market regarding cyber security. So, I’d like to invite you to ask me any questions you like about cyber security. Tell me what you find difficult and ask what I think you should do about it. This is no holds barred, let’s be honest with each other. I’ll discuss the questions and answers in a series of podcasts starting in February.

This is about educating people so the more questions the better. It is not my intention to upset anyone, but if answering your question honestly does, then so be it. I think it’s going to be fun!

If you want to ask a question just message me on LinkedIn and I'll collate it all together and let you know when the podcast will be available to listen to.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide please click here: https://www.hah2.co.uk/

Please feel free to give us a call or email

Alternatively, you can book a slot using our Calendly link: https://calendly.com/kevin_hah2

T: 0845 5443742

M: 07702 019060

E: [email protected]

Trust H2 – Making sure your information is secure
