News

Version 3.2 of the NCSC’s Cyber Essentials standard (IASME codename Willow) will go live from 28-April-2025. This version sees improved question wording and links to additional guidance. An important technical update is the acceptance of passwordless authentication. Checkout the NCSC’s Cyber Essentials v3.2 requirement document here.

Whilst the scope of Cyber Essentials Plus is exactly the same as Cyber Essentials, testing CE+ sees some interesting changes:

• The scope of the CE assessment must be verified by the Assessor.
• When the scope is not ‘whole organisation’, the Assessor must verify that any sub-sets have been segregated correctly.
• The Assessor must verify that the device sample size has been calculated correctly using the method determined by IASME.
• Instead of referring to ‘patches’ the new term is ‘Vulnerability Fixes’ which include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.

The NCSC’s updated Cyber Essentials Plus Test specification, can be found here.

The NCSC have published their annual review for the period Sep 2023 to Aug 2024. The report has a lot to say of interesting news and statistics about Cyber Essentials and the Cyber Advisor (Cyber Essentials) scheme. The report also mentions the NCSC’s Active Cyber Defence services, which we’d recommend to any/all organisations.

If you’re based in Somerset, Devon or Gloucestershire and are looking for cyber security advice, guidance and implementation, please get in touch.

The National Cyber Security Centre have published a blog marking the 10 year anniversary of Cyber Essentials. The blog highlights that organisations with Cyber Essentials certification are 92% less likely to make a cyber-insurance claim compared to those without it – which is an impressive statistic!

IASME have also published their own anniversary booklet, which rightly describes the scheme as “A minimum standard for cyber security”. A key statistic from the brochure is that 89% of Cyber Essentials certified organisations would recommend certifying to Cyber Essentials to other organisations like theirs – another great endorsement!

The NCSC’s Cyber Advisor Scheme has been with us for some time now. The scheme aims to provide small to medium sized organisations with cyber security advice and support. The Cyber Advisor Scheme is operated by IASME, the NCSC’s partner. The initial focus of the scheme is to help organisations implement the technical controls defined by the Cyber Essentials scheme.

To become a Cyber Advisor (Cyber Essentials) the advisor must work for an NCSC assured service provider and pass an assessment which evaluates:

• Knowledge and understanding of the Cyber Essentials’ technical controls.
• Competence in providing practical, hands-on support.
• Ability to understand and work with small and medium sized organisations.

The Cyber Advisor assessment is not a trivial exercise and the current pass rate is only around 50%. Whilst many candidates are technically competent, they often struggle with the consultancy skills aspect of the assessment.

Consult MB Ltd, with its roots in cyber security consultancy and status as a Cyber Essentials Certification Body, has developed a 1-day training course for potential Cyber Advisors. This course covers the technical requirements and consultancy skills needed, aiming to prepare candidates for the Cyber Advisor assessment.

The training course is delivered in-person, but can also be offered as an on-line webinar. If you are interested in preparing for the assessment by attending the 1-day course, please get in touch via our contact form.

From 1^st April 2024 the cost of Cyber Essentials (and IASME Cyber Assurance) certification will increase. Pricing still operates on a tiered structure, determined by the number of employees.

Organisation Size	Current Price (ex VAT)	New Price (ex VAT)
Micro (0-9 employees)	300	320
Small (10-49)	400	440
Medium (50-249)	450	500
Large (250+)	500	600

Vade, an organisation providing threat detection and response, recently published its annual “Phishers’ Favorites” report for 2023. In its list of the top 20 most impersonated brands in phishing attacks, the Facebook brand came top, followed by Microsoft. Other brands well known to UK audiences, included Amazon, PayPal, Instagram, Google, WhatsApp and Netflix.

Phishing attacks using social media brands saw the largest increase rising by more than 113% year-on-year. Alongside the rise in phishing using social media brands, financial services was the most impersonated sector with a number of banks, credit card providers, and PayPal in the top 20 impersonated list.

The 2023 Data Breach Investigations Report by Verizon highlighted that human error remains the leading cause of data breaches with 74% of all breaches associated with such errors. Phishing awareness training must be at the front line of cyber defences.

If you would like to know more about Cyber awareness training, please get in touch.

America’s Cybersecurity and Infrastructure Security Agency (CISA) put out an advisory in December 2023 (see https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a) which detailed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) of the ALPHV Blackcat ransomware as a service (RaaS). Additionally, the advisory goes on to provide useful incident response guidance and potential mitigations.

What stands out, though, are the summary actions listed as:

• Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
• Prioritize remediation of known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords.
• Close unused ports and remove applications not deemed necessary for day-to-day operations.

Whilst the National Cyber Security Centre (NCSC) Cyber Essentials scheme does not mandate an inventory, it does state that asset management should be considered as a core security function. In all other respects the CISA summary actions are explicitly addressed by Cyber Essentials requirements. It’s good to see this consistent approach between leading cyber security agencies.

If you’re looking for a trusted cyber security partner, are based in the UK and interested in the NCSC’s Cyber Essentials scheme, or are based overseas and interested in the IASME Cyber Baseline scheme, please contact us.

A recent report by the cyber insurance company Covus reveals that threat actors are switching tactics to compromise their victims with ransomware, with more insurance claims arising from attackers exploiting vulnerabilities rather than using phishing emails.

The report says that vulnerability exploitation rose as an initial access method from <5% of ransomware claims in the second half of 2022 to about 30% in the first half of 2023.

Whilst threat actors have exploited zero-day vulnerabilities this year, especially in file transfer software (e.g. MOVEit), the key defence against vulnerability exploits is to stay up to date with your patching.

For very good reasons, patching is a key requirement of the Cyber Essentials scheme.

If you would like to know more about Cyber Essentials, please get in touch.

Consult MB Ltd is pleased to announce that we have become licensed to assess the international IASME Cyber Baseline security standard.

IASME Cyber Baseline, available only for companies outside of the UK, covers fundamental but vital cyber security protection measures. The standard provides a means for international organisations to demonstrate that they take cyber security seriously and have implemented essential cyber hygiene measures.

IASME Cyber Baseline maps to international standards and best practice (e.g. Cobit, CIS v8) but, importantly, allows the organisation to be assessed as meeting the IASME Cyber Baseline Standard.

The scheme is an important first step for many organisations in proving that they are serious about cyber security. It is a pre-requisite to the next step of certifying to the comprehensive risk based and policy driven IASME Cyber Assurance Standard.

The cost for IASME Cyber Baseline Self Assessed (Level 1) is based upon the size of the business:

Micro organisations (0-9 employees)	£300 +VAT
Small organisations (10-49 employees)	£400 +VAT
Medium organisations (50-249 employees)	£450 +VAT
Large organisations (250+ employees)	£500 +VAT

If you’re an international organisation (non-UK) and would like to know more about the IASME Cyber Baseline Standard, please get in touch.