Cyber Essentials – key changes

Jonathan Ashley, co-founder of etiCloud, outlines what the Cyber Essentials scheme entails, how recent changes to it might affect your firm and how signing up (if you haven’t already) is key to remaining one step ahead in the global cyber war.

Irrespective of specialism, size or location, every UK law firm is a potential target for cyber criminals and, as cyber threats continue to evolve, it is more important than ever to be prepared. This is one of the reasons why the Cyber Essentials scheme has made a number of changes to its requirements, to ensure all businesses, not just law firms, are fully equipped to protect themselves against cyber criminals in the event of a cyberattack.

What is the Cyber Essentials scheme?

Backed by government and industry, the Cyber Essentials scheme was launched in 2014 with the objective of helping organisations to protect themselves against a range of common cyberattacks.

As outlined in our Waging war against cybercrime e-book, cybersecurity should be a vital part of your business strategy, irrespective of the size or sector you operate in. Cyberattacks are on the increase and becoming more and more sophisticated. As such, it’s extremely important to implement measures to prevent your company becoming a victim of cybercrime.

A set of basic, technical controls, the Cyber Essentials scheme enables your company to achieve two levels of certification: Cyber Essentials and Cyber Essentials Plus. The first is a self-assessment option that offers protection against the most common cyberattacks. The latter is an extension of Cyber Essentials and requires a hands-on technical verification to be carried out.

What changes have been made to the scheme?

Six areas of the scheme have been updated, and these are some of the biggest changes we’ve seen since its initial launch. Key changes include the following.

Cloud services

If your firm’s data or services are hosted on a cloud service, you are now responsible for ensuring that all of the Cyber Essentials technical controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Multi-factor authentication (MFA)

Cyber Essentials states that multi-factor authentication (MFA) should be used to provide an extra layer of protection to admin accounts when the user is connecting to any cloud service. The MFA password must be a minimum of eight characters. This will apply to all accounts in 2023.

Working from home

If your company has adopted a hybrid working model or if any of your employees ever work from home, any devices they use to access company information or services are in scope for Cyber Essentials. The same applies to dumb terminals.

Using a corporate VPN will transfer the boundary to the corporate firewall or virtual cloud firewall. A corporate VPN allows you to provide your employees access to a secure, end-to-end encrypted connection to any cloud resources included in your company’s network.

Smart devices

Any smartphone or tablet that is used to connect to your company’s data and services is now in scope of Cyber Essentials. This also applies whether the user connects to the corporate network or via mobile internet such as 4G or 5G.

To unlock any device, biometrics or a minimum six-character PIN must now be used.

Unsupported software

Any software that is used on any in-scope device must be:

  • licensed and supported
  • removed from the device if it becomes unsupported, and
  • removed from scope or segregated from the main network using a defined ‘sub-set’ to prevent any traffic to and from the internet

In addition, automatic updates must be enabled, and the user must update their device within 14 days of the release of any update.

Account separation

Separate accounts should be used only to perform administrative activities. This keeps the administrative account away from avoidable risks such as emailing or web browsing.


If you have any questions about the changes to Cyber Essentials, if you’d like support to gain Cyber Essentials certifications or if you’d like a copy of our Waging war on cybercrime e-book, the etiCloud team can help. Call 0333 358 2222 or email and we’ll get you started.

etiCloud is a partner of the Law Society. For more information, visit the etiCloud offers page.