Cyber Essentials
Paul Waring (paul@xk7.net)
20th June 2026
whoami
- IT Director, Chief Security Officer, Freelance PHP Developer
- Specialise in legacy code/systems and financial services
- I like trains, history and technology (@pwaring@social.xk7.net)
- You may know me from: Geek Walks, Currybeer (but not golf or
moths)
Topics
- What is Cyber Essentials?
- Backups
- Bring your own device
- Third parties
- Firewalls
- Software
- Multi Factor Authentication
- Questions at any time
What is Cyber Essentials?
- Baseline cyber security requirement in the UK
- Updated most years
- Run by National Cyber Security Centre (part of GCHQ)
- Requirement for some cyber insurance
- Includes basic cyber insurance if you pass
- Example: .uk domain registrars
What is Cyber Essentials?
- Two certifications: Cyber Essentials + Cyber Essentials Plus
- Cyber Essentials: Self-assessment, reviewed by assessor
- Plus: Independent technical audit
- Scope: Can be whole IT infrastructure or just a subset
- Does include cloud services, but responsibility may be shared
Backups
- Not required by Cyber Essentials(!)
- Highly recommended
- No idea why this isn’t included
Bring your own device
- User devices which access organisation services are in scope
- Native voice is excluded
- Native text is excluded
- MFA applications are excluded
- If you ‘just’ have your email on your device, it’s in scope
- Working from home devices also in scope
- Home routers excluded, unless you provide them
Third parties
- All accounts owned by your organisation are in scope
- Even accounts used by third parties are in scope if owned
- Devices loaned to third parties are in scope
Firewalls
- Every device in scope must be protected by a firewall
- Can be network / boundary firewall or software firewall
- Must not use default passwords
- Remote admin access must be disabled unless business need + MFA / IP
list
- Unauthenticated inbound connections must be blocked
- Inbound rules must be documented
Software
- Applies to all software on in-scope devices
- Must be licensed and supported (tricky for open source?)
- Remove once unsupported, or prevent all Internet traffic
- Automatic updates must be enabled
- Apply updates within 14 days of release (if CVSS score >= 7)
Multi Factor Authentication
- MFA is now compulsory for all accounts on all services
- Includes internal and external services
- Cloud services are explicitly in scope
- If MFA is a paid extra, you have to pay for it
- Problems for open core products (e.g. Metabase)
Multi Factor Authentication
- Good idea, challenging to implement
- Users need devices
- Make sure you have reset options
- Many services only allow one device to be registered
- Best to worst: Key, phone, SMS, email (not really MFA)