What are the controls affecting the home user?

Controlling "your" or "the compute" device is essential

The changes to the requirements in 2022 ensure that the home user's router/firewall is not within the scope of the assessment. Other than listing home networks and referencing the home router provided by the ISP, you are required to set the boundary at the device you control on the home network, namely the laptop, tablet or other compute device the end user has on their home network.

Home networks are treated like any other network you do not directly control and are therefore "unsafe"; you are required to control, or ensure controls on, the firewall of the device itself that accesses your company systems. This device should have its firewall enabled, have an up-to-date and supported anti-virus solution installed, and your user should be a standard user of the device, not an administrator.

Account Separation

Unique Admin Accounts

Your home user firewall and anti-virus should be protected from being turned off, either by the user or any malicious software/bad actor who may gain some form of control on the device.

Day-to-day access should be as a user and not as a local admin.
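As an added example (not part of this page or the Cyber Essentials guidance), a read-only PowerShell posture check for a Windows home device covering the three controls above: host firewall on, anti-virus enabled and protected from being switched off, and the day-to-day account not a local administrator. The seven-day definition-age threshold and the local group name `Administrators` are assumptions.

```powershell
# Added example: read-only check of the home-working device controls described above.
# Run in a normal (non-elevated) session as the day-to-day user. Nothing is changed.
$MaxSignatureAgeDays = 7   # assumed threshold for "up-to-date" definitions

$results = @()

# 1. Host firewall enabled on every profile (Domain, Private, Public).
$profiles = Get-NetFirewallProfile
$fwOk = ($profiles | Where-Object { -not $_.Enabled }).Count -eq 0
$results += [pscustomobject]@{
    Control = 'Host firewall enabled on all profiles'
    Pass    = $fwOk
    Detail  = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
}

# 2. Anti-virus (Defender) running, definitions recent, tamper protection on
#    so neither the user nor malware can simply switch it off.
$mp = Get-MpComputerStatus
$sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($sigAge -le $MaxSignatureAgeDays)
$results += [pscustomobject]@{
    Control = 'Anti-virus enabled with recent definitions'
    Pass    = $avOk
    Detail  = "Enabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$sigAge"
}
$results += [pscustomobject]@{
    Control = 'Anti-virus protected from being turned off'
    Pass    = [bool]$mp.IsTamperProtected
    Detail  = "IsTamperProtected=$($mp.IsTamperProtected)"
}

# 3. The signed-in account is not a member of the local Administrators group.
#    Group membership is checked rather than the current token, because under UAC
#    an administrator running un-elevated holds a filtered token and would look like a user.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
$isAdmin = $admins -contains $identity.Name
$results += [pscustomobject]@{
    Control = 'Day-to-day account is a standard user'
    Pass    = -not $isAdmin
    Detail  = "User=$($identity.Name) LocalAdmin=$isAdmin"
}

$results | Format-Table -AutoSize
# Non-zero exit lets an MSP or helpdesk script flag the device for follow-up.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```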

Home User Routers

Now, whilst within the standard we do not want you to list these devices in the SAQ, and we will not test the devices themselves during any PLUS assessment, we would recommend, for the safety of the home users themselves, that they ensure the standard Cyber Essentials controls are applied to their device:

  • Default password changed to something with 12 characters or more (with MFA if possible)
  • Auto-updates (on by default on MSP-provided devices) enabled and active
  • No external port access (no published services on the device) - unlikely unless the user is a power user, and riskier if they are
  • No external access to the router configuration (this is as dangerous on a home router as it is on a business device)

There is no reason one of your employees at home should treat their own cyber security as any less important than your business does, so education should extend into the home, including BYOD.