All change for Cyber Essentials from April 2025

As the cybersecurity landscape continually shifts, so too must the standards that are aimed at protecting businesses from new and growing threats.

Cyber Essentials (CE) is a UK government-backed scheme crafted to give businesses a clear path to a cybersecurity baseline, helping protect them from the most prolific cyberattacks. From April 2025, things are changing. Several significant updates will take effect, ensuring that the scheme remains relevant and that businesses remain secure through 2025 and beyond.

Key Changes to Expect

1. Zero Trust
A Zero Trust model helps stop unauthorised access to your organisation's data by assuming that no entity, whether inside or outside the organisation, should automatically be trusted.

2. Go passwordless
Passwords can often be forgotten, reused and ultimately compromised. Passwordless authentication uses a factor other than user knowledge – such as biometrics, security tokens, push notifications and one-time codes.

3. Greater importance placed on Cloud Security
A mandatory assessment of cloud security configurations will be required, including enhanced monitoring of third-party cloud service providers. Specific requirements will include multi-factor authentication (MFA) and Single Sign-On (SSO).

4. Supply Chain Security Requirements
Supply chain attacks are on the increase, especially in the small and medium-sized enterprise (SME) sector. New requirements in April 2025 will include a need to demonstrate not only that the organisation itself is meeting cybersecurity standards, but that its suppliers are, too.

5. Additional security requirements for devices
There will be a requirement for all desktop PCs and laptops to have an up-to-date Endpoint Detection and Response (EDR) solution. This is more proactive than traditional anti-virus (AV), as it includes protection against, and response to, unknown or emerging threats as well as previously known threats.

6. Stricter controls over the use of Bring Your Own Device (BYOD) policies
The update looks at securing all access points into your organisation, and this extends to any corporate or personal device that will access your organisation’s data (such as smartphones and tablets). The controls can be either technical or process driven.

7. A firmer approach towards vulnerability management
Whilst patch management and vulnerability scanning have always been a pivotal part of Cyber Essentials (CE), the new changes will require businesses to adopt fully automated patch management with a faster turnaround for implementation of critical updates.

8. A more general alignment with international industry standards
The Cyber Essentials (CE) Framework will begin to align more closely with other similar standards globally, including those of the US government agency NIST (National Institute of Standards and Technology). This should make it easier for UK businesses to demonstrate to external parties, both within the UK and abroad, that standards are being met.

What should you do, to prepare?

Preparation for these changes will depend on how things are currently configured within your business, but will involve an initial assessment followed by remediation steps where appropriate.

Contact us in good time for your renewal date so that we can help you through the process.

For more detailed information about the key changes, please give us a call or enter your contact details here.