This article aims to provide a comprehensive guide to the upcoming changes in Cyber Essentials for 2025. It will assist organizations in understanding the anticipated updates to the certification scheme, ensuring they are well-prepared to meet the new requirements.
The UK's Cyber Essentials certification will undergo several updates starting April 28, 2025. These changes aim to improve cybersecurity resilience, especially for small businesses, in the face of evolving cyber threats.
Key Changes:
- Terminology Adjustments: The term "plugins" has been updated to "extensions" to encompass a broader range of software, including browser add-ons. Additionally, the scope for remote work has expanded from being limited to "home working" to include all remote working scenarios, reflecting the growing trend of working from untrusted networks such as cafes and hotels.
- Passwordless Authentication: The certification now officially supports passwordless authentication. This allows businesses to implement biometric systems, security keys, or push notifications for enhanced security measures.
- Vulnerability Management: The section on security updates has been expanded to cover configuration and registry changes, not just software patches. This requires businesses to address all vulnerabilities comprehensively, which may increase the complexity of maintaining compliance.
- Least Privilege Access: There is now a stronger emphasis on least privilege access. This ensures that employees have only the necessary access to perform their tasks, thereby minimizing potential damage in the event of a breach.
Impact on Small Businesses:
SMEs may encounter extra operational overheads to comply with these new standards. Specifically, the shift towards comprehensive vulnerability fixes necessitates active management of software updates as well as technical configurations. The adoption of passwordless authentication might require investment in new hardware or systems, such as biometric readers or security tokens.
Preparation Tips for SMEs:
- Review Infrastructure: Audit and document network equipment, including routers and firewalls.
- Evaluate Authentication: Consider passwordless options and ensure remote systems comply with updated requirements.
- Enhance Patch Management: Establish a process for addressing security vulnerabilities and maintaining compliance.
- Train Staff: Educate on least privilege principles and update access rights as roles change.
By taking these steps, small businesses can ensure they are well-prepared to meet the 2025 Cyber Essentials criteria.
Further guidance can be found by visiting the Government’s National Cyber Security Centre