Cyber Essentials Plus scheme will undergo another set of updates
Interest in cybersecurity has exploded, with efforts to protect business-critical data and policies to stave off cyber-crime now a core focus for businesses of all sizes and across all verticals. This growing awareness of cybersecurity can be attributed in part to the growth of the government-backed Cyber Essentials (CE) scheme, which helps UK-based organisations guard against cyber-attacks.
Cyber Essentials is managed by the British government’s National Cyber Security Centre (NCSC), an organisation which supports government bodies, the public sector, large corporations, and SMEs to operate safely and securely online. Businesses can seek Cyber Essentials certification via a consortium of advisors and assessors overseen by IASME, the official CE partner.
The Importance of Staying Up-to-Date
Cyber Essentials is a government-backed scheme designed to help businesses protect themselves from the most common cyber attacks. With five core technical controls, the scheme offers a minimum level of security that signals trustworthiness to customers, partners, and supply chains. To stay effective, the framework is regularly reviewed.
In 2022, the scheme experienced a significant overhaul, driven by the shift towards remote working and cloud reliance. In 2025, further enhancements will ensure businesses can better protect their IT infrastructures.
What’s New in Cyber Essentials Plus for 2025?
Passwordless Authentication
One of the most significant additions is the introduction of passwordless authentication as an accepted method for securing user access. Passwords, while traditional, are increasingly seen as a weak point in security due to their susceptibility to attacks. Cyber Essentials now includes guidance for organisations to adopt passwordless technologies, such as:
- Biometric authentication: Leveraging physical traits like fingerprints or facial recognition.
- Security tokens: USB keys or smart cards.
- One-time codes: Generated through apps or delivered via email or SMS.
- Push notifications: Sent to smartphones to verify login attempts.
Vulnerability Fixes
Previously, Cyber Essentials primarily focused on patches and updates to address vulnerabilities. Now, the scheme has expanded to include other methods of vulnerability mitigation, such as registry fixes and configuration changes. These methods provide more flexibility in addressing threats, particularly for high-risk vulnerabilities that require quick intervention.
This change reflects the growing sophistication of cyber threats and the need for comprehensive approaches to security update management.
Remote Working
Another important update is the expanded recognition of remote working risks. The term “home working” has been replaced by “home and remote working,” acknowledging that employees increasingly access company networks from untrusted environments, such as cafes, hotels, and public transportation.
With this change, businesses are encouraged to strengthen their security controls, particularly when it comes to network equipment and access management.
Key Technical Control Updates
- Software Definitions: A clearer distinction between software extensions and plugins.
- Security Updates: New emphasis on applying not only software patches but also vendor-recommended configuration changes.
- Access Control: The principle of least privilege access is reinforced, ensuring employees only have the necessary permissions to perform their roles.
Preparing for the Future
These updates to Cyber Essentials Plus are a step forward in securing businesses against the most prevalent cyber threats. They also align with broader security trends, such as the adoption of zero-trust models and the shift towards automated security solutions.
At Appurity, we’re committed to helping businesses navigate these changes. We provide guidance on implementing the new requirements and offer a range of services to ensure compliance with the updated Cyber Essentials framework.
Get in touch with us today to learn how we can help secure your organisation’s infrastructure in line with the latest Cyber Essentials updates.