What’s New for Cyber Essentials 2025

What is Cyber Essentials?

Cyber Essentials is a government-backed certification that equips organisations with the core controls needed to defend against today’s most common cyber threats.

The NCSC recommends Cyber Essentials as the minimum standard of cyber security for all organisations.

Who Should Follow Cyber Essentials?

Every organisation, from micro businesses to large corporations, should follow Cyber Essentials as no organisation is exempt from a cyber-attack.

Cyber Essentials 2025 Updates

To stay relevant and effective in an evolving threat landscape, Cyber Essentials must continue to evolve. The April 2025 IT Infrastructure updates in version 3.2 are designed to do just that, addressing vulnerabilities in outdated security practices, such as traditional password-based authentication, and aligning with modern working patterns like remote and hybrid work. These changes also broaden the scope of acceptable remediation methods and reinforce the certification process itself, ensuring that it carries greater credibility and impact.

A Breakdown of the Latest Cyber Essentials Updates

Passwordless Authentication

The 2025 Cyber Essentials update builds on the 2022 multi-factor authentication requirement by formally embracing passwordless authentication – a more secure and user-friendly approach that eliminates the need for traditional passwords altogether.

Instead of relying on a single, often weak, password, passwordless systems use multiple authentication factors such as biometrics, cryptographic keys, and one-time codes to verify user identity. Even without a password, these systems maintain robust security through behind-the-scenes technologies like digital certificates and secure authentication protocols.

Common examples of passwordless authentication methods include:

  • Biometric authentication: Verifies user identity through the user’s biological traits, e.g. fingerprints or facial features.
  • Security keys or tokens: Physical hardware devices (e.g., USB keys or smart cards) that validate access.
  • One-time codes: Temporary codes sent via email, SMS, or an authentication app.
  • Push notifications: Prompts sent to a registered mobile device to approve or deny login attempts.

Redefining Remote Work

The term ‘home working’ is being updated to ‘home and remote working’, a subtle but important shift that reflects the reality of today’s workforce. Employees are no longer confined to home offices; they’re logging in from cafes, hotels, airports, and anywhere in between, hence the new inclusion of the word ‘remote’. This change reinforces the need for organisations to ensure their data security practices are strong enough to protect sensitive information, regardless of location. As part of this update, cloud security configurations will also undergo mandatory assessment, ensuring remote access doesn’t come at the cost of data protection.

Vulnerability Fixes

In the latest Cyber Essentials update, the term ‘patches and updates’ has been replaced with ‘vulnerability fixes’, a broader, more inclusive term that reflects the range of methods used to address security issues. Vulnerability fixes can include patches, security updates, registry edits, configuration changes, scripts, or any other solution provided by the vendor to resolve a known vulnerability.

The Security Update Management section has also been revised to reflect this change. It now clearly outlines that product vendors may issue various types of fixes for supported products, and organisations must ensure these are applied promptly to maintain compliance and reduce risk.

How This Impacts Your Business

The latest Cyber Essentials updates aim to help organisations strengthen their cybersecurity strategies in response to today’s evolving threat landscape. As work becomes more flexible and cyber risks grow more complex, these changes ensure that organisations are proactively addressing emerging vulnerabilities. By adopting measures like passwordless authentication, robust remote work policies, and comprehensive vulnerability management, you not only enhance data protection, but also reinforce trust with your customers, partners, and stakeholders.

How CWSI Can Help

At CWSI, we specialise in helping organisations navigate complex cybersecurity requirements with confidence and clarity.

Our team of experienced professionals have worked across a broad range of sectors, supporting clients in achieving compliance with recognised standards such as Cyber Essentials. We provide end-to-end guidance, from initial gap assessments to the implementation of necessary controls, ensuring a smooth path to certification while enhancing your overall security posture.

Get in touch with us today to begin your journey towards Cyber Essentials certification and a more resilient, secure future.
