Introduction
As cyber threats continue to evolve, so too must the frameworks designed to protect against them. The Cyber Essentials scheme, a cornerstone of the UK’s cybersecurity strategy, is set to undergo significant updates in April 2025. These changes aim to address emerging threats, incorporate new technologies, and ensure that organisations remain resilient in an increasingly digital world. In this blog, we’ll explore the key changes to the Cyber Essentials requirements and what they mean for your organisation.
1. Enhanced Focus on Cloud Services
One of the most notable updates in the 2025 Cyber Essentials requirements is the increased emphasis on cloud services. As more organisations migrate to cloud-based infrastructures, the new requirements will mandate stricter controls around cloud security. This includes:
- Multi-Factor Authentication (MFA): All cloud services must now enforce MFA for user access, adding an extra layer of security beyond just passwords.
- Data Encryption: Organisations will be required to encrypt data both in transit and at rest within cloud environments.
- Access Controls: Enhanced guidelines on who can access cloud resources and under what conditions, ensuring that only authorised personnel can access sensitive data.
2. Strengthened Mobile Device Management (MDM)
With the proliferation of mobile devices in the workplace, the 2025 updates will introduce more rigorous Mobile Device Management (MDM) requirements. Key changes include:
- Device Encryption: All mobile devices used for work purposes must be encrypted to protect data in case of loss or theft.
- Remote Wipe Capabilities: Organisations must have the ability to remotely wipe data from lost or stolen devices to prevent unauthorised access.
- Regular Updates: Mobile devices must be kept up-to-date with the latest security patches and software updates.
3. Expanded Scope for IoT Devices
The Internet of Things (IoT) is becoming increasingly integral to business operations, but it also introduces new vulnerabilities. The updated Cyber Essentials requirements will now include specific provisions for IoT devices:
- Default Password Changes: All IoT devices must have their default passwords changed upon installation to prevent unauthorised access.
- Network Segmentation: IoT devices should be segmented from the main network to limit the potential impact of a breach.
- Regular Firmware Updates: Organisations will be required to ensure that IoT devices receive regular firmware updates to address security vulnerabilities.
4. Stricter Requirements for Software Updates
Keeping software up-to-date is a fundamental aspect of cybersecurity. The 2025 updates will introduce stricter requirements for software updates:
- Patch Management: Organisations must have a formal patch management process in place to ensure that all software is updated promptly.
- End-of-Life Software: The use of end-of-life software that no longer receives security updates will be explicitly prohibited.
- Automated Updates: Where possible, software updates should be automated to minimise the risk of human error.
5. Improved Incident Response Planning
In the event of a cyber incident, having a robust response plan is crucial. The new requirements will place greater emphasis on incident response planning:
- Incident Response Plan: Organisations must have a documented incident response plan that outlines the steps to be taken in the event of a cyberattack.
- Regular Testing: The incident response plan must be tested regularly to ensure its effectiveness.
- Post-Incident Review: After an incident, organisations will be required to conduct a post-incident review to identify lessons learned and improve future response efforts.
Conclusion
The upcoming changes to the Cyber Essentials requirements in April 2025 reflect the evolving nature of cyber threats and the need for organisations to stay ahead of the curve. By focusing on cloud services, mobile device management, IoT security, software updates, and incident response planning, the updated framework aims to provide a more comprehensive approach to cybersecurity.
For organisations, now is the time to start preparing for these changes. Review your current cybersecurity practices, identify any gaps, and begin implementing the necessary measures to ensure compliance with the new requirements. By doing so, you’ll not only meet the updated standards but also enhance your overall cybersecurity posture, protecting your organisation from the ever-growing threat landscape.
If you have any questions or need assistance in preparing for the new Cyber Essentials requirements, feel free to reach out to our team of experts.
