Cyber Essentials 2025: Why “Good Enough” Security No Longer Protects Your Business

For years, many UK small business owners viewed Cyber Essentials (CE) as a “badge of honor” – a sticker to put on a website footer or a box to tick for a local council tender. However, as we move into 2026, the landscape has shifted. Cybercrime has industrialised and the UK government’s baseline standards have evolved to meet it.

In April 2025, the “Willow” update to the Cyber Essentials requirements officially comes into force. This isn’t just a minor tweak; it reflects how we work now: hybrid, cloud-reliant and increasingly targeted by AI-driven threats.

If you are a business owner or IT manager, here is what you need to know to ensure your organisation remains resilient and compliant in 2025.

The Economic Case for Security

Before diving into the technicals, we must address the “why.” According to the UK Government’s Cyber Security Breaches Survey, the average cost of a cyber attack for a medium-sized UK business is now upwards of £10,000 in direct costs alone—excluding the catastrophic reputational damage.

Furthermore, the Information Commissioner’s Office (ICO) has signaled that “standard” security measures are no longer a defense against GDPR fines. If you haven’t implemented the five technical controls of Cyber Essentials, you are effectively leaving your front door unlocked in the eyes of the law.


1. The Boundary of the Modern Office

In 2025, the “office” is wherever your laptop is. The Willow update provides much-needed clarity on Remote Working.

Previously, there was confusion regarding home routers. The 2025 standard clarifies that while your employee’s home ISP router is out of scope, the endpoint device (the laptop or mobile) and the software firewall on that device are your primary line of defense.

Strategic Action: Transition away from trusting “perimeter” security. Your security must live on the device itself. Ensure that every company-issued laptop has a strictly managed software firewall that cannot be disabled by the user.

2. Moving Beyond Passwords to “Passwordless”

The era of “ComplexPassword123!” is over. The NCSC now actively promotes the use of Passkeys and FIDO2-compliant hardware.

For Cyber Essentials 2025, Multi-Factor Authentication (MFA) is non-negotiable for all cloud services. However, the type of MFA matters. Sophisticated phishing attacks can now bypass SMS-based codes.

“MFA is the single most effective control you can implement. In 2025, if your cloud admin accounts aren’t protected by hardware keys or authenticator apps, you are an outlier in terms of risk.” (NCSC Guidance on MFA)

3. The “14-Day Rule” and the Vulnerability Pivot

Perhaps the most significant change in the 2025 Willow update is the shift in language from “Patch Management” to “Vulnerability Management.” This isn’t just semantics. It acknowledges that security isn’t always about installing a new update; sometimes it’s about changing a configuration or disabling a vulnerable feature. The “14-Day Rule” remains: if a critical vulnerability is identified and a fix is available, you have two weeks to apply it.

The 2025 Reality: Many legacy systems (like Windows 10) are reaching end-of-life. If your hardware cannot run the latest, supported operating systems, you will fail your certification.
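To make the “14-Day Rule” concrete, here is an added Python example (not from this post, the NCSC or the Cyber Essentials scheme) that checks a constructed device inventory against it: each critical or high finding must be closed within 14 days of a fix becoming available, whether by a patch, a configuration change or disabling the feature, and a device on an unsupported operating system fails outright. The severity scope, device names, finding references and all dates are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

FIX_WINDOW = timedelta(days=14)   # the "14-Day Rule" in the Willow requirements
IN_SCOPE = {"critical", "high"}   # assumption: severities this check applies the rule to
@dataclass
class Finding:
    ref: str                           # vulnerability reference (placeholders below)
    severity: str
    fix_available: date                # day a patch, config change or feature-disable became available
    remediated: Optional[date] = None  # None means still open
    action: str = "patch"              # "patch", "config change", "feature disabled", ...

@dataclass
class Device:
    name: str
    os: str
    supported_until: date              # vendor support end date
    findings: List[Finding] = field(default_factory=list)

def ce_issues(device: Device, today: date) -> List[str]:
    issues = []
    if device.supported_until < today:
        issues.append(f"{device.name}: {device.os} unsupported since {device.supported_until}")
    for f in device.findings:
        if f.severity.lower() not in IN_SCOPE:
            continue                          # lower severities: outside the rule here
        deadline = f.fix_available + FIX_WINDOW
        closed_on = f.remediated or today     # an open finding is measured up to today
        if closed_on > deadline:              # a late fix fails just like an open one
            state = "still open" if f.remediated is None else f"{f.action} applied {f.remediated}"
            issues.append(f"{device.name}: {f.ref} ({f.severity}) {state}; deadline was {deadline}")
    return issues

def fleet_report(fleet: List[Device], today: date) -> List[str]:
    return [issue for d in fleet for issue in ce_issues(d, today)]
# Constructed inventory: names, references and dates are illustrative, not real data.
TODAY = date(2026, 1, 12)
FLEET = [
    Device("FIN-LAPTOP-01", "Windows 11 24H2", date(2026, 10, 13), [
        Finding("VULN-0001", "critical", date(2025, 12, 1), date(2025, 12, 9)),  # fixed in 8 days: OK
        Finding("VULN-0002", "high", date(2026, 1, 5)),                          # open 7 days: in window
    ]),
    Device("RECEPTION-PC", "Windows 10 22H2", date(2025, 10, 14), [
        Finding("VULN-0003", "critical", date(2025, 12, 1)),                     # open 42 days: fail
        Finding("VULN-0004", "high", date(2025, 11, 1), date(2025, 11, 20), "config change"),  # 19 days
        Finding("VULN-0005", "low", date(2025, 6, 1)),                           # out of scope
    ]),
]
```

A finding remediated exactly on day 14 passes; the fully patched laptop produces no issues, while the Windows 10 machine fails on its operating system, its open critical finding and its late configuration change.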

4. The Principle of Least Privilege

A common failure point in SME security is the “Global Admin” trap—where everyone in the company has administrative rights to make their jobs “easier.”

In 2025, Cyber Essentials requires a strict audit of user accounts.

  • Standard Users should only have the permissions needed for their daily tasks.
  • Admin Accounts must only be used for administrative tasks and should never be used for browsing the web or checking emails.


Basic vs. Plus: Which Path to Choose?

For most small businesses, Cyber Essentials (Basic) is a self-assessment that provides a great starting point. However, if you are handling sensitive data or aiming for high-value government contracts, Cyber Essentials Plus is the gold standard.

CE Plus involves an independent technical audit. It proves to your clients—and your insurance provider—that your defenses don’t just exist on paper, but they actually work under pressure.

Conclusion: Building a Culture of Resilience

Cyber Essentials 2025 is not a hurdle to clear; it is a blueprint for survival. By aligning your business with these five controls—Firewalls, Secure Configuration, User Access, Malware Protection, and Vulnerability Management—you aren’t just complying with a UK standard; you are building a resilient business that can thrive in a digital-first economy.

Is your business ready for the April 2025 update? Start by auditing your current “Global Admin” list today. You might be surprised at who has the keys to your kingdom.

V3ndta
