The National Cyber Security Centre has introduced updated requirements for the Cyber Essentials scheme, including new rules on remote working, device ownership and multi-factor authentication.
The refresh of the government-backed standard tightens expectations around company-managed hardware and adds checks on user log-ins. Cyber Essentials sets a baseline for cyber hygiene that is used as a reference by many UK businesses, public sector bodies and suppliers to critical national infrastructure.
Under the latest marking criteria, multi-factor authentication is now mandatory for certification. Organisations that rely only on passwords or other single-factor methods will no longer meet the scheme's threshold.
"I welcome the annual updates to the Cyber Essentials marking criteria. This year's change to make MFA a mandatory requirement to pass is long overdue. This won't impact most organisations that are taking their cyber security seriously, as this has been basic practice for some time. But for those who are lagging behind, these are the kinds of basics we need to ensure are in place across the board," said Dominic Carroll, Director Portfolio, e2e-assure.
The revision also places greater emphasis on how quickly organisations apply high-risk or critical security patches. The NCSC now expects covered entities to install such updates within 14 days.
"Additionally, increasing the focus on the timely installation of high-risk or critical security updates and vulnerability fixes is great to see. However, I still feel that 14 days is too long a window for high-risk critical security updates. The speed at which threat actors can move and deploy attacks with the assistance of AI is accelerating at an unprecedented rate, and a 2-week risk period is too long, especially for businesses critical to CNI supply chains," said Carroll.
The NCSC has also widened the scope of Cyber Essentials to cover more aspects of remote working and device use. The update reflects the scale of hybrid and home working since the pandemic, as well as the growing number of personal and unmanaged devices handling corporate data.
Industry responses suggest the shift may compel organisations to reassess their reliance on employee-owned hardware. The revised interpretation places new emphasis on asset visibility, access control and consistent policy enforcement.
"Today's updates to the National Cyber Security Centre's Cyber Essentials place greater emphasis on remote working and device ownership. Bringing these into scope is a positive step as organisations are far more secure when they can rely on company-owned, managed devices, where they have visibility of assets, control over access, and the ability to enforce consistent security policies," said Jon Fielding, Managing Director, EMEA, Apricorn.
"Apricorn's research found that only 19 per cent of respondents said their organisation mandates the use of company-provisioned equipment with endpoint controls, which is worrying given that these unmanaged or personal devices introduce gaps that are difficult to monitor and even harder to secure," said Fielding.
The same study highlighted employee behaviour as another weak point in remote security. Almost half of remote or mobile workers admitted to knowingly putting data at risk.
"The research also found that 46 per cent of remote or mobile workers knowingly put data at risk, and highlights that backup resilience should certainly have more prevalence alongside these changes. While the guidance references backups, organisations should be adopting the 3-2-1-1-0 model to ensure data can be recovered quickly and reliably. Knowing which devices exist, enforcing secure authentication such as PIN-based access, and protecting against brute force attempts are all part of reducing risk at the endpoint," said Fielding.
He added that the update signals a broader reassessment of how organisations should treat endpoints and data in distributed environments.
"Securing remote work is not just about access, but about trusted devices and controlled authentication. The fact the Cyber Essentials updates now recognise this highlights a clear shift in priorities and the need to ensure critical data remains protected and recoverable wherever it resides," said Fielding.