Upcoming Changes to Cyber Essentials

Cyber Essentials changes 2026: what the move from Willow to Danzell means for you

By Glen Patrick, Head of Cyber Audit at CyberSmart

From 28 April 2026, significant changes to Cyber Essentials and Cyber Essentials Plus will come into effect, as IASME introduces the new Danzell question set to replace Willow.

These updates represent one of the most important shifts in the Cyber Essentials scheme in recent years - tightening requirements, reducing flexibility, and placing greater emphasis on real-world security.

In this guide, we explain:

  • What’s changing in Cyber Essentials 2026
  • How Cyber Essentials Plus audits are evolving
  • What the move from Willow to Danzell means
  • How to prepare for the new requirements


Why Cyber Essentials is changing in 2026

IASME updates Cyber Essentials annually to ensure the framework continues to reflect current cyber threats and best practices.

The April 2026 Cyber Essentials changes are designed to:

  • Strengthen cyber resilience across UK organisations
  • Improve consistency and reduce interpretation in assessments
  • Prevent “last-minute fixes” or selective compliance
  • Reinforce Cyber Essentials as a trusted supply chain standard

As discussed in our recent Ask the Auditors session, these changes aim to ensure organisations are genuinely secure - not just compliant on paper.

What is the difference between Willow and Danzell?

The transition from Willow to Danzell introduces stricter controls and removes much of the tolerance that previously existed in Cyber Essentials assessments.

1. Mandatory MFA across all cloud services

Under Danzell:

  • Multi-factor authentication (MFA) must be enabled on all cloud services where available
  • This includes SaaS platforms, business tools, and systems using single sign-on (SSO)
  • Failure to implement MFA will result in an automatic fail

Previously, some MFA gaps could be tolerated. That is no longer the case.


2. Stricter Cyber Essentials scoping requirements

Cyber Essentials scope must now be:

  • Clearly defined and justified
  • Based on network boundaries (not departments or roles)
  • Supported by detailed explanations for any exclusions

All internet-connected organisational devices must be included in scope unless explicitly justified.

3. Evidence must be explicit and verifiable

The new Danzell question set requires:

  • Clear, documentable evidence
  • Less reliance on assumed or theoretical controls

This reinforces Cyber Essentials as a verifiable security standard, not just a self-assessment exercise.

How Cyber Essentials Plus is changing in 2026

The most impactful changes affecting Cyber Essentials Plus:

New vulnerability sampling process

Under the updated model:

  1. A random sample of devices is tested
  2. If vulnerabilities are found:
    • Organisations must remediate them
    • A second random sample is tested
  3. If vulnerabilities are found again:
    • The Cyber Essentials Plus audit may fail
    • The underlying Cyber Essentials certification may be invalidated

This replaces the previous model, where passing a single sample could still lead to certification.

What this means in practice:

  • Organisations must be fully compliant before audit
  • Vulnerabilities cannot be deferred
  • Audit preparation must happen earlier
  • The risk of failure increases if organisations are not ready


Cyber Essentials is now a “point-in-time” certification

Another key change in 2026 is the move to point-in-time compliance.

This means:

  • Certification reflects your organisation’s security posture at that exact moment
  • You must be compliant before and during certification
  • There is minimal opportunity to fix issues after audit activity begins


How to prepare for Cyber Essentials 2026 changes

To succeed under the new requirements, organisations should:

1. Implement MFA everywhere

Ensure MFA is enabled across all cloud services where available.

2. Prioritise vulnerability management

Address high and critical vulnerabilities quickly, especially within required timelines.

3. Review your Cyber Essentials scope

Ensure all relevant systems are included and exclusions are clearly justified.

4. Start audit preparation earlier

Do not wait until just before your Cyber Essentials Plus audit to begin remediation.


How CyberSmart supports Cyber Essentials and Cyber Essentials Plus

At CyberSmart, we’re already adapting our platform and processes to help organisations and partners succeed under the new Cyber Essentials framework.

A new, guided Cyber Essentials Plus experience

We’re developing a more structured journey that:

  • Encourages earlier preparation
  • Reduces uncertainty during audit
  • Guides organisations step-by-step through the process

Improved audit readiness dashboards

We’re introducing enhanced visibility within the platform, including:

  • Real-time vulnerability status
  • Clear audit readiness indicators
  • Actionable steps before booking an audit

Helping you achieve Cyber Essentials with confidence

Our focus is on helping organisations:

  • Avoid last-minute surprises
  • Reduce audit risk
  • Achieve certification efficiently and confidently


Final thoughts: Cyber Essentials is evolving

The Cyber Essentials 2026 changes mark a significant step forward for the scheme.

While the requirements are stricter, they also increase the value and credibility of certification - particularly as Cyber Essentials continues to play a key role in supply chain security.

For organisations and partners, success will depend on one thing:

Being ready before the audit begins.

Learn more about the Cyber Essentials changes

For a deeper dive into the Willow to Danzell transition and what it means for you, revisit our Ask the Auditors webinar in the CyberSmart Community.

We’ll continue to share guidance, updates, and best practices to help you prepare for April 2026 and beyond.

Download the guide

UK Government Cyber Action Plan: What MSPs Need to Know Now

43% of UK businesses experienced a cyber breach last year. Only 14% assess cyber risk in their immediate suppliers.

That gap is about to close, fast.

The UK government recently published its Cyber Action Plan, backed by £210 million and a new central authority. The plan officially focuses on central departments and arm's-length bodies (ALBs) meeting baseline standards by 2029. But if you're an MSP or IT service provider serving public sector clients, the official timelines matter less than understanding the direction of travel.

Because government plans don't stay contained. What starts as a departmental delivery target becomes a procurement requirement. Then a supply chain expectation. Then a client question you're expected to answer.

Are you going to be ready when this plan affects your clients?

Why MSPs Should Act Now

The government's Cyber Action Plan creates three immediate pressures that will cascade to MSPs faster than the official 2029 timeline suggests:

  1. Personal accountability creates budget urgency

Accounting Officers (permanent secretaries, CEOs of government bodies) are now personally responsible for cyber risk across their departments, ALBs, and supply chains. Not departmentally responsible. Personally. When senior officials have personal liability, budgets move faster than policy timelines.

  2. The enforcement gap is closing

The Cyber Security and Resilience Bill was introduced in November 2025 and passed its second reading in January 2026. It will bring medium and large MSPs into direct regulatory oversight for the first time. The Bill is now in committee stage and expected to become law later this year, introducing several critical requirements:

  • The 24/72 Rule: Notify the regulator within 24 hours of discovering a significant incident, and provide a full report within 72 hours
  • Turnover-Based Fines: Up to £17 million or 4% of global turnover for serious breaches (GDPR levels)
  • Proactive Supervision: The Information Commission (IC) (formerly the Information Commissioner’s Office, or ICO), which will take on new network and information systems security responsibilities under the Bill, can inspect your security posture before incidents occur
  • Registration Requirements: RMSPs will have three months to register with the ICO once relevant provisions commence

  3. The urgency mismatch creates competitive advantage

Here's the tension: The NCSC's own messaging in its Annual Review 2025 is "it's time to act," reinforced by thousands of incidents handled last year and a rising threat picture. But the Action Plan's milestones feel cautious: 50% supplier assurance coverage by 2029, two-thirds of assessed systems meeting 75% of CAF outcomes.

The NAO called out similar issues in its January 2025 report on government cyber resilience. This plan responds to many of those critiques, but the pace still lags behind the threat environment the government itself describes.

For MSPs, that gap creates both opportunity and planning challenge. Clients who wait for mandates will be scrambling. Clients who move now can be defensible, not just compliant on paper. But move too early and you're investing ahead of demand; wait too long and you're scrambling to catch up when clients start asking questions.

The skills dynamic makes this urgent:
Government faces a massive skills gap: one in three cyber roles are unfilled, and 70% of specialist roles rely on contractors because government can't match private sector salaries. The plan creates a Government Cyber Profession to address this, but in the meantime, departments will need partners who can deliver.

What the Government Is Actually Doing

The government is establishing the Government Cyber Unit, a centralised function within DSIT that will set standards, provide services, and hold departments accountable. This represents a fundamental shift from fragmented, department-by-department approaches to active central coordination.

The core commitments:

  • The Cyber Assessment Framework (CAF) becomes the organising model for assurance, operationalised through GovAssure
  • Cyber Essentials positioned explicitly as a baseline control
  • Supply chain assurance becomes mandatory, with 50% of ALBs required to implement "some type" of supplier assurance by April 2029
  • Accounting Officers now personally accountable for cyber risk in their departments, ALBs, and supply chains
  • Evidence and reporting move from policy theatre to practical delivery

The plan also acknowledges something important: legacy systems are hard to defend (28% of government systems are legacy tech), funding is constrained, and cyber incidents are routine, not exceptional.

The Three-Phase Government Rollout

Understanding the government's implementation timeline helps with planning:

Phase 1: Building (by April 2027)

  • Government Cyber Unit established with core functions
  • Clear standards and targets set for departments
  • Government Cyber Profession launched
  • Incident Response Plan published

Phase 2: Scaling (by April 2029)

  • Departments deliver costed cyber improvement plans
  • Central services pipeline established
  • Departments fully operating within new governance structures
  • 50% of ALBs implement supply chain assurance

Phase 3: Improving (post-2029)

  • Continuous improvement based on data insights
  • Strategic supplier management at scale
  • Profession drives transformation

The demand you'll see won't wait for Phase 2. Procurement teams move faster than policy milestones, and Accounting Officers with personal accountability will act sooner rather than later.

What to Expect: The Cascade Effect

Based on the plan's structure and typical government procurement patterns, here's what to expect:

Cyber Essentials becomes non-negotiable
Not because clients suddenly care about technical controls, but because buyers will use it as a fast, visible way to raise the floor. If you're bidding on work involving public sector clients, regulated industries, or supply chains touching either, CE will move from nice-to-have to table stakes.

CAF becomes the reference model
Even for organisations that never formally adopt CAF, its language and structure will shape how assurance is described, measured, and bought. GovAssure is how this gets operationalised: departments assess critical systems against CAF outcomes and report centrally. If your outputs don't map cleanly to CAF outcomes, you'll spend time explaining why instead of demonstrating value.

Assurance pressure cascades early
Based on how government procurement typically works, requirements cascade like this: government sets requirements for departments, departments push requirements onto their ALBs, ALBs push requirements onto suppliers, and suppliers turn to their MSPs for support. Given the April 2027 and 2029 milestones in the Action Plan, most organisations are likely in the early stages of this process - understanding requirements and planning responses rather than actively implementing yet. But lead departments are now explicitly accountable for the cyber resilience of their ALBs and sectors, which means the timelines say 2029 but procurement processes will move faster.

Evidence replaces effort
The Action Plan emphasises the need to demonstrate compliance through evidence rather than assertions. Clients must show progress to auditors, insurers, and procurement teams. If your service model doesn't produce portable, reusable evidence, you'll be asked to redo work you've already done.

Centralised support creates new dynamics
The Government Cyber Unit will offer services and support to departments at scale. This includes technical advisory, detection services, incident response retainers, and a "partnering function" to help organisations access what they need. For MSPs, this could mean competition from centralised offerings, or opportunities to deliver services through government frameworks.

The Cyber Security and Resilience Bill: Timeline and Preparation

The Bill must pass through both Houses of Parliament before receiving Royal Assent. Once it becomes law, different provisions will be brought into force in phases through secondary legislation (commencement regulations).

This phased approach allows time for:

  • Consultation on specific technical requirements and thresholds
  • Development of guidance and support materials
  • MSPs and regulators to prepare for implementation

For MSPs, this represents a fundamental shift: cybersecurity will move from being primarily a service you sell to also being a regulatory requirement you must live by. The time to prepare is now, before the requirements take effect.

What to do now:

  • Review your current incident response and reporting capabilities
  • Ensure you have appropriate security measures and documentation in place
  • Budget for registration fees and compliance costs

What This Means in Practice

If you're serving public sector clients, regulated industries, or supply chains connected to either, three things shift:

Cyber Essentials becomes the entry point
Fast, standardised, and increasingly expected. Treat it as the gateway to deeper work, not the finish line.

Ongoing assurance becomes the business model
One-off certifications don't match the demand environment. Clients need continuous visibility, not annual audits. Build services that assume compliance is a state, not an event.

Portability and automation win
Manual processes and bespoke outputs don't scale. The MSPs who thrive will be the ones who can turn security work into usable evidence quickly and consistently.

How Leading MSPs Are Responding

Your clients won't wait until 2029 to ask questions about supply chain assurance, Cyber Essentials status, and ongoing compliance evidence. They're asking now.

Over 1,000 MSPs use CyberSmart to answer at scale:

Cyber Essentials certification in as little as 24 hours with unlimited expert support

Continuous compliance monitoring that tracks security posture in real-time

CAF-aligned evidence clients can reuse across tenders, audits, and insurance reviews

Multi-tenant operations with flexible commercial models built for MSP delivery

Security work becomes evidence. Evidence answers questions. Questions answered quickly become revenue.

The Bottom Line

The 2029 milestones are political. The demand is arriving now.

Clients are already facing supply chain assurance requirements in procurement, audits, and renewals. The MSPs who can respond immediately with portable evidence will win that work.

Book a demo to see how leading MSPs are turning compliance demands into scalable revenue streams with CyberSmart.

CSMv4 Is Live: What Defence Suppliers Need to Know About DCC Requirements

As of December 3rd, 2025, the Cyber Security Model version 4 is live. If you're in the defence supply chain, the Defence Cyber Certification (DCC) is the assurance framework the MOD expects you to use.

The MOD's letter to industry makes clear that Defence Cyber Certification is the assurance framework the MOD expects defence suppliers to use. Begin your certification journey, or risk being locked out of MOD opportunities.

What Actually Changed on December 3rd

The new cyber security standards launched via Industry Security Notice 2025/07. These standards were developed in partnership between the MOD and defence suppliers through the Defence Cyber Protection Partnership.

The Defence Cyber Certification scheme was announced in May 2025, with Level 0 going live in July and Levels 1-3 following in August. December 3rd marks the official launch of CSMv4, providing defence suppliers with a structured assurance framework for demonstrating cyber security compliance.

Why This Matters Now

The Strategic Defence Review stated bluntly that UK Defence continues to carry intolerable levels of cyber risk. The Defence Industrial Strategy sets out the ambition to develop a resilient UK industrial base. Recent attacks on Marks & Spencer, the Co-op, and Jaguar Land Rover demonstrate the threat is real and immediate.

The UK Defence supply chain is a priority target for adversaries. Your subcontractors, suppliers, and partners are all potential entry points. The MOD is closing those gaps.

Understanding the Four Certification Levels

The DCC operates across four levels, each corresponding to the cyber risk profile of your contracted work:

Level 0 (Very Low Risk) – The entry point. Beyond Cyber Essentials, you'll need two additional basic controls. This is the very minimum defence contractors will need. Suitable for suppliers providing low-risk goods like stationery or facilities management with minimal MOD system interaction.

Level 1 (Low to Moderate Risk) – Many defence suppliers will land here. Requires 101 controls covering governance, risk management, protective controls, incident response, and staff training. Cyber Essentials remains the technical baseline. Typical for IT support services, standard software solutions, training, consultancy, or logistics where you have some access to MOD systems or official data.

Level 2 (High Risk) – Demands 139 controls with sophisticated governance, continuous monitoring, and robust technical assurance. Cyber Essentials Plus becomes mandatory. Aimed at suppliers regularly handling sensitive MOD data, providing managed IT services for defence operations, or developing bespoke software integrating with MOD infrastructure.

Level 3 (Substantial Risk) – The highest level, requiring 144 controls and expert cyber security capabilities. Reserved for mission-critical work: command and control systems, cloud infrastructure for classified operations, weapons systems components, or advanced defence technology where compromise could have severe operational impact.

Start with Level 0, Plan for Higher

The MOD encourages defence suppliers to seek certification, beginning with Level 0. Individual contracts may specify higher levels as appropriate to the work being undertaken.

A single DCC certificate can be used across multiple MOD contracts that specify DCC, provided the contracts require a level at or below your certification level. If you achieve Level 1, you can use that certificate for Level 0 or Level 1 contracts, eliminating repeated contract-by-contract security assessments.

Certification lasts three years, subject to annual attestations and maintaining valid Cyber Essentials certification.

Common Pitfalls to Avoid

Letting Cyber Essentials lapse – If your Cyber Essentials certification expires during the DCC assessment process, you'll automatically fail. Even if everything else is perfect.

Scoping too narrowly – You can't exclude parts of your organisation that don't directly handle MOD data. The scheme demands organisation-wide compliance.

Assuming certification means you're set for three years – You must complete annual attestations confirming ongoing compliance and renew Cyber Essentials annually. At the three-year mark, full recertification is required.

Treating it as a checkbox exercise – Assessors will interview staff, request demonstrations, and verify operational evidence. Policy documents without proof of implementation won't suffice.

What You Actually Need to Do

This is where suppliers typically hit friction. Many organisations already follow good security practices but lack documentation. DCC assessments are evidence-driven. You need policies, logs, training records, and proof of implementation for each control.

Here's the systematic approach:

  1. Confirm your required level – Check your MOD contract to determine whether you need Level 0, 1, 2, or 3. If you're preparing to bid without a current contract, consider which level aligns with your anticipated work.
  2. Get Cyber Essentials certified – This is the baseline for all DCC levels. It covers firewalls, secure configuration, user access control, malware protection, and security update management. Levels 2 and 3 require Cyber Essentials Plus.
  3. Define your scope – DCC takes a whole-organisation approach. You can't certify only the team handling MOD work directly. Every business-critical system and department must be in scope. Document this clearly in your Statement of Scope.
  4. Conduct a gap analysis – Compare your current security measures against the required controls for your level. Level 1 alone requires 101 additional controls beyond Cyber Essentials. Create a tracker listing each control, its status, supporting evidence, and outstanding actions. CyberSmart provides a gap analysis framework as part of our Defence Readiness Package to streamline this process.
  5. Address the gaps – Develop or update security policies, implement technical measures like logging and vulnerability scanning, establish new processes for risk assessments and supplier vetting, and assign clear roles for administering security measures.
  6. Collect evidence – Organise written policies, training records, system configuration screenshots, patch management reports, access control lists, incident logs, backup logs, risk registers, and supplier security questionnaires. Cross-reference everything against specific controls.
  7. Build your risk register – Document your information assets, threats, vulnerabilities, existing controls, and risk treatment decisions. DCC requires systematic risk management with periodic reviews.
  8. Run an internal review – Before formal assessment, have someone outside the direct process review your scope definition, compliance documentation, staff awareness, and evidence quality. Identify weak spots while you can still address them.
  9. Book your assessment – Engage an IASME-accredited DCC certification body like CyberSmart. We'll review your submission, conduct interviews or demonstrations to verify controls, and issue your certificate upon successful assessment.

What the MOD Expects Beyond Certification

The December letter also highlights two foundational approaches the MOD wants to see embedded across supplier organisations:

Active Cyber Defence – The NCSC's framework for protective DNS, mail check, web check, and early warning systems that actively defend against cyber threats rather than simply reacting to them.

Secure by Design – Building security into products and services from the ground up rather than bolting it on later. This approach reduces vulnerabilities and creates more resilient systems.

These approaches represent the MOD's expectation that cyber security becomes fundamental to how defence suppliers operate, embedded in everything from product development to daily operations.

Why Early Adoption Matters

Many prime contractors are already requesting certification from their subcontractors ahead of any formal mandate. This creates adoption pressure across the entire supply chain.

Some prime contractors are requesting certification from their subcontractors, and individual contracts may specify DCC as a requirement, making it valuable to understand the scheme and your readiness to pursue certification if needed. Certification takes time. Understanding the requirements now means you can respond quickly if a contract opportunity specifies DCC.

Practically, early adoption also positions you to respond quickly when contract opportunities begin factoring DCC into their evaluation criteria. Prime contractors are already asking subcontractors about their certification status during procurement discussions, signalling that the commercial landscape is shifting ahead of any formal mandate.

According to Thales' 2024 Data Threat Report, 93% of organisations in the critical national infrastructure sector observed an increase in cyber-attacks in 2024. The threat environment continues to worsen. Getting ahead of certification requirements means building genuine resilience, not just meeting compliance obligations.

Cascade This to Your Subcontractors

The MOD letter explicitly asks that you cascade this information to all defence subcontractors within your supply chain. If you work with other suppliers on MOD contracts, they need to know these requirements apply to them too.

Your certification doesn't insulate you if your subcontractors present security weaknesses. The defence supply chain is only as strong as its weakest link.

Getting Support

If you don't have a dedicated in-house cybersecurity team, preparing for DCC can feel overwhelming. Working with an experienced certification partner simplifies the process significantly.

Look for partners offering guidance at every stage, scoping support, policy and documentation advice, technical implementation assistance, and training programmes to embed security awareness across your teams.

The right partner translates technical jargon into actionable steps, provides templates and examples for policies, recommends appropriate tools and configurations, and helps you understand what good evidence looks like for each control. Certification bodies assess your compliance but cannot implement solutions. The scheme requires this separation to maintain assessment independence.

CyberSmart's Defence Readiness Package

CyberSmart is the UK's most trusted certification body, delivering more certifications than any other provider. Our Defence Readiness Package combines DCC and Cyber Essentials certification with year-round protection in a single purchase, eliminating the complexity of coordinating multiple certification bodies.

What sets us apart:

Rapid turnaround – Our experienced assessors move you through the certification process efficiently, understanding exactly what's required at each stage.

Pre-assessment preparation – We review your current cybersecurity posture and identify vulnerabilities or gaps before formal assessment, saving you time and avoiding failed attempts.

Expert Support – Utilise our team of cybersecurity experts for technical queries, guidance on preparing evidence for the Applicant Guide, and renewal advice throughout your certification journey.

Continuous protection and monitoring – We go beyond assessment day with continuous monitoring, actionable alerts, and regular compliance reporting to help maintain your cybersecurity posture year-round. This includes CyberSmart Active Protect for 24/7 protection and comprehensive asset management.

Integrated tools and training – Smart Policies provides trackable DCC-aligned governance policy creation and distribution, while CyberSmart Learn Lite delivers simple, easy-to-implement security awareness training that embeds best practices across your teams.

The Bottom Line

DCC provides defence suppliers with a clear framework for demonstrating cyber security competence. Some contracts already specify DCC as a requirement. The MOD encourages suppliers to understand the scheme and consider certification where appropriate to their defence work. Its message to industry is: "start seeking certification now…your proactive engagement and leadership are critical in continuing to safeguard the UK's defence and national security."

Don't wait for the mandate. Start now.

CyberSmart's Defence Readiness Package combines DCC and Cyber Essentials certification with year-round protection, continuous monitoring, and unlimited expert support. We help defence suppliers navigate the certification process from initial gap analysis through to successful assessment and ongoing compliance.

Download our DCC Playbook for a deeper look, and book a call with our team to get started on your DCC journey!

The top 6 challenges MSPs face with Cyber Essentials Plus

Challenges MSPs face with Cyber Essentials Plus

Regardless of your specialism, sector, or size, if you’re a managed service provider (MSP), chances are a customer will have asked you at some point to help them with their Cyber Essentials Plus certification. For many MSPs, it’s a regular job. But supporting customers to prepare for and pass Cyber Essentials Plus isn’t without its challenges.

As any MSP can attest, Cyber Essentials Plus audits can turn into a complicated round of remediations, resubmissions, and delays. However, it doesn’t have to be this way. Most of the time, Cyber Essentials complications are caused by easily avoidable mistakes. To help you and your clients experience smoother, faster audits, we’ve pulled together the six most common challenges MSPs face with Cyber Essentials Plus and how to avoid them.

1. Missing high-quality vulnerability management

In a time of tightened budgets, many MSPs use what they have or what they can find cheaply for vulnerability management. And that usually means an RMM tool or the least costly solution available. This might not sound like much of a problem. After all, isn’t it just good business sense to use what you have if it’ll do the job?

However, when it comes to a Cyber Essentials Plus audit, it does cause problems: RMMs or unapproved tools often don’t check for all the same vulnerabilities the CE+ audit looks for. So, when the Assessor runs their approved scan, new or higher-risk issues suddenly appear, even though the MSP thought everything was fine.

Or, to put it another way, it’s a bit like using your car’s dashboard gauges to check you’re roadworthy; the MOT test will still find things your dashboard never told you about.

Unexpected vulnerabilities discovered during audits trigger rapid, unplanned remediation tasks, resulting in delays, additional costs, and increased stress for both you and your customers.

What to do about it

Use approved, comprehensive vulnerability scanning tools like Qualys Guard, Nessus, or CyberSmart Vulnerability Manager. This not only makes for a smoother audit process; it also means your clients will benefit from a better level of year-round protection.

2. Device configuration errors

Many people go through life with devices configured to the default settings they came with. However, as well as posing a security risk, this is a sure-fire way for your clients to experience problems during a Cyber Essentials Plus audit.

Misconfigured devices or default settings, such as passwords, outdated .NET versions, or unused open ports, are some of the most common causes of audit failure. Plus, default settings and misconfigurations provide entry points for cybercriminals to exploit. Research from SOCRadar released in 2023 estimated that security misconfigurations are responsible for as much as 35% of all cyber incidents ever.

What to do about it

Look to standardise configurations across your client’s business using clearly documented baselines. The easiest way to do this is to use a tool that can automatically detect configuration issues, so you can address them as and when they arise, rather than working through all of them come audit time.

Alongside this, you should regularly audit client systems, removing default passwords and applying secure configuration standards, such as those from the Center for Internet Security.

3. BYOD and shadow IT

Bring Your Own Device (BYOD) has been a boon for businesses, especially since the COVID-19 pandemic. However, it’s not without security risks and can cause problems for Cyber Essentials audits. Personal devices often have less robust security measures than those configured and managed by businesses. What’s more, some research suggests that employees are less likely to engage in cyber secure behaviours when using personal devices (although other studies propose that the opposite is true).

Shadow IT poses many of the same problems for MSPs. Unmanaged or unlisted devices can lead to uncontrolled data leakage, malware infections, and exposure of sensitive data. Plus, when it comes to audit time, you’ll need every device used within the business to comply with Cyber Essentials controls, potentially adding remediation time, delays and costs.

What to do about it

Use solutions like CyberSmart Active Protect for Mobile, which offers privacy-first monitoring of personal devices, verifying compliance without infringing user privacy. Establish clear BYOD policies and regularly review asset registers. If technical solutions aren't available, MSPs may manually validate configurations through documented screenshots provided by users.

4. MFA on cloud accounts

MSPs and their customers often face issues fully rolling out multi-factor authentication (MFA) across all cloud-based accounts. Tracking this across your client base can prove a challenge, and, somewhat inevitably, some administrative accounts end up getting missed.

This is a problem for a couple of reasons. Firstly, a lack of MFA increases the likelihood of unauthorised account access and data breaches – particularly for administrative accounts, which have wide access privileges. Secondly, as MFA on administrative accounts is a Cyber Essentials requirement, they could fail their audit.

What to do about it

Enable MFA across all cloud-based administrative accounts, prioritising accounts with higher privileges. Clearly document your MFA implementation policies, regularly audit accounts, and provide users with practical support to simplify adoption.

5. Lack of account separation (users running as admin) or incorrectly configured JIT solutions

The importance of access control and account separation won’t be news to most MSPs. Nevertheless, it’s often something customers get wrong. Businesses commonly grant users permanent administrative privileges when they don’t need them. Or, even when they use just-in-time (JIT) privilege management, they configure it poorly.

Once again, this poses a couple of issues. Most importantly, permanent administrative rights significantly increase the chance of malware installation, unauthorised changes, and major incidents due to human error. Alongside this, it can lead to failed Cyber Essentials Plus audits.

What to do about it

Adopt the principle of 'just enough' privilege (providing the minimal required permissions for daily operations) rather than 'just in time' (temporary elevation for tasks). Cyber Essentials explicitly accepts ‘just enough’ approaches. Review Privileged Identity Management (PIM) and Privileged Access Management (PAM) configurations carefully to ensure compliance.

6. Industry-specific challenges

While Cyber Essentials Plus might be beneficial to just about every sector you can think of, the simplicity of the audit process can vary wildly based on industry. For example, clients in industries such as education, construction, or legal frequently use external contractors, temporary staff, or need to grant access to students.

This can dramatically complicate asset control and compliance. Worse still, it often introduces non-compliant devices into organisations, creating security risks and making your client less likely to pass their audit.

What to do about it

Maintain clear, documented asset registers, policies, and user agreements specifically designed for temporary or external users. IASME guidance provides specific information tailored for managing contractors, students, and single-person entities effectively within Cyber Essentials guidelines. MSPs should carefully define the compliance boundaries and regularly audit or confirm device security status with temporary or external personnel.

The challenges MSPs face with Cyber Essentials Plus aren’t insurmountable

Hopefully, your top takeaway from this blog is that the challenges you’re likely to face in leading clients through the Cyber Essentials Plus process aren’t insurmountable. With each challenge, proactive steps ahead of the audit can significantly simplify the Cyber Essentials Plus certification journey, giving you happier clients and stress-free staff.

CyberSmart Patch helps you reduce vulnerabilities by keeping third-party software up to date — without the hassle. Try it today.

Frequently asked questions

    1. Missing high-quality vulnerability management
    2. Device configuration errors
    3. BYOD and Shadow IT
    4. MFA on cloud accounts
    5. Lack of account separation
    6. Industry-specific challenges
  • Bring Your Own Device (BYOD) refers to the practice of employees using personal devices for work. This is usually a policy the business has implemented.

    Shadow IT on the other hand, refers to software, hardware, or cloud services used by employees for business purposes without the knowledge or approval of the company's IT department.

    However, both come with similar security risks and often make the Cyber Essentials Plus audit process more complicated.

  • CyberSmart offers a number of tools to help simplify the Cyber Essentials Plus audit process for MSPs and their clients.

    • CyberSmart Vulnerability Manager (CSVM) is an approved vulnerability scanner and checks for everything that the Cyber Essentials Plus audit covers, making for smoother audits and year-round protection.
    • CyberSmart Active Protect offers privacy-first monitoring of personal devices and year-round compliance with Cyber Essentials Controls.
    • CyberSmart Patch automates patch management for third party software, helping you to stay on top of vulnerabilities.
    • We're also the UK's leading provider of Cyber Essentials and Cyber Essentials Plus certifications.



6 key takeaways from the NCSC Annual Report 2025


The leaves are turning, there’s a chill in the air, and autumn is here in the UK. For the cybersecurity world, this means one thing: the National Cyber Security Centre’s annual review is about to drop. As in previous years, we’ve gone away, reviewed the report and stripped out the key points to save you the time. So, without further ado, here are our key takeaways from the NCSC Annual Report 2025.

1. The number of attacks on the UK has increased (again)

It’s rare to read a cybersecurity sector report with good news to share, but still, the NCSC’s findings make for alarming reading. The past 12 months have seen a significant rise in cyberattacks, with a 50% increase in highly and nationally significant attacks compared to the previous year.

Digging a little further into those numbers, the NCSC reported 204 “nationally significant” cyber incidents between September 2024 and August 2025. That’s significant because it’s the highest ever number, and it’s a huge increase (130%) from the previous year’s 89 incidents. In all, the NCSC received 1,727 incident tips in the period, with 429 of those classified as cyber incidents which required the agency’s support.

2. The biggest cyber threats to the UK

The report also tackles what the NCSC regards as the greatest threats to the UK’s cybersecurity, ranging from state-backed actors to artificial intelligence and large language models.

State actors

Given the geopolitical turmoil currently raging across the globe, it’s not a surprise to see crimes linked to a number of state-backed cybercriminals mentioned in the report. However, of more interest are the specific threats the NCSC has linked to each state.

  • China: The Flax Typhoon group, linked to several attacks on the UK
  • Russia: The Authentic Antics malware, which steals victims’ login details and tokens to enable long-term access to email accounts
  • Iran: Attempted attacks on US and UK critical national infrastructure (CNI) as part of the Iranian-Israeli conflict
  • North Korea: Fake IT worker scams, designed to funnel money from UK companies to the DPRK state

Ransomware

Ransomware remains one of the most acute threats to UK organisations. The NCSC highlights the retail attacks on Marks & Spencer and the Co-op as high-profile examples. However, the report stresses that while it might seem that retail has become a key target, in reality, most cybercriminals are sector agnostic, picking victims based on:

  • Who is most likely to pay a ransom
  • Who is most vulnerable to operational downtime
  • Who holds sensitive data that would cause significant harm to UK citizens if leaked

AI

You can read more about the specific threats and opportunities presented by AI in our blog on the subject. But, needless to say, the NCSC is very concerned about the use of AI, both by cybercriminals (particularly state-backed groups) to supercharge their attacks and by companies for everyday tasks. The latter presents a huge risk due to problems like slopsquatting and businesses unwittingly creating vulnerabilities through their use of LLMs and other tools.

Cyber proliferation

This is perhaps the most interesting of the threats discussed by the NCSC. Cybercrime has been going through a transition in recent years, from something largely practised in the margins by the highly tech-literate and cyber spies to a full-blown black market industry.

The rise of malware-as-a-service and DIY cybercrime has democratised hacking. No longer do cybercriminals need advanced coding skills or any real knowledge of how malware works to launch attacks. Instead, anyone can simply head to a dark-web marketplace and buy off-the-shelf malware and ransomware. This is a trend the NCSC expects to accelerate further over the next five years, particularly as regimes like the DPRK continue to back innovation among criminal groups.

Threats to critical national infrastructure

The cyber threat to the UK's critical national infrastructure (CNI) remains high. The NCSC notes the attacks by the DragonForce ransomware group (Co-op, Harrods, M&S) as the current most likely kind of attack. However, the report also notes that hacktivist activity has shifted to low-skilled attacks against operational technology.

3. It’s time to act

The report represents a real hardening in the rhetoric used by both the NCSC and the government more widely. The NCSC stresses the urgency for every organisation – big or small – to act now by making themselves harder to successfully attack.

Notably, this places the responsibility firmly with businesses themselves. As Richard Horne, the NCSC’s chief executive, put it, “cybersecurity is now a matter of business survival and national resilience”.

How should firms do this? Well, one of the key recommendations from the report is for businesses to ensure suppliers meet Cyber Essentials standards to reduce supply chain vulnerabilities. Alongside this, it also draws attention to the importance of cyber insurance (and the fact that it’s often included with Cyber Essentials). The report also urges businesses to use the NCSC’s free early warning service to keep on top of emerging cyber threats.

4. Cybersecurity must become a boardroom priority

Much like DSIT’s Cyber Security Breaches Survey earlier this year, the NCSC makes it clear that cyber risk management is now a boardroom priority and responsibility. In the past, many businesses treated cybersecurity as a task for technical teams with little in the way of board oversight or direction.

The report makes it clear that this has to change. Boards now need to take a proactive approach to cybersecurity, both in terms of setting strategy and oversight of technical teams. It’s also worth noting that it’s highly likely this will be formalised in the upcoming Cyber Security and Resilience Bill currently going through its last legislative stages.

5. High-profile attacks are a wake-up call for all businesses

When we look back on 2025 in years to come, it’ll almost certainly be remembered as the year societal attitudes to cybersecurity shifted. The attacks on Co-op, Harrods, M&S, Jaguar Land Rover and now rail operator LNER have awoken the public to the potentially crippling impact of large-scale cyberattacks.

The same is true for businesses. While the business community has made huge strides in cyber preparedness and how it treats security in recent years, the last few months have really brought home the importance of cybersecurity. As a result, the NCSC expects all organisations, no matter the sector or size, to treat cybersecurity as a priority going forward.

6. The UK government is taking action

Finally, the NCSC and the UK government as a whole have been spurred into action by the events of this year. Most notably, following the publication of the NCSC’s report, a ministerial letter has been sent to the CEOs (or leaders) of FTSE 350 companies. The letter outlines several things the UK government expects business leaders to do, including:

  • Make cyber risk a Board-level priority using the Cyber Governance Code of Practice
  • Require Cyber Essentials across your supply chain
  • Sign up for the NCSC’s Early Warning service

Where does that leave ordinary businesses?

Of course, not everyone has the resources of an FTSE 350 company. In fact, 90% of businesses in the UK don’t. However, that doesn’t mean that the NCSC’s findings don’t apply. Cybersecurity is everyone’s responsibility, so here are a few things any business can do.

  • Focus on the importance of ‘Cyber basics’ like phishing awareness, security training, and technical controls such as multi-factor authentication
  • Complete Cyber Essentials certification at a minimum, especially if you’re part of a larger supply chain
  • Sign up for free-to-use tools like the NCSC’s Early Warning and Takedown Services
  • Consider purchasing specialist cyber insurance (often included with Cyber Essentials), which can help you recover far quicker following a breach
  • Use the Cyber Governance Code of Practice to implement board-level responsibility for cybersecurity

For managed service providers, the onus is on you (and partners like CyberSmart) to help businesses understand and adopt a good cybersecurity baseline. It’s often overlooked how many of the high-profile cyber incidents we’ve seen in 2025 stem from breaches at smaller suppliers, and we all have a part to play in making the UK a safer place to live and do business.


Frequently asked questions

    • Cyber risk to the UK continues to increase (a 50% increase on 2024)
    • In the wake of high-profile attacks, cybersecurity must become a boardroom priority
    • The UK faces a wide range of threats, such as ransomware, state-backed actors, attacks on critical national infrastructure, cyber proliferation, and AI.
    • Businesses must require Cyber Essentials across their supply chain
    • The UK government is taking action, including sending a ministerial letter to FTSE 350 companies
  • The NCSC and UK government have shifted their rhetoric to demand action from businesses to build national cyber resilience. The government now expects UK businesses to make cybersecurity a board-level priority and take action to improve cybersecurity across their supply chain.

    • Focus on the importance of ‘Cyber basics’ like phishing awareness, security training, and technical controls such as multi-factor authentication
    • Complete Cyber Essentials certification at a minimum, especially if you’re part of a larger supply chain
    • Sign up for free-to-use tools like the NCSC’s Early Warning and Takedown Services
    • Consider purchasing specialist cyber insurance (often included with Cyber Essentials), which can help you recover far quicker following a breach
    • Use the Cyber Governance Code of Practice to implement board-level responsibility for cybersecurity

Press release: CyberSmart takes up post as NCRCG National Ambassador


With Cyber Security Awareness Month firmly underway, the National Cyber Resilience Centre Group (NCRCG) has proudly welcomed CyberSmart on board as a National Ambassador.

Funded and supported by the Home Office, policing and Ambassador business partners, NCRCG is bringing together all those who have a vital responsibility for combating cybercrime to help strengthen the cyber defences of small and medium-sized enterprises (SMEs). The organisation forms part of the Cyber Resilience Centre (CRC) network alongside nine regional and police-led Centres, which engage directly with the SMEs in their localities.

A leading cybersecurity specialist, CyberSmart is perfectly placed to join the ranks of NCRCG’s National Ambassador Programme. With over 1,000 Managed Service Providers (MSPs) and over 6,000 SME customers in the UK, it is primed to act as an enabler to this crucial sector within the digital economy. 

In partnering with NCRCG, CyberSmart will empower MSPs and SMEs around cyber resilience and signpost the support offered by the CRC network and the national technical authority, NCSC.  

SMEs are the backbone of the UK economy, making up around half of the turnover in the UK private sector. As a result, SMEs must be made aware of the need to protect themselves and the steps they can take, as well as the value of cybersecurity. CRCs provide vital resources and advice for SMEs, making cyber resilience accessible to everyone, even those with limited in-house IT resources or knowledge. 

As seasoned industry experts, CyberSmart will also be using its platform as a National Ambassador to share its wealth of cybersecurity knowledge and research with SMEs across the country, including through NCRCG’s CyberVersed podcast series.

Jamie Akhtar, CEO of CyberSmart, said:

“At CyberSmart, we’re proud to join NCRCG as National Ambassadors. Our mission to support, educate and empower UK SMEs, and the MSPs that serve them, on the importance of cybersecurity aligns with that of NCRCG. Whereas many advanced cybersecurity solutions primarily cater to enterprises, SMEs are often underserved, lacking affordable access and dedicated support, despite being major targets. Through initiatives like the UK government Cyber Essentials scheme, we’re able to help establish a baseline security standard for SMEs, which is crucial for supply chain integrity. As SMEs find themselves targeted more heavily by cybercriminals, it is essential that we educate and support these critical organisations.”

Joanna Goddard, Chief Experience Officer at NCRCG, said:

“CyberSmart is a fantastic asset to our National Ambassador cohort and, with the organisation’s links to Managed Service Providers in particular, will enable us to tap into a sector which plays a critical role in contributing to the UK’s cyber resilience. 

“Millions of small and medium-sized businesses across the country rely on the IT support and advice provided to them by their MSPs; however, many are still not benefiting from any cyber security support, which is a significant missing piece of the puzzle. It is therefore essential that we raise awareness amongst MSPs of the CRC network and where their customers can go for additional, police-backed help.

“We are so pleased to be working with CyberSmart on this and to be welcoming them on board at such an opportune moment in the cyber security calendar.”

9 patch management best practices every business should follow


It's 3 am on a Tuesday. Your phone buzzes with urgent alerts – systems are down and customers can't access their accounts. After a bit of investigating, it turns out the culprit is yesterday's "minor" security update that nobody thought needed testing. Sound familiar?

Patches are a bit like dental check-ups. You know they're essential for your health, but it’s always tempting to put them off until a more convenient time. Suddenly, months pass and you’re on the wrong end of a painful (and expensive) procedure.

Ignoring patches or failing to test them before installation can prove similarly costly. The good news is that, by following these nine patch management best practices, you can protect your systems and avoid the 3 am wake-up calls.

What is patch management?

Before we dive into patch management best practices, let's quickly clarify what we're talking about. 

Patch management is the process of distributing and applying updates to software, firmware, and drivers. Developers release these updates or “patches” to correct vulnerabilities or bugs in their systems and add new features to their products.

Patch management best practices

1. Stay up to date on device and software vulnerabilities

When it comes to patch management, knowledge is your first line of defence. After all, you can't patch what you don't know about.

Keep an eye on the latest cybersecurity threats and patch releases by:

  • Subscribing to vendor security bulletins
  • Monitoring vulnerability databases like the European Union Vulnerability Database
  • Following cybersecurity news and threat intelligence feeds
  • Maintaining an accurate inventory of all your assets

Create a detailed inventory of all hardware, software, endpoints, and connected devices. Full visibility is necessary to maintain consistent patch compliance across your tech stack.

2. Prioritise patches based on risk

Effective patch management starts with understanding which vulnerabilities pose the greatest threat to your business.

Start by categorising patches into three tiers based on their severity and the importance of the affected systems:

  • Critical – security patches that address actively exploited vulnerabilities
  • Important – updates that fix significant bugs or security issues
  • Optional – feature updates or minor improvements

For example, a critical patch for an internet-facing server handling customer data needs immediate attention. A similar patch for an isolated test machine can wait. Keep a record of your prioritisation decisions to justify your choices, if questioned, and provide valuable context for future patching cycles.

Between patches, monitor vendor announcements closely. Subscribe to security bulletins so you know when urgent patches are released.

3. Automate where possible

Automation transforms patch management from a burden to a background process. Modern patch management tools can:

  • Scan for missing patches
  • Schedule deployments
  • Alert you to critical vulnerabilities
  • Generate compliance reports

Resist the temptation to automate everything. Start with low-risk or routine patches, like antivirus definitions, then expand gradually as you build confidence in your automation tools.

4. Test patches before installation

Whether you deploy patches manually or automate the process, always test first. Start with a small pilot group of tech-savvy users who can spot and report issues before you roll out to everyone. 

For important updates to critical systems, patch management best practices recommend testing them first in a controlled environment. This doesn't have to be expensive. Simple virtualisations can help you create realistic test scenarios without breaking the bank. The key is to ensure it matches your production environment as closely as possible.

5. Make patch management routine

Without an established routine, patch management becomes a reactive rather than a controlled process.

Microsoft provides a great anchor point with Patch Tuesday (or Update Tuesday). It releases security updates and software patches on the second Tuesday of every month, providing a predictable schedule for deploying updates across your organisation.

But don’t stop there. Create dedicated maintenance windows to keep on top of updates. Maybe that's Sunday mornings for your servers, or Tuesday evenings for workstations. The key is consistency – when people know when updates are coming, they can plan around them.

6. Define responsibilities

A patch management process without clear ownership is like a ship without a captain. When there’s no clear chain of command, critical tasks get missed. 

Document who's responsible for each task, activity, and process. Define who:

  • Identifies and assesses new patches
  • Approves patches for testing
  • Conducts testing and validation
  • Manages deployment schedules
  • Handles emergency patching decisions
  • Documents the entire process
  • Keeps users informed about upcoming patches

Regular cybersecurity training ensures everyone understands not just their role in patching, but why it matters for overall security.

7. Look beyond software

Many businesses focus solely on operating systems and application patches while ignoring the foundation everything runs on – firmware and drivers. But these updates are just as critical as software patches.

Firmware

Firmware vulnerabilities can provide attackers with deep system access that persists through OS reinstalls. These vulnerabilities often go undetected by traditional security tools, making them a prime target for supply chain attacks.

Drivers

Driver updates are equally important. Outdated drivers don't just cause performance issues – they can contain security vulnerabilities that give attackers kernel-level access to your systems. Whether it's graphics drivers, network adapters, or printer drivers, keeping them current is essential for both security and stability.

Don't forget about third-party applications. Simply turning on Windows and Apple updates won’t protect you from the open-source and third-party vulnerabilities that account for up to 80% of the global total. Password managers are one example.

Incorporating firmware vulnerabilities and third-party applications into your patch management strategy ensures you don’t overlook these vital updates and leave your systems exposed.

8. Establish standard and emergency patching policies

Not every patch can wait for your next maintenance window. Having separate procedures for routine and emergency patching ensures you can respond quickly to emerging threats, without sacrificing control.

Your standard patching policy should cover:

  • Regular maintenance windows
  • Testing requirements
  • Approval processes
  • Communication protocols

Define clear triggers for emergency patching, such as active exploitation or zero-day vulnerabilities in internet-facing systems, and a deployment window. For example, within 48 hours of seeing the notification.

Document your procedures thoroughly. This should include who can authorise emergency patches and how to communicate urgent changes to affected users. 

Establishing clear emergency procedures is particularly important for critical vulnerabilities that include a risk of collateral damage to other assets.
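The tiering from practice 2, the Patch Tuesday anchor from practice 5 and the 48-hour emergency window above can be written down as a triage routine so that prioritisation decisions are consistent and recorded. This is an added example, not CyberSmart's own tooling; the asset names, patch IDs and dates are constructed, and the 14-day deadline for critical/high fixes is taken from the Cyber Essentials figure quoted in the FAQ below.

```python
"""Added example: a patch triage policy as code (assets, IDs and dates are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Tier(str, Enum):
    CRITICAL = "critical"    # security patch for an actively exploited flaw
    IMPORTANT = "important"  # fixes a significant bug or security issue
    OPTIONAL = "optional"    # feature update or minor improvement

@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    handles_customer_data: bool
    production: bool          # False for an isolated test machine

@dataclass(frozen=True)
class Patch:
    patch_id: str
    asset: Asset
    severity: str             # vendor rating: critical / high / medium / low
    security_fix: bool
    actively_exploited: bool  # active exploitation or a known zero-day

@dataclass(frozen=True)
class Decision:
    patch_id: str
    asset: str
    tier: Tier
    deadline: datetime
    reason: str               # the written record of the prioritisation decision

EMERGENCY_WINDOW = timedelta(hours=48)  # emergency patching window from the post
CE_WINDOW = timedelta(days=14)          # Cyber Essentials window for critical/high fixes

def second_tuesday(year: int, month: int) -> datetime:
    """Patch Tuesday: the second Tuesday of the month, at midnight."""
    first = datetime(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # Monday=0, so Tuesday=1
    return first + timedelta(days=days_to_tuesday + 7)

def next_maintenance_window(now: datetime) -> datetime:
    """The first Patch Tuesday strictly after `now`."""
    window = second_tuesday(now.year, now.month)
    if window <= now:
        year, month = (now.year + 1, 1) if now.month == 12 else (now.year, now.month + 1)
        window = second_tuesday(year, month)
    return window

def triage(patch: Patch, now: datetime) -> Decision:
    """Apply the tiering rules; return tier, deadline and a reason for the record."""
    a = patch.asset
    exposed = a.production and (a.internet_facing or a.handles_customer_data)
    if patch.security_fix and patch.actively_exploited:
        if exposed:  # emergency trigger: exploited flaw on an exposed production system
            return Decision(patch.patch_id, a.name, Tier.CRITICAL, now + EMERGENCY_WINDOW,
                            "actively exploited on an exposed production asset")
        # Same flaw on an isolated test machine: still critical, but it can wait for
        # the standard 14-day window instead of the 48-hour emergency process.
        return Decision(patch.patch_id, a.name, Tier.CRITICAL, now + CE_WINDOW,
                        "actively exploited, but the asset is isolated / non-production")
    if patch.security_fix and patch.severity in ("critical", "high"):
        return Decision(patch.patch_id, a.name, Tier.IMPORTANT, now + CE_WINDOW,
                        f"{patch.severity} security fix; 14-day Cyber Essentials window")
    if patch.security_fix:
        return Decision(patch.patch_id, a.name, Tier.IMPORTANT, next_maintenance_window(now),
                        f"{patch.severity} security fix; next maintenance window")
    return Decision(patch.patch_id, a.name, Tier.OPTIONAL, next_maintenance_window(now),
                    "feature update or minor improvement; next maintenance window")

def prioritise(patches, now: datetime) -> list:
    """Earliest deadline first, so the result reads as the patching to-do list."""
    return sorted((triage(p, now) for p in patches), key=lambda d: d.deadline)

# Constructed sample data: a Monday morning (3 Nov 2025) with four patches waiting.
EXAMPLE_NOW = datetime(2025, 11, 3, 9, 0)
WEB = Asset("web-portal-01", internet_facing=True, handles_customer_data=True, production=True)
LAB = Asset("lab-vm-07", internet_facing=False, handles_customer_data=False, production=False)
EXAMPLE_QUEUE = [
    Patch("os-fix-a", WEB, "critical", security_fix=True, actively_exploited=True),
    Patch("os-fix-a", LAB, "critical", security_fix=True, actively_exploited=True),
    Patch("app-fix-b", WEB, "high", security_fix=True, actively_exploited=False),
    Patch("feature-c", LAB, "low", security_fix=False, actively_exploited=False),
]

if __name__ == "__main__":
    for d in prioritise(EXAMPLE_QUEUE, EXAMPLE_NOW):
        print(f"{d.deadline:%Y-%m-%d %H:%M}  {d.tier.value:9}  {d.patch_id:10}  {d.asset:14}  {d.reason}")
```

The same exploited flaw lands at the top of the list for the customer-facing server but drops behind the routine feature update for the isolated lab machine, which is the "can wait" case described in practice 2.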

9. Implement a rollback plan

Even with the most thorough testing, patches can (occasionally) create unanticipated issues in your systems. A solid rollback plan helps you bypass potential complications and maintain system stability when things don't go as planned.

Your rollback plan should cover:

  • Clear rollback triggers – define what constitutes a failed patch
  • Communication plans – who needs to know about the rollback and when
  • Step-by-step procedures – document exactly how to reverse the patch
  • System backups – essential for data recovery and system restoration

Keep records of any rollbacks you perform. Understanding why patches failed helps prevent similar issues in future deployments.

From 3 am panic to proactive patch management

Implementing all of these patch management best practices in one go probably seems like a daunting prospect. The good news is you don’t have to.

Start small. Pick one or two best practices that address your biggest pain points and build from there. Remember, patch management isn't about achieving perfection once. It's about establishing consistent, controlled processes that keep your systems safe and stable day in, day out.


Frequently asked questions

  • Check your system's update settings. 

    On Windows, go to Settings > Update & Security > Windows Update. 

    On Mac, click the Apple menu > System Preferences > Software Update. 

    Most applications have an "About" or "Check for Updates" option in their menu. If you're managing multiple devices, consider using dedicated patch management software.

  • For critical security patches, aim to install them as soon as possible to minimise exposure. Install emergency patches within 48 hours of notification. Regular updates can follow your standard maintenance schedule.

  • Yes, patch management is one of the five key controls of Cyber Essentials. To achieve certification, you must ensure none of your software or devices run on unsupported versions and that you install updates within 14 days of release for critical or high-risk vulnerabilities.

  • While the core principles remain the same, the execution differs. Windows offers more granular control through Group Policy and tools like Windows Server Update Services (WSUS). Mac updates are typically managed through macOS Software Update or Mobile Device Management (MDM) solutions. Both require testing and staged rollouts, but Mac environments often have fewer compatibility issues due to Apple's tighter ecosystem.

  • Yes, significantly. iOS devices receive regular updates directly from Apple. Android is a little less predictable, with update availability depending on both Google and device manufacturers.

The impact of phishing on SMEs


When you think about business phishing attacks, what comes to mind?

Most people imagine a hooded hacker in a dark room draining the company bank account. But the true impact of phishing extends far beyond stolen funds. A single attack can have consequences that cascade through your entire organisation for weeks, months, or even years.

Charting the real impact of phishing

From costly productivity losses and regulatory fines to damaged customer relationships, phishing attacks strike at the very foundation of your business.

Financial consequences that compound quickly

The most obvious impact of phishing is theft. Once cybercriminals have tricked victims into handing over sensitive information, like bank account details, they can use it to steal company funds. But as scary as that thought is, the hidden expenses often dwarf these initial losses.

When phishing attacks take your systems down, productivity plummets. Employees can't access essential files, emails, or applications. You can’t process orders or service requests, and business grinds to a halt.

According to research on UK SME downtime, the median cost ranges from £1,800 for micro businesses to £15,000 for medium-large ones. So, a phishing attack that takes your systems offline for even half a day could cost you tens of thousands in lost productivity alone.

Then there are the recovery costs, which include:

  • Investigating the incident
  • Repairing or rebuilding your systems
  • Retrieving or recreating lost data
  • Upgrading your cyber defences
  • Regulatory fines
  • Legal fees

It all adds up. You may also have to pay a higher cybersecurity insurance premium following an attack, depending on your provider.

Learn how CyberSmart Phish can help your team spot phishing attempts before they cause harm

Reputational damage that erodes customer trust

Falling victim to a phishing attack can seriously harm your reputation. When customers discover that a phishing attack has compromised their personal data, trust evaporates almost instantly.

Among businesses that have experienced a cyberattack, 47% said they struggled to attract new business and 43% said they lost existing customers as a result.

Bad news spreads quickly. Negative reviews appear online, cautionary tales permeate through industry networks, and potential customers choose competitors they perceive as more secure. The impact on your brand persists long after you restore your systems and improve security.

Phishing attacks are particularly damaging to financial and professional services firms. Because these firms handle highly sensitive information, their clients expect the highest data privacy and security standards. A single breach can completely erode trust and destroy relationships you've built over years.

Regulatory repercussions that cost time and money

Under data privacy regulations like GDPR, you have a legal duty to protect personal data with “appropriate technical and organisational measures”. If you suffer a phishing attack and regulators determine that you didn’t have reasonable safeguards in place, you could face serious penalties. GDPR fines can reach up to €20 million or 4% of global annual turnover – whichever is higher.

The compliance impact of phishing is about more than financial penalties. Under GDPR, you have just 72 hours to report certain types of data breaches to regulators. But when you’re trying frantically to understand the full scope of an attack and contain the damage, this can fall through the cracks.

Lastly, regulators may decide to investigate a data breach – particularly if it resulted in the loss of sensitive information, affected a large number of people, or both. Investigations take time and can cause significant disruption.

7 phishing prevention tips to protect your business

1. Train employees to spot red flags

Your employees form your first and most important line of defence against phishing. Host regular cybersecurity awareness training sessions to teach them to spot red flags, like:

  • Urgent demands for action
  • Unexpected payment requests
  • Obvious spelling mistakes
  • Requests for sensitive information

2. Implement multi-factor authentication

Multi-factor authentication (MFA) provides added layers of security to sensitive accounts and documents. 

A skilled and determined hacker can crack even the strongest passwords. Reinforcing your defences with supplementary verification methods (like an authenticator app or one-time SMS code) helps to keep them at bay. Most cloud services – including Microsoft 365 and Google Workspace – offer MFA at no extra cost.

3. Verify requests through separate channels

One of the most effective defences against sophisticated phishing is surprisingly low-tech. If someone requests a payment change, bank transfer, or sensitive information via email, verify the request through a separate channel, for example by calling a colleague.

This simple step is particularly effective at stopping CEO fraud and spear phishing attempts by neutralising the attacker’s primary weapon – urgency and authority.

4. Enable email security

Most major email providers offer some level of phishing protection as standard. Gmail, Outlook, and other major email services have spam and phishing filters that flag malicious emails before they reach your inbox. 

Ensure you configure these features properly and install patches as soon as they’re available to protect against emerging phishing techniques.

5. Keep systems updated and patched

Outdated software provides easy entry points for attackers. Configure devices and software to update automatically to take the pressure off your team.

This simple step closes many vulnerabilities that phishing attacks attempt to exploit, such as outdated web browsers or unpatched email clients. Regular vulnerability management helps you identify and address these security gaps.

6. Control access and privileges

Not everyone in your organisation needs access to everything. Review who has access to financial accounts, administrative dashboards, customer databases, and other critical systems – updating permissions based on the principle of least privilege.

By restricting access rights, you limit the potential damage if someone falls victim to a phishing attack.

7. Create an incident response plan

It’s impossible to eliminate the threat of phishing attacks entirely. Whether it’s a momentary lack of concentration or a sophisticated scam that would fool the most diligent employee, someone will click a phishing link eventually.

To minimise the damage, create an incident response plan that outlines the steps employees should take if they fall victim to an attack. Make reporting easy and blame-free so employees feel comfortable sharing potential incidents immediately rather than worrying about getting in trouble.

Shield yourself from the impact of phishing

The impact of phishing reaches far beyond your bottom line – reputation, operations, and regulatory compliance are all at risk. The good news? Most attacks exploit simple gaps rather than sophisticated systems. 

Basic steps like employee training, multi-factor authentication, and strong email security can prevent most of these threats. By focusing on these fundamentals, you can dramatically reduce the impact of phishing and keep your business secure.

Want to give your people the skills to recognise phishing scams before they turn into breaches? Check out CyberSmart Learn, our cybersecurity focused learning management system.

Frequently asked questions

  • Email remains the most common communication tool, which makes it a tempting target. Automated phishing kits make it easy to launch large-scale campaigns, while AI tools now allow cybercriminals to create highly convincing, tailored emails at speed.

  • Quick action can limit financial and reputational damage associated with phishing attacks. If you or one of your employees falls victim to a phishing attack, you should:

    • Disconnect affected devices from the network
    • Reset compromised accounts with strong passwords and MFA
    • Alert your bank if payments are involved
    • Report the incident to the National Cyber Security Centre (NCSC) or Action Fraud

  • Look out for unusual account activity such as unexpected password resets, invoices with altered bank details, missing emails, or employees reporting suspicious login alerts. Sometimes customers may flag odd emails that appear to come from your domain — a strong indicator of a compromised account.

  • SMEs often have fewer dedicated cybersecurity resources, making them attractive to attackers. They also hold valuable assets: money, client data, supplier relationships, and intellectual property. Hackers see SMEs as low-hanging fruit compared to larger enterprises with stronger defences.

  • Professional services (law, accountancy, consultancy), construction, healthcare, and retail are frequent targets. In other words, industries that handle large payments, sensitive data, and are part of fast-moving supply chains.

What to do if you click on a phishing link

The bad news: you've just clicked on what might be a phishing link.

The good news: you're not alone, and you're not doomed. 

Nearly 1 billion phishing attacks hit inboxes in Q1 2025, and even IT professionals fall for them. The difference between a close call and a costly breach? What you do next.

  1. Document the incident
  2. Disconnect from the network 
  3. Don’t enter any credentials 
  4. Notify your IT team
  5. Scan your device for malware
  6. Change passwords where necessary
  7. Monitor company accounts and systems 

Disconnect from the network

If you suspect your device has been compromised, disconnect it from Wi-Fi or wired networks immediately. This helps prevent malware from spreading across company systems.

Do not enter any credentials

If the phishing site asks for login information or payment details, close the browser immediately. Never enter your company or financial credentials.

Notify your IT team

Report the incident to your internal IT department or cybersecurity team straight away. Include details like:

  • The exact URL (if you can access it safely)
  • How you received the link (email, text, social media)
  • What time you clicked it
  • Any information you might have entered

Under GDPR, you have 72 hours to report certain breaches. The UK's National Cyber Security Centre (NCSC) recommends reporting phishing attempts and suspicious emails to report@phishing.gov.uk.

Scan your device for malware

Run a company-approved antivirus or anti-malware scan. Follow the instructions provided by your IT team to ensure no malicious software remains.

Change passwords where necessary

If there’s any chance credentials were exposed, immediately change passwords for affected company accounts. IT may need to enforce a company-wide password reset following password best practices.

Monitor company accounts and systems

Keep an eye on any unusual activity in financial accounts, internal systems, or shared drives. Report anomalies immediately to IT.

Document the incident

Record the time, the link, and the steps you took to address the threat. This helps your security team investigate and prevent future attacks.

Protecting your company’s most vulnerable systems

After clicking a suspicious link at work, certain business systems need immediate attention to prevent widespread damage, such as:

Company email

Check your sent folder immediately. Phishing attacks often use compromised accounts to spread further. One compromised email can infect an entire organisation.

Financial systems

UK businesses lost £1.17 billion to fraud in 2024. If you've accessed any financial platforms recently, alert your finance team. They may need to implement additional security measures or freeze certain transactions.

Shared drives

Malware can spread through shared folders. Your IT team may need to isolate affected areas to prevent infection spreading.

Caught, but not hooked

Clicking a phishing link isn’t the end of the world – it’s what you do next that matters. Acting quickly, reporting to your IT team, and securing your accounts can turn a potential disaster into just a learning moment.

Frequently asked questions

  • The same principles apply: disconnect from networks, don't enter information, and contact IT. Smishing often targets banking credentials, so pay special attention to financial accounts.

  • On mobile devices and tablets, use Airplane mode for quick disconnection and check app permissions for suspicious additions. Be aware that mobile browsers often hide full URLs, making phishing sites harder to spot.

  • Don't open it. Note the file name and location, then run a full system scan. Your IT team may want to analyse the file in a safe environment.

  • Continue monitoring for at least 30 days. Some attacks lie dormant before activating, and criminals may wait before using stolen credentials.

  • Yes. Transparency helps protect your organisation. Most companies prefer honest reporting over hidden incidents that could escalate.

  • Spam is unwanted email, often selling products. Phishing specifically aims to steal information or install malware.

Stay secure and compliant with the new and improved CyberSmart Vulnerability Manager (CSVM)

Cyber threats don’t wait. And, for most small and medium-sized businesses, keeping on top of vulnerabilities can feel overwhelming. Too many tools are complex, full of jargon, or require a dedicated IT team you might not have.

That’s why we provide CyberSmart Vulnerability Manager (CSVM): to give you clear visibility, simple guidance, and the confidence that your business is protected and compliant.

Now, CSVM has been improved to deliver faster insights, greater accuracy, and an even smoother experience — making it easier than ever to stay in control of your cyber risks.

What’s improved in CSVM?

Faster updates

Your dashboard now refreshes multiple times per day, so you can see vulnerabilities sooner and act before they become problems.

Smoother experience

We’ve upgraded the platform to load faster and respond more smoothly, meaning you spend less time waiting and more time fixing what matters.

More accurate results

We’ve reduced false alarms and improved accuracy, so you can trust what you see and focus on the issues that really need attention.

Built-in support

You’re never on your own. Our team is here to help you with onboarding, reports, and any questions along the way.

Why this matters for your business

  • Stay compliant with confidence – CSVM supports frameworks like Cyber Essentials Plus, ISO 27001, and NIS2, with audit-ready reports at your fingertips.
  • Reduce risk without the jargon – Clear dashboards tell you what to fix and why, no IT expertise needed.
  • Save time and stress – Automated updates mean you don’t have to chase reports or scramble at audit time.
  • Grow safely – Whether you have a handful of devices or hundreds, CSVM scales with your business.

What’s next?

We’re continuing to invest in CSVM, with plans to expand patching coverage, add more automation, and provide even more resources to make staying secure simple and stress-free.

Ready to get started? Head over to our CSVM page, or get in touch to find out more.