Cyber essentials course

Colleges are Now Required to Obtain Cyber Essentials

The Education & Skills Funding Agency, alongside the Department for Education, has directed colleges and Special Post-16 Institutions (SPIs) to achieve Cyber Essentials, beginning this current academic year. In previous years colleges have only been required to conduct an annual IT Health Check, but this has now been replaced.

Colleges will have until the end of August 2025 to obtain Cyber Essentials certification, and must then maintain it annually.

What’s the impact on Colleges?

College IT leaders have now been given a clear mandate to deliver improvements to cyber security. For the first time, cyber security is a directly measurable compliance requirement for receiving government funding.

All too often we see that the education sector is understaffed and under-resourced. We regularly speak with college staff who are struggling to find enough hours in the working week to address “important but non-urgent” jobs. Routine maintenance in areas like patching and vulnerability management is frequently one of the first areas to fall behind as its time sensitivity is often underestimated.

Depending on the cyber security maturity level within the college, this new requirement from the ESFA may now force college leadership to reconsider how best to use their IT staffing, and where it might make sense to buy in support for some areas.

It is worth remembering that Cyber Essentials sets a non-negotiable timeline: systems must have all critical and high severity vulnerability fixes applied within 14 days of release. Colleges without automated tooling and an established vulnerability management programme will very likely struggle to deliver this.

The April 2025 update to Cyber Essentials (Willow) includes some clarifications that will particularly impact colleges. The most significant is that cloud services must now always be within scope for Cyber Essentials assessment. ANSecurity knows from our own college customers that colleges are extensive users of numerous SaaS platforms for both staff and students. Effective single sign-on, conditional access and MFA configuration will now be a requirement that colleges can’t delay. The UK’s National Cyber Security Centre is keen to see adoption rates for passwordless sign-in technology increase.

Colleges will often support BYOD which, if not carefully implemented, will make obtaining Cyber Essentials impossible. Cyber Essentials requires that student-owned devices with access to organisational data, networks or services are placed within scope of the assessment. Furthermore, the latest updates to Cyber Essentials have made clear that, to receive certification, colleges will be expected to show how they control these devices effectively and ensure compliance standards are maintained.

The most obvious place to start is with a Cyber Essentials Gap assessment. ANSecurity’s expert consultants have worked with many organisations, including schools and colleges, on Cyber Essentials projects. Our consultants understand the unique challenges faced by schools and colleges when meeting compliance requirements.

A typical Cyber Essentials engagement with ANSecurity will see one of our consultants assess the current level of compliance through interviews, technical tests and evidence gathering before producing a step-by-step action plan to certification success. This is an excellent starting point as it leaves the college’s IT team and leadership with a clear list of projects that must be delivered. Most importantly, this process encourages an open and supportive relationship where a named consultant can check in on the college’s journey, validate remediations as they happen and even deliver some of the more complex projects if that’s helpful.

ANSecurity can leverage and combine our vast experience of different authentication technologies and device management systems to deliver seamless BYOD implementations that surpass the security requirements of Cyber Essentials.

Furthermore, we can work with college staff to build and integrate effective vulnerability management programmes, making use of their existing technologies and licensing where possible. Colleges that are still establishing an effective vulnerability management programme may also find that our Managed-vulnerability-management service is the best way to make immediate progress with limited staffing.

