Week Ahead: Cyber Essentials v3.3 Goes Live Tomorrow and Your Certification Just Got Harder

This week we pulled DNS apart. Piece by piece, from five different angles, across six days of content.

If you missed any of it, here is the full series.

This Week’s DNS Series

Monday: It Is Always DNS, Except When It Isn’t covered the podcast episode discussion: what DNS actually does, why it gets blamed for everything, and the five-step troubleshooting sequence that saves hours.

Tuesday: DNS Security Threats Are Not Theoretical examined cache poisoning, rogue resolvers, and the 706,000 BIND 9 instances exposed to attack in 2025. The deep dive on why DNS security matters for small businesses.

Wednesday: The NCSC Built Protective DNS for Government saw Mauven analyse the gap between public and private sector DNS protection and what the NCSC’s published guidance means for SMBs.

Thursday: The Five Step DNS Troubleshooting Guide from Graham laid out the practical sequence with specific commands for Windows and macOS. Print it, pin it up, use it.

Friday: The Accountancy Firm That Blamed DNS for Three Weeks was Lucy’s composite case study showing what happens when a compromised router goes undetected because everyone assumed the problem was DNS.

Saturday: Stop Blaming DNS and Start Understanding Your Own Network was the opinion piece arguing that DNS misdiagnosis is really a symptom of a bigger problem: most UK small businesses do not understand their own infrastructure.

Three Things to Do This Weekend

If this week’s content has prompted any action at all, here are three things you can do before Monday.

One: log in to your router. Check the admin credentials. Check the DNS settings. Check the firmware version. If you cannot do this, that is the first problem to fix. Write down what you find.

Two: switch to a protective DNS resolver: Quad9 (9.9.9.9) or Cloudflare (1.1.1.2). Change the setting on your router so all devices inherit it. Takes five minutes. Costs nothing.

Three: print the five-step troubleshooting card. The five steps: another device, another network, check resolver, clear cache, compare IPs. Put it where IT issues get reported. Next time someone says “must be DNS,” hand them the card.
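
To confirm that a device really did inherit the resolver change from step Two, the following added example (not from the original article) audits the resolver list a device is using. It assumes a Linux or macOS resolv.conf-style file; the function names, labels and sample text are this example's own.

```python
import ipaddress

# Resolver addresses named in the article; labels and verdict names are this example's own.
PROTECTIVE = {"9.9.9.9": "Quad9", "1.1.1.2": "Cloudflare"}

# Constructed sample: a laptop that kept a manually added fallback resolver.
SAMPLE_MIXED = """\
# constructed example
nameserver 9.9.9.9
nameserver 8.8.8.8   ; leftover manual entry
"""

def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(addr):
    """Label one resolver address."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return "invalid"
    if str(ip) in PROTECTIVE:
        return "protective"
    if ip.is_loopback:
        return "local-stub"        # e.g. a caching stub on the device itself
    if ip.is_private or ip.is_link_local:
        return "router-forwarder"  # device asks the router; upstream is set there
    return "other-public"

def audit(text):
    """Return (per-server labels, overall verdict) for one device's resolver list."""
    labelled = [(s, classify(s)) for s in parse_nameservers(text)]
    kinds = {kind for _, kind in labelled}
    if not labelled:
        verdict = "no-resolver-configured"
    elif kinds & {"other-public", "invalid"}:
        verdict = "bypass-possible"   # some lookups can skip the filtering resolver
    elif kinds == {"protective"}:
        verdict = "protected"
    else:
        verdict = "check-upstream"    # confirm the router or stub forwards to a protective resolver
    return labelled, verdict

if __name__ == "__main__":
    print(audit(SAMPLE_MIXED))
```

A "check-upstream" verdict is the expected result on most office devices, because they ask the router; it means the router's own DNS setting is the one to verify.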

Next Week: Cyber Essentials v3.3 Goes Live

Tomorrow, Monday 27 April, Cyber Essentials v3.3 takes effect. Every new assessment account created from that date will be evaluated against the updated Requirements for IT Infrastructure, using the new Danzell question set.

This is not a cosmetic refresh. For the first time in the scheme’s history, the assessment includes auto-fail questions.

MFA is now mandatory on every cloud service that supports it. If MFA is available and not enabled for all users, the assessment automatically fails. This applies whether MFA is free, bundled, or only available as a paid upgrade. The availability triggers the requirement, not the cost.

Critical patches must be applied within 14 days. Two new auto-fail questions cover operating systems, router and firewall firmware, and applications. Miss the 14-day window for a critical update and you fail the entire assessment.

Cloud services cannot be excluded from scope. A formal definition has been introduced for the first time. If a cloud service stores or processes your business data, it is in scope. No exceptions.

CE Plus gets tougher. Assessors will resample random devices on retest to catch selective patching. Self-assessment responses can no longer be adjusted after CE Plus testing begins.

Only around 35,000 UK organisations currently hold Cyber Essentials certification, out of approximately 5.5 million businesses. Those with certification are 92% less likely to make a cyber insurance claim. The scheme works. The standard just got stricter. And the evidence says that is the right direction.

We will be covering every aspect of the v3.3 changes across next week’s content, from the MFA auto-fail rule in detail to a practical compliance checklist and a case study of what happens when shadow cloud services catch a business unprepared.

New podcast episode drops Monday. Follow the show so you do not miss it.

How to Turn This Into a Competitive Advantage

If you acted on this week’s DNS content, you are already ahead. A documented DNS configuration, a protective resolver, and a structured troubleshooting process put you in a stronger position than the vast majority of UK SMBs.

Next week’s Cyber Essentials content will extend that advantage further. Understanding the v3.3 requirements before your competitors do gives you time to prepare properly and certify with confidence.

How to Sell This to Your Board

The DNS improvements from this week are low cost, high impact, and immediately demonstrable. Protective DNS costs nothing at the basic tier. A documented troubleshooting process saves measurable hours per incident. Router credential and firmware hygiene reduces a known attack surface.

Present the week’s actions as a completed security improvement: cost incurred versus risk reduced. That is the language boards understand.

What This Means for Your Business

  1. Review what you implemented this week. If you changed DNS resolvers, documented your router settings, or printed the troubleshooting card, verify everything is in place and working as expected.

  2. Brief your team. Share the five-step troubleshooting sequence with anyone who handles IT issues. A five-minute conversation now saves hours of wasted debugging later.

  3. Prepare for next week. If you hold Cyber Essentials certification or are considering it, gather your current certificate details, your cloud service list, and your MFA status across all platforms. You will need this context for next week’s content on the v3.3 changes.

Sources

NCSC: Protective DNS for the private sector
NCSC: Small Business Guide
IASME: Important Update: Changes to Cyber Essentials for April 2026
NCSC: Cyber Essentials Resources
GOV.UK: Cyber Essentials Management Information
DSIT / GOV.UK: Cyber Security Breaches Survey 2025
