Cyber Attacks Are Not Just a Big Business Problem
When major cyber attacks make the headlines, it is usually household names that dominate the coverage. The attacks on M&S, Harrods, and the Co-op in recent years demonstrated that even large organisations with substantial IT budgets are vulnerable. But here is the reality that often gets overlooked - small and medium-sized businesses are targeted just as frequently, and often more successfully, because they tend to have fewer defences in place.
The UK Government's Cyber Security Breaches Survey consistently finds that a significant proportion of businesses experience cyber attacks each year. For SMBs, a single successful attack can be devastating - not just financially, but in terms of lost customer trust, operational disruption, and regulatory consequences. The good news is that there is a clear, practical framework designed specifically to help businesses protect themselves against the most common threats. It is called Cyber Essentials.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that helps organisations of all sizes protect themselves against the most common cyber threats. Developed by the National Cyber Security Centre (NCSC), the scheme focuses on five key technical controls that, when implemented correctly, prevent the vast majority of commodity cyber attacks. It is not about achieving perfection - it is about getting the fundamentals right.
The scheme is administered by IASME, the official Cyber Essentials partner of the NCSC, and is recognised across government, industry, and the insurance sector as a baseline standard for cyber security hygiene.
Two Levels of Certification
The scheme offers two levels of certification, each with a different assessment approach.
Cyber Essentials
The standard Cyber Essentials certification is based on a self-assessment questionnaire. Your organisation completes a detailed questionnaire covering the five technical controls, which is then reviewed and verified by an accredited certification body. This level provides a solid foundation and is suitable for businesses that want to demonstrate their commitment to cyber security without the cost and complexity of an external audit. It is the entry point for most organisations and is often sufficient to meet supply chain requirements.
Cyber Essentials Plus
Cyber Essentials Plus builds on the standard certification with an independent, hands-on technical audit. An accredited assessor visits your organisation (or conducts a remote assessment) and tests your systems directly to verify that the five controls are properly implemented. This includes vulnerability scanning, configuration checks, and practical tests such as sending simulated phishing emails. Cyber Essentials Plus provides a higher level of assurance and is increasingly requested by larger organisations and government bodies as a supply chain requirement.
The Five Key Controls
At the heart of Cyber Essentials are five technical controls. Together, they address the most common attack vectors and provide a robust baseline for cyber security.
1. Firewalls
Firewalls act as the boundary between your internal network and the internet. The Cyber Essentials requirements ensure that your firewall is properly configured to block unauthorised access, that default passwords have been changed, and that only necessary network services are exposed to the internet. This applies both to hardware firewalls and security appliances at the network perimeter and to software firewalls on individual devices.
2. Secure Configuration
Computers and network devices are often shipped with default settings that prioritise ease of use over security. Secure configuration means removing unnecessary software, disabling unused features, and changing default credentials. The goal is to reduce the attack surface by ensuring that every device in your environment is configured with security in mind, not just convenience.
3. Access Control
Not every user in your organisation needs access to every system and data set. Access control ensures that user accounts are managed properly, with appropriate privileges assigned based on role. This includes enforcing strong passwords or multi-factor authentication, disabling accounts when staff leave, and ensuring that administrative accounts are only used for administrative tasks. The principle of least privilege - giving users only the access they need to do their job - is central to this control.
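The checks described for this control can be run over an account inventory before you fill in the questionnaire. The script below is an added example written for this article; it is not a tool from the scheme, IASME or Coffee Cup Solutions. It assumes a constructed account list, a hypothetical role-to-privilege policy (`ADMIN_ROLES`) and an HR leaving date, and flags leaver accounts still enabled, admin rights not justified by role, privileged accounts without MFA, and admin accounts used for day-to-day work.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Account:
    username: str
    role: str                 # job role, e.g. "finance" or "it-admin"
    is_admin: bool            # holds administrative privileges
    mfa_enabled: bool         # multi-factor authentication enforced
    enabled: bool             # account can still sign in
    daily_use: bool = False   # used for email/browsing, not only admin tasks
    left_on: Optional[date] = None  # leaving date from HR; None if still employed

# Hypothetical policy (an assumption for this example): only these roles
# may legitimately hold administrative rights.
ADMIN_ROLES = {"it-admin"}

def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every access-control gap found."""
    findings = []
    for a in accounts:
        if a.left_on is not None and a.left_on <= today and a.enabled:
            findings.append((a.username, "leaver account still enabled"))
        if a.is_admin and a.role not in ADMIN_ROLES:
            findings.append((a.username, "admin rights not justified by role"))
        if a.is_admin and a.enabled and not a.mfa_enabled:
            findings.append((a.username, "privileged account without MFA"))
        if a.is_admin and a.daily_use:
            findings.append((a.username, "admin account used for day-to-day work"))
    return findings

# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", False, True, True),
    Account("bob", "it-admin", True, True, True),
    Account("carol", "it-admin", True, False, True, daily_use=True),
    Account("dave", "sales", True, True, True),
    Account("erin", "marketing", False, False, True, left_on=date(2024, 5, 1)),
]

def run_sample() -> List[Tuple[str, str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, today=date(2024, 6, 1))

if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

In a real environment the inventory would be exported from your directory (for example a CSV of users and group memberships) and joined with the leavers list from HR; the point of the script is that each of the questionnaire's access-control questions maps to a check you can automate and re-run before annual recertification.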
4. Malware Protection
Every device that connects to your network needs protection against malware. This can be achieved through anti-malware software, application whitelisting, or sandboxing, depending on the device and operating system. The key requirement is that malware protection is active, up to date, and configured to scan files automatically. For most businesses, a modern endpoint detection and response (EDR) solution provides the best combination of protection and visibility.
5. Patch Management
Unpatched software is one of the most exploited attack vectors in cyber security. The Cyber Essentials scheme requires that all software and operating systems are kept up to date with security patches applied within 14 days of release. This includes not just Windows and macOS updates, but also third-party applications like web browsers, PDF readers, and business software. A robust patch management process is essential for closing the vulnerabilities that attackers actively target.
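The 14-day window is a concrete number you can measure against. The script below is an added example for this article, not a tool from the scheme or from Coffee Cup Solutions; it assumes a constructed patch inventory (host, software, patch release date, install date if installed) and classifies each record as compliant, pending (inside the window, not yet installed), late (installed after the window) or overdue (not installed and the window has passed). A patch installed exactly on the fourteenth day is treated as compliant.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)  # deadline stated in the article

@dataclass
class PatchRecord:
    host: str
    software: str
    patch_id: str                 # constructed placeholder identifier
    released_on: date             # vendor release date of the security patch
    installed_on: Optional[date]  # None if not yet installed on this host

def classify(record: PatchRecord, today: date) -> str:
    """Classify one host/patch pair against the 14-day window."""
    deadline = record.released_on + PATCH_WINDOW
    if record.installed_on is None:
        return "overdue" if today > deadline else "pending"
    return "late" if record.installed_on > deadline else "compliant"

def patch_report(records: List[PatchRecord], today: date) -> Tuple[Dict[str, int], List[str]]:
    """Return a status count and the sorted list of hosts with overdue patches."""
    summary = {"compliant": 0, "pending": 0, "late": 0, "overdue": 0}
    overdue_hosts = set()
    for r in records:
        status = classify(r, today)
        summary[status] += 1
        if status == "overdue":
            overdue_hosts.add(r.host)
    return summary, sorted(overdue_hosts)

# Constructed sample inventory (hosts, patch ids and dates are made up).
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "Browser", "PATCH-EXAMPLE-1", date(2024, 6, 1), date(2024, 6, 10)),
    PatchRecord("ws-02", "Browser", "PATCH-EXAMPLE-1", date(2024, 6, 1), date(2024, 6, 20)),
    PatchRecord("ws-03", "PDF reader", "PATCH-EXAMPLE-2", date(2024, 6, 1), None),
    PatchRecord("ws-04", "OS", "PATCH-EXAMPLE-3", date(2024, 6, 25), None),
    PatchRecord("ws-05", "OS", "PATCH-EXAMPLE-4", date(2024, 6, 15), date(2024, 6, 29)),
]

def run_sample() -> Tuple[Dict[str, int], List[str]]:
    return patch_report(SAMPLE_RECORDS, today=date(2024, 6, 30))

if __name__ == "__main__":
    summary, overdue = run_sample()
    print(summary)
    print("hosts with overdue patches:", overdue)
```

The "late" category is worth keeping separate from "overdue": a late patch is no longer a live exposure, but a pattern of late installs shows the process is not meeting the standard even when the current snapshot looks clean.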
Why Certification Matters for Your Business
Implementing the five controls is valuable in its own right, but formal certification delivers additional benefits that make the investment worthwhile.
Government Contracts
Since 2014, Cyber Essentials certification has been a mandatory requirement for any organisation bidding for UK government contracts that involve handling sensitive or personal information. In practice, the requirement is applied more broadly than this, and many government buyers now expect Cyber Essentials as a minimum for all suppliers. If your business works with the public sector or aspires to, certification is not optional - it is a prerequisite.
Insurance Requirements
Cyber insurance is becoming increasingly important, and insurers are becoming more demanding about the security controls they expect policyholders to have in place. Many cyber insurance providers now ask whether your organisation holds Cyber Essentials certification as part of the underwriting process. Holding certification can lead to reduced premiums and better coverage terms, while a lack of basic controls may result in higher costs or exclusions.
Supply Chain Confidence
Larger organisations are increasingly scrutinising the security posture of their suppliers. Cyber Essentials certification provides a recognised, independent verification that your business takes security seriously. It is a straightforward way to demonstrate compliance without lengthy security questionnaires or bespoke audits. For SMBs looking to win business with enterprise clients, certification can be the differentiator that tips the balance in your favour.
Customer Confidence
In an environment where data breaches regularly make the news, customers are more aware of cyber security than ever before. Displaying the Cyber Essentials badge on your website and marketing materials sends a clear message that you take the protection of their data seriously. It builds trust and sets you apart from competitors who cannot demonstrate the same commitment.
Competitive Advantage for SMBs
Many small and medium-sized businesses assume that cyber security certifications are only relevant to larger organisations. The opposite is true. Because fewer SMBs hold certification, those that do stand out. It demonstrates professionalism, maturity, and a proactive approach to risk management - qualities that clients and partners value highly.
The Certification Process
Achieving Cyber Essentials certification is designed to be accessible for businesses of all sizes. Here is what to expect.
Step 1 - Assess Your Current Position
Before starting the formal certification process, it is worth conducting an honest security assessment of where your organisation currently stands against the five controls. This helps identify any gaps that need to be addressed before you submit your application. Common areas that require attention include outdated operating systems, inconsistent patch management, overly broad user permissions, and missing multi-factor authentication.
Step 2 - Remediate Any Gaps
Based on your assessment, address any shortcomings. This might involve updating software, tightening firewall rules, reviewing user access, deploying endpoint protection, or establishing a formal patching schedule. The scope of work varies depending on your starting point, but for most well-managed businesses, the remediation required is manageable.
Step 3 - Complete the Assessment
For standard Cyber Essentials, you complete the online self-assessment questionnaire through the IASME portal. The questions are detailed but straightforward if you have done the preparation work. For Cyber Essentials Plus, an accredited assessor conducts the hands-on technical audit, testing your systems against the requirements. The assessment typically takes one to two days depending on the size and complexity of your environment.
Step 4 - Maintain Your Certification
Cyber Essentials certification is valid for 12 months and needs to be renewed annually. This is not just a bureaucratic exercise - it ensures that your security controls remain current and effective as your business and the threat landscape evolve. Annual recertification also provides a regular checkpoint to review and improve your security posture.
How Coffee Cup Solutions Can Help
At Coffee Cup Solutions, we hold Cyber Essentials Plus certification ourselves - so we understand the process from the inside. We help UK businesses achieve and maintain certification through a structured, supportive approach.
Gap assessment - We evaluate your current security posture against the five controls and provide a clear report on what needs to change.
Remediation support - Our team implements the technical changes required to meet the standard, from firewall configuration to patch management and access control policies.
Application and submission - We guide you through the self-assessment questionnaire or coordinate the Cyber Essentials Plus audit, ensuring a smooth process with no surprises.
Ongoing support - Security is not a one-off project. We provide continuous monitoring, patch management, and annual recertification support to keep your business protected year-round.
Whether you are starting from scratch or looking to upgrade from Cyber Essentials to Cyber Essentials Plus, our team can guide you through every step. Learn more about our Cyber Essentials certification support or get in touch for a free initial assessment and find out how close your business is to certification.