Cyber Essentials Ready

A growing construction company based in Berkshire with around 80 employees across office staff, site managers, and field workers was increasingly being asked to demonstrate formal cyber security credentials when tendering for larger contracts. Several recent bids had been unsuccessful specifically because the firm could not provide evidence of Cyber Essentials certification - a requirement that was becoming standard among local authorities and tier-one contractors. Internally, the company had no dedicated IT security resource and limited knowledge of formal security frameworks. There were no documented security policies, password management was inconsistent, personal devices were used for work email without any controls, and the firewall configuration had not been reviewed since installation three years earlier. Software updates were applied sporadically, and several machines were running outdated operating systems. The company recognised that beyond the commercial necessity of certification, they had a genuine exposure to cyber threats that needed addressing before an incident occurred.

Coffee Cup Solutions delivered a structured six-week programme to take the company from an unmanaged security posture to full Cyber Essentials certification. We began with a thorough gap analysis in week one, auditing every device, user account, network component, and software application against the five key Cyber Essentials controls - firewalls, secure configuration, user access control, malware protection, and patch management. The audit identified 47 individual gaps that needed to be addressed. Over the following four weeks, our engineers worked methodically through the remediation plan. We replaced the outdated firewall with a managed next-generation firewall appliance with intrusion detection, configured proper network segmentation to separate office and guest traffic, and implemented a centralised patch management solution to ensure all Windows devices received updates promptly. Every user account was reviewed - dormant accounts for former employees were removed, admin privileges were restricted to only those who genuinely required them, and multi-factor authentication was rolled out across Microsoft 365 and all remote access points. We deployed a managed endpoint protection solution across all devices, including the laptops used by site managers in the field. We also created a suite of security policies covering acceptable use, password requirements, incident response, and remote working. To ensure lasting change, we delivered in-person security awareness training to all staff, covering phishing identification, password best practices, and safe handling of sensitive data. In the final week, we conducted an internal pre-assessment to confirm readiness before guiding the company through the official Cyber Essentials self-assessment questionnaire and certification submission.