Cyber Essentials is the UK government's baseline cybersecurity standard, backed by the NCSC (National Cyber Security Centre).
It defines five technical controls that, when properly implemented, protect against the vast majority of common cyber attacks — including the opportunistic, automated attacks that affect most businesses.
Certification demonstrates that your organisation has taken meaningful steps to secure its IT infrastructure.
Many public sector contracts, insurance policies and supply chain agreements now require it.
It is not a guarantee against all attacks, but it closes the most commonly exploited gaps.
A boundary firewall acts as a security checkpoint between your business network and the internet. It controls what connections are allowed in and out, and blocks everything that hasn't been explicitly permitted. Without it, your network is directly accessible to anyone on the internet.
We ensure every internet connection passes through a properly configured firewall with a default-deny inbound policy — only specifically approved traffic is permitted through. All default passwords are changed before deployment, every open port has a documented business justification, and firewall rules are reviewed regularly to remove anything no longer needed.
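The three checks described above (a default-deny inbound policy, a documented business justification for every open port, and periodic review to remove stale rules) can be run against a firewall rule export as a simple script. The following is an added example, not the page's own tooling: the rule set, the field names (`port`, `proto`, `justification`, `last_reviewed`) and the 90-day review interval are all assumptions constructed for illustration, not any real firewall's export format or a figure Cyber Essentials specifies.

```python
"""Boundary firewall rule audit (added example, not the page's own code).

Checks the three things the control asks for: a default-deny inbound policy,
a documented business justification for every open port, and periodic review
so rules that are no longer needed get removed.
"""
from datetime import date

# Assumed review cadence; Cyber Essentials says "regularly" but sets no number.
REVIEW_INTERVAL_DAYS = 90

# Constructed sample data (not from any real firewall).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_POLICY = {"inbound_default": "deny"}
SAMPLE_RULES = [
    {"port": 443, "proto": "tcp", "justification": "Public HTTPS for customer portal",
     "last_reviewed": date(2024, 5, 1)},
    # Open management port with no justification recorded.
    {"port": 3389, "proto": "tcp", "justification": "",
     "last_reviewed": date(2024, 5, 1)},
    # Justified, but not reviewed for well over a year.
    {"port": 22, "proto": "tcp", "justification": "SFTP for payroll provider",
     "last_reviewed": date(2023, 1, 15)},
]


def audit_firewall(policy, rules, today):
    """Return a list of human-readable findings; an empty list means the rule set passes."""
    findings = []
    if policy.get("inbound_default") != "deny":
        findings.append("POLICY: inbound default is not deny; anything not explicitly blocked is exposed")
    for rule in rules:
        label = f"{rule['proto']}/{rule['port']}"
        if not rule.get("justification", "").strip():
            findings.append(f"{label}: open port has no documented business justification")
        age_days = (today - rule["last_reviewed"]).days
        if age_days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{label}: last reviewed {age_days} days ago; confirm it is still needed or remove it")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_POLICY, SAMPLE_RULES, SAMPLE_TODAY):
        print(finding)
```

Run against the sample data this reports two findings: the unjustified tcp/3389 rule and the tcp/22 rule that has not been reviewed for over 500 days; switching the policy to a default-allow inbound adds a third, policy-level finding.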
Automated tools scan millions of IP addresses every hour looking for unprotected systems. An unguarded network can be found and probed within minutes of going online. Open management ports, unprotected services and default credentials are all trivially exploitable once a boundary firewall is absent or misconfigured.
A small accountancy firm in the Midlands had their server directly accessible from the internet after a router was misconfigured during a routine maintenance visit. Automated scanning tools found the exposed management port within 48 hours. Over the following two weeks, 18 months of client financial records were exfiltrated before the breach was discovered during a routine review.
Every device and piece of software ships with default settings designed for ease of use, not security. Default passwords, unnecessary services running in the background, features enabled that no one uses — these all create attack opportunities. Secure configuration means hardening every device before it goes into your environment.
We follow a hardening checklist for every device deployment: default accounts removed, default passwords changed, unnecessary services and protocols disabled, AutoRun turned off, screen lock enforced. We maintain a full software asset register, ensure all software is properly licensed, and eliminate any end-of-life products that no longer receive security updates.
Default credentials are publicly documented by manufacturers and well-known to attackers. Search engines like Shodan index millions of internet-connected devices still running on factory settings. Unnecessary services and protocols create additional entry points. End-of-life software with no security patches is a permanent, unfixable vulnerability.
A regional estate agency was breached after a new VoIP phone system was installed without changing the manufacturer's default admin password — a password publicly listed in the product manual on the manufacturer's website. An attacker logged in remotely, used the phone system as a foothold on the network, and deployed ransomware six hours later. The firm lost access to all client records and correspondence for nine days.
Software vulnerabilities are discovered every day. When a weakness is found, the vendor releases a security update to fix it — but only organisations that apply the fix are protected. Cyber Essentials requires all high and critical security updates to be applied within 14 days of release, covering operating systems, applications, and firmware.
We implement automated patch management covering operating systems, all installed applications, browser extensions, frameworks, and network device firmware. Critical and high-severity updates — those with a CVSS score of 7.0 or above — are applied within the 14-day window required by Cyber Essentials. We maintain full visibility of patch status across every device and receive alerts for anything falling behind.
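The 14-day window and the CVSS 7.0 threshold quoted above translate directly into a compliance check over a patch inventory. The script below is an added example, not the page's own patch-management tooling: the advisory identifiers are labelled placeholders rather than real CVE numbers, and the advisory list, device inventory and field names are constructed assumptions.

```python
"""Patch-window compliance check (added example, not the page's own code).

Cyber Essentials requires high and critical updates (CVSS v3 base score 7.0 or
above) to be applied within 14 days of release. Given a list of vendor
advisories and, per device, the set of advisories already installed, this
reports which mandatory updates are missing and how long they have been open.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14      # Cyber Essentials deadline for high/critical updates
SEVERITY_THRESHOLD = 7.0    # CVSS v3 base score at which the 14-day clock applies

# Constructed advisories. The IDs are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "cvss": 9.8, "released": date(2024, 5, 1)},
    {"id": "ADV-EXAMPLE-002", "cvss": 7.5, "released": date(2024, 5, 20)},
    {"id": "ADV-EXAMPLE-003", "cvss": 5.3, "released": date(2024, 4, 1)},
]
# Constructed device inventory: device name -> advisories already installed.
SAMPLE_DEVICES = {
    "laptop-01": {"ADV-EXAMPLE-001", "ADV-EXAMPLE-002"},
    "server-01": {"ADV-EXAMPLE-002"},
    "fw-01": set(),
}
SAMPLE_TODAY = date(2024, 6, 1)


def overdue_patches(advisories, installed, today):
    """Return (advisory id, days since release) for mandatory updates missing past the window."""
    overdue = []
    for adv in advisories:
        if adv["cvss"] < SEVERITY_THRESHOLD:
            continue  # below threshold: recommended, but no fixed deadline under Cyber Essentials
        if adv["id"] in installed:
            continue
        days_open = (today - adv["released"]).days
        if days_open > PATCH_WINDOW_DAYS:
            overdue.append((adv["id"], days_open))
    return overdue


def compliance_report(advisories, devices, today):
    """Map each device to its list of overdue mandatory updates."""
    return {name: overdue_patches(advisories, installed, today)
            for name, installed in devices.items()}


def noncompliant_devices(advisories, devices, today):
    """Sorted names of devices with at least one overdue mandatory update."""
    report = compliance_report(advisories, devices, today)
    return sorted(name for name, missing in report.items() if missing)


if __name__ == "__main__":
    for name, missing in compliance_report(SAMPLE_ADVISORIES, SAMPLE_DEVICES, SAMPLE_TODAY).items():
        status = "OK" if not missing else ", ".join(f"{i} ({d} days)" for i, d in missing)
        print(f"{name}: {status}")
```

On the sample data the firewall is missing both high-severity advisories, but only the one released 31 days ago counts as overdue; the one released 12 days ago is still inside the window, and the medium-severity advisory is ignored by the check entirely. Feeding the script a real inventory export is what turns the 14-day requirement into an alert rather than a line in a policy document.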
Once a vulnerability is publicly disclosed, exploit tools often appear within days. Automated scanners probe networks for known unpatched systems at scale. A system that was safe on Monday can be actively exploited by Wednesday. The longer a critical patch goes unapplied, the more widely available the exploit becomes — and the more attackers are using it.
The WannaCry ransomware attack in May 2017 infected over 230,000 computers in 150 countries, causing billions of pounds of damage and severely disrupting NHS services across the UK. The underlying Windows vulnerability it exploited had a published security patch available for two months before the attack. Every organisation that had applied the patch was completely unaffected. Those that hadn't applied it faced days of disruption, lost data, and in the NHS's case, cancelled appointments and diverted ambulances.
User access control covers two things: what accounts can access, and how they're protected. Users should only have the permissions they need for their current role — no more. And every account, especially those accessing cloud services, should be protected with multi-factor authentication (MFA) so a stolen password alone isn't enough to break in.
We enforce MFA on all cloud services without exception — under the latest Cyber Essentials requirements, failing to do so where MFA is available is an automatic failure. We apply least-privilege access so every user has only what their current role requires, create separate administrator accounts for IT tasks, remove access on the day someone leaves, and conduct regular access reviews to catch accumulated permissions.
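The access-review conditions listed above can be expressed as a check over a directory export: cloud accounts without MFA, leavers whose accounts are still enabled, and everyday user accounts that hold admin rights instead of using a separate administrator account. This is an added example rather than the page's own process; the account records, user names and field names are constructed assumptions, not the format of any particular identity provider.

```python
"""Account access review (added example, not the page's own code).

Flags the conditions the user access control is concerned with:
  - a cloud account without MFA (an automatic Cyber Essentials failure
    where MFA is available),
  - an account still enabled on or after its holder's leaving date,
  - an everyday user account that carries admin rights, instead of a
    separate administrator account used only for IT tasks.
"""
from datetime import date

SAMPLE_TODAY = date(2024, 6, 1)

# Constructed directory export with placeholder user names.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "type": "user", "enabled": True, "cloud": True, "mfa": True,
     "admin": False, "left": None},
    # Cloud account with MFA never enabled.
    {"user": "bob", "type": "user", "enabled": True, "cloud": True, "mfa": False,
     "admin": False, "left": None},
    # Everyday account that also holds admin rights.
    {"user": "carol", "type": "user", "enabled": True, "cloud": True, "mfa": True,
     "admin": True, "left": None},
    # Separate admin account: admin rights here are expected.
    {"user": "carol-admin", "type": "admin", "enabled": True, "cloud": False, "mfa": True,
     "admin": True, "left": None},
    # Left three weeks ago, account never disabled.
    {"user": "dave", "type": "user", "enabled": True, "cloud": True, "mfa": True,
     "admin": False, "left": date(2024, 5, 10)},
    # Left and correctly disabled: no finding.
    {"user": "erin", "type": "user", "enabled": False, "cloud": True, "mfa": True,
     "admin": False, "left": date(2024, 4, 2)},
]


def review_accounts(accounts, today):
    """Return (user, issue) pairs; an empty list means the export passes."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        left = acct["left"]
        if acct["enabled"] and left is not None and left <= today:
            findings.append((user, "leaver account still enabled"))
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used, so the remaining checks do not apply
        if acct["cloud"] and not acct["mfa"]:
            findings.append((user, "cloud account without MFA"))
        if acct["type"] == "user" and acct["admin"]:
            findings.append((user, "everyday account holds admin rights; use a separate admin account"))
    return findings


if __name__ == "__main__":
    for user, issue in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{user}: {issue}")
```

The leaver check is deliberately evaluated against the leaving date, not the review date, so that an account that should have been removed "on the day someone leaves" shows up even if the review runs weeks later.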
Stolen or guessed credentials are involved in the vast majority of data breaches. Without MFA, a password obtained through phishing, a data breach on another site, or simple guessing gives an attacker immediate full access. Accounts with excessive permissions amplify the damage — one compromised account with admin rights can affect every system in the organisation.
A financial services firm's office manager received a convincing phishing email and entered their Microsoft 365 credentials on a fake login page. With no MFA in place, attackers immediately had full access to the company's email, Teams conversations, SharePoint files and customer records. Over the following three weeks they monitored all communications, waited for the right moment, and intercepted a legitimate payment instruction — diverting £34,000 to a fraudulent account before the fraud was detected.
Malware — ransomware, viruses, spyware, trojans — can arrive via email attachments, malicious downloads, compromised websites, or USB drives. Anti-malware software monitors for known malicious files and behaviours and blocks them before they can execute. Under Cyber Essentials it must be centrally managed, kept up to date, and configured so users cannot disable it.
We deploy enterprise anti-malware to every device, managed from a central console that gives us visibility of coverage and alerts on any devices where protection is not active. Real-time scanning is enabled and locked via policy so users cannot disable or bypass it. DNS filtering blocks connections to known malicious domains before they can load. We also enforce application controls to prevent unauthorised software from executing.
Ransomware has become the dominant cyber threat to UK businesses of all sizes. A single malicious file opened by one employee — often disguised as an invoice, delivery notification or shared document — can encrypt every file on every device connected to the network within hours. Recovery without recent offline backups frequently means paying the ransom or losing the data permanently.
A 14-person construction firm opened what appeared to be a routine invoice PDF from a regular supplier — the supplier's email account had been compromised by attackers. The PDF contained ransomware. Within three hours, every file on the company's server and all six connected laptops was encrypted. Files included contracts, drawings, project records and client correspondence going back eight years. The ransom demand was £45,000 in Bitcoin. Without adequate backups, they paid.