In the UK, more than 80% of cyber-attacks on businesses could have been prevented by implementing basic security controls. To address this issue, the government introduced the Cyber Essentials Certification scheme in 2014. The scheme, run by the National Cyber Security Centre (NCSC), is a government-backed and industry-supported initiative aimed at helping businesses combat common cyber threats by implementing basic security controls. Industry support for the Cyber Essentials (CE) scheme was strong at launch, with backing from organizations such as the Federation of Small Businesses, the CBI, and several insurance companies that offered incentives to businesses. Since its inception, the scheme has awarded over 120,000 certificates to a range of organizations, including businesses, charities, and educational institutions.


As of 1 October 2014, suppliers bidding for contracts that involve handling sensitive information must be Cyber Essentials certified. Ensuring the integrity of government information not only protects against potential breaches but can also provide a competitive edge when competing for public sector tenders. By obtaining certification, businesses demonstrate their commitment to cybersecurity. Although the CE scheme focuses only on the fundamentals of cybersecurity, it offers tremendous benefits to those who become certified. By following the scheme’s guidelines, businesses can prevent the vast majority of cyberattacks.


CE has five key controls that businesses need to adhere to. These are:

  • Firewalls (boundary firewalls and Internet gateways)
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management (security update management)


Firewalls are crucial in preventing unauthorized access to private networks; however, their effectiveness depends on correct configuration. By using boundary firewalls and Internet gateways, you can control access to your systems and limit users to the specific areas they need. Antivirus software protects against viruses and other malware, while firewalls safeguard against threats arriving from outside the network. As with the other controls, the level of protection a firewall provides can be tuned, above all through the rules that govern which traffic it allows in and out.
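As an added example (not code from the original article), the small Python audit below checks a constructed firewall rule set against the firewall control's core principle: inbound traffic is denied by default, and every inbound allow rule is narrowly scoped and carries a documented business justification. The `Rule` class, the `ADMIN_PORTS` set and the sample rules are assumptions made for illustration.

```python
"""Audit a firewall rule table for Cyber Essentials-style hygiene.

Checks: a final catch-all inbound deny exists, no inbound rule allows
any source to any port, administrative ports are not open to any source,
and every inbound allow rule has a recorded justification.
"""
from dataclasses import dataclass

# Illustrative set of remote-administration ports (assumption, not from the page).
ADMIN_PORTS = {"22", "23", "445", "3389"}


@dataclass
class Rule:
    direction: str        # "in" or "out"
    action: str           # "allow" or "deny"
    src: str              # CIDR or "any"
    dst_port: str         # port number or "any"
    justification: str = ""


def audit_rules(rules):
    """Return a list of findings; an empty list means the rule set passes."""
    findings = []
    inbound = [r for r in rules if r.direction == "in"]
    last = inbound[-1] if inbound else None
    # Default deny: the inbound chain must end with deny any -> any.
    if last is None or not (last.action == "deny" and last.src == "any"
                            and last.dst_port == "any"):
        findings.append("no default-deny inbound rule at end of chain")
    for i, r in enumerate(inbound):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst_port == "any":
            findings.append(f"rule {i}: allows any source to any port")
        if not r.justification.strip():
            findings.append(f"rule {i}: inbound allow without documented justification")
        if r.dst_port in ADMIN_PORTS and r.src == "any":
            findings.append(f"rule {i}: admin port {r.dst_port} open to any source")
    return findings


# Constructed sample rule set with typical mistakes (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    Rule("in", "allow", "any", "443", "Public web service"),
    Rule("in", "allow", "any", "3389", ""),                    # RDP open to all, unjustified
    Rule("in", "allow", "203.0.113.0/24", "22", "Admin SSH from office"),
    Rule("in", "allow", "any", "any", "temporary"),            # any-to-any allow
    Rule("out", "allow", "any", "any", "Outbound traffic"),
]                                                              # no default deny at the end

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```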


Proper configuration of web and application servers is critical to cybersecurity, and failure to manage server configuration leads to a range of security issues. Computers and network devices should be configured to minimize vulnerabilities and to provide only the services that are actually needed, so that unauthorized actions are prevented. Done properly, each device exposes only the minimum it needs to the Internet. Regular scans help identify insecurely configured areas that could otherwise be exploited.


Minimizing access to data and services is critical for cybersecurity, because it prevents unauthorized access to sensitive information. Attackers aim to gain administrator rights in order to break into applications and reach confidential data, and handing administrator rights to multiple users for convenience creates exactly that opportunity. Special access privileges and user accounts should therefore be assigned only to authorized individuals. These accounts must be managed effectively and grant the minimum level of access each person needs to applications, computers, and networks.


Safeguarding your business from malicious software is crucial, as malware will attempt to reach sensitive files on your systems. Malware can wreak havoc by stealing confidential information, damaging files, and denying access until a ransom is paid. Putting measures in place to defend against the full range of malware is imperative to protect your computers, your privacy, and your critical documents.


Technical vulnerabilities are a common weakness in all devices and software. Cybercriminals are quick to exploit any vulnerability that is discovered and shared publicly, and they can do so wherever operating systems and third-party applications have not been properly patched or updated. Updating software and operating systems is essential to fix these known weaknesses, and it is crucial to act quickly to close any opening that could be used to gain unauthorized access.


There are four main steps to becoming CE certified:

  • Complete the self-assessment questionnaire online at your own pace
  • Confirm compliance of your company’s IT systems with the 5 essential cyber security controls
  • Provide assurance of protection against the most common cyber-attacks to a certification body
  • Successful organizations then receive a certificate and a CE branding package

On average, small businesses take around 2 weeks to complete their Cyber Essentials assessment. Once the assessment is submitted, it typically takes about 3 days for the certification body to provide a response. If the assessment is satisfactory and all requirements are met, the business will be awarded the Cyber Essentials certification.


The scheme offers two levels of certification: CE and CE Plus.

The standard CE certification involves an online self-assessment, while the CE Plus certification requires a more thorough on-premises verification in addition to the self-assessment. SMEs may find that the standard certification is sufficient for their needs, but larger businesses or those seeking to demonstrate their cybersecurity measures to clients, insurers, and professional bodies may want to consider the added assurance provided by CE Plus.


I can offer you a seamless journey to Cyber Essentials or Cyber Essentials Plus certification. With over 20 years of experience in cybersecurity and supporting businesses in London with their IT, I realize that data protection is what makes SMEs tick. Get in touch today and let’s get you on the path to certification – and success.
