
Cyber Essentials: What It Is, What It Costs, and Why Your Business Needs It

  • Jeremy Ross
  • Jun 17
  • 4 min read

There's a common assumption in UK businesses that cyber security is something large companies worry about. Big budgets, big targets, big problems.

That assumption is wrong — and expensive.

The majority of cyber attacks hitting UK businesses right now aren't targeting household names. They're automated, indiscriminate, and looking for whoever's easiest to get into. Small businesses, professional services firms, manufacturers, charities. If you're connected to the internet and your defences are weak, you're a target.

Cyber Essentials is the UK government's answer to that problem. And it's a lot more straightforward than most people expect.

What Is Cyber Essentials?

Cyber Essentials is a government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It defines five fundamental security controls that every organisation should have in place — and certifies that you've actually got them.

It's not the most advanced security framework in existence. It's not trying to be. It's the baseline. The minimum standard that every UK business should be meeting, regardless of size or sector.

The NCSC estimates that getting these five controls right would prevent around 80% of common cyber attacks. Not because the controls are sophisticated — but because most attacks aren't either. They're exploiting basic, preventable weaknesses. Cyber Essentials closes those gaps.

The Five Controls

1. Firewalls
Your network needs a properly configured boundary defence between itself and the internet. Default router settings and home-grade kit don't pass the check. A business-grade firewall, correctly configured, is the starting point.

2. Secure configuration
Devices and software need to be set up securely from day one. Default passwords changed. Unnecessary features switched off. Software that nobody's using removed. The principle is simple: don't leave doors open that don't need to be open.

3. User access control
People should only have access to what they actually need to do their job. Admin privileges should be limited and used only when necessary. If someone only needs to send emails and update spreadsheets, they don't need system administrator rights.

4. Malware protection
You need active defences against malicious software — whether that's endpoint protection, application controls, or both. The goal is to stop malware running in the first place, and to catch it fast if it does.

5. Patch management
Software updates exist because vulnerabilities get discovered and fixed. Attackers know about those vulnerabilities too — and they move fast. Keeping your operating systems and high-risk applications (browsers, email clients, Office) up to date is non-negotiable.

Cyber Essentials vs Cyber Essentials Plus

There are two levels, and the difference matters.

Cyber Essentials is a self-assessment. You work through a detailed questionnaire about your IT systems and security controls, which gets reviewed and verified by an accredited certifying body. If your controls are actually in place, it's a manageable process. If they're not, you'll find out quickly.

Cyber Essentials Plus adds independent verification. A qualified assessor tests your systems directly — not just reviewing what you've said, but checking that it's true. It takes more time and costs more, but it carries considerably more weight. If you're working with larger clients, handling sensitive data, or operating in regulated sectors, Plus is often expected.

For most small and medium businesses, standard Cyber Essentials is the right starting point. You can always move to Plus once the foundations are solid.

Do You Actually Need It?

Possibly more than you think.

Government contracts. If you want to bid for UK public sector work involving sensitive information or technical services, Cyber Essentials is mandatory. Full stop.

Cyber insurance. Insurers are tightening their requirements. Some now ask specifically about Cyber Essentials as part of the application process — and certified businesses often get better terms.

Client and supply chain requirements. Larger organisations increasingly ask their suppliers to demonstrate basic security standards. Having the certificate answers that question before it's asked.

Due diligence on record. If something does go wrong, having Cyber Essentials certification shows you took reasonable, documented steps to protect yourself. That matters for insurance claims, regulatory investigations, and client relationships.

It actually works. This isn't a box-ticking exercise with nothing behind it. The five controls are practical, proven, and genuinely effective against the kinds of attacks that are actually happening.

What Does the Cyber Essentials Check Involve?

The assessment is built around a questionnaire that covers your IT setup in detail — your devices, your network configuration, your software, your access controls, and your patching processes.

The questions are specific. "We have antivirus" isn't enough — you need to be able to show it's configured correctly, up to date, and covering all the right devices.

This is where preparation matters. Going into the Cyber Essentials check without having done the groundwork first is how businesses end up failing assessments they could have passed. A proper gap assessment beforehand — looking at what you've got, what's missing, and what needs fixing — makes the whole process considerably less stressful.

How Long Does It Take?

For a business that has its IT in reasonable shape, a few weeks from start to Cyber Essentials certificate is realistic. The assessment itself is the quick part. Getting your controls properly in place and documented is where the time goes.

That timeline compresses significantly when you're working with an IT provider who knows the requirements and can sort the gaps before you go anywhere near the formal assessment.

The Bottom Line

Cyber Essentials isn't a silver bullet, and it doesn't replace a full security strategy. But it's the most accessible, practical, and credible security baseline available to UK businesses — backed by the government, recognised by insurers and procurement teams, and genuinely effective at stopping the attacks that are actually targeting businesses like yours.

If you haven't got it yet, the question isn't whether you need it. It's why you haven't done it already.

Talk to First Contact

We help businesses across Greater Manchester get Cyber Essentials-ready — assessing your current setup, identifying gaps, and making sure your controls are properly configured before you go near the certification process.

No failed assessments. No nasty surprises. Just a clear path to the certificate.


Interdata Ltd T/A First Contact
141a Bury New Road,
Whitefield,
Manchester,
M45 6AA

Limited Company Number: 4705700

VAT Number: 812637538

Tel: 0161 740 7400


© 2025 Interdata Ltd T/A First Contact | Website by Red Saturn
