As an SME, you’re aware of the threat cyber criminals pose. You’re also aware of the kinds of cyber security threats you face, whether it’s malware or phishing attacks, or data breaches and thefts. However, how you prevent those attacks may not be as obvious – which is where Cyber Essentials comes in.

Cyber Essentials is a government-backed certification scheme designed to help protect organisations against a range of the most common threats. Cyber Essentials is made up of two tiers – Cyber Essentials and Cyber Essentials Plus.

As one of London’s top cyber security companies, we’ve been consulting on IT security in London for over a decade, and on Cyber Essentials since its inception. In this blog, we’ll cover the basic level and outline what it offers, and why you should be using it.

What is Cyber Essentials?

Cyber Essentials is a self-assessment certification that helps you to pinpoint areas of weakness in your cyber security, offering pointers to address basic flaws and improve protection. Through a series of questions, Cyber Essentials will assess five key areas of your IT setup, giving you a clear picture of your organisation's setup and risks. You may want to complete this alongside your cyber security consultancy, which can offer help and advice on areas you're unsure of.

The five areas are:

Firewall and internet gateways: Cyber Essentials expects you to have a robust firewall in place. It will need to be configured to provide adequate protection to your network. If you have a remote workforce or use flexible working, you will need to evaluate home routers (if you have provided them), and each laptop and PC will also require testing to make sure its firewall is set up correctly.

Secure configuration: This section assesses your common hardware – things like servers, laptops, PCs, and mobile phones. Often these items aren't secure when new. They typically contain pre-installed software that, if it's not removed or maintained properly, becomes a security risk. This section will also look at your passwords and their quality, ensuring that each user has a unique username and password to access the company's systems, and whether you're using MFA (you really should be!).

Patching and updates: This area looks at the software you're using on your machines to see how secure and up-to-date it is. If you're using a version of Windows that is no longer supported (e.g., Windows 7) then you won't pass. It's crucial that you use an operating system that is still supported, because the updates and patches provide security fixes in accordance with the latest best practice and known threats. The same applies to work and personal (when used for business) mobile phones – both Apple and Android – and to servers too.

Access: This control looks at the kind of access restrictions you have in place for various users, and who can access what kinds of data and information. It ensures that admin privileges are only given to users that need them, and applies to things like email accounts, hardware, and critical or sensitive information. Essentially, this control is trying to ensure that access to data is granted only to those who need it, reducing the risk of that data being lost or stolen.

Malware protection: This control ensures that every device in your organisation has anti-malware protection that is installed and configured correctly. It also checks that licences haven't expired (thus exposing the company to risk of attack) and that all devices are protected at the time of certification. This step is arguably the easiest to get right and one of the most crucial, given the rise and proliferation of malware threats.

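
To show what a first pass at these five areas looks like on a single Windows endpoint, here is an added, read-only baseline check script. It is an illustration written for this post, not the official Cyber Essentials questionnaire or any Nutbourne tooling, and it assumes a Windows 10/11 machine with Microsoft Defender, PowerShell 5.1 or later, and an administrator session. The "supported OS" test only catches releases older than Windows 10 (whose major version is below 10); the 30-day patch window and the local-admin headcount are assumed thresholds to tune to your own policy, and the script does not check release-level lifecycle dates.

```powershell
# Added example: baseline self-check for a Windows endpoint against the five
# Cyber Essentials control areas. Illustrative only; not official Cyber Essentials
# or Nutbourne code. Assumes Windows 10/11, Microsoft Defender, PowerShell 5.1+,
# and an elevated session. $findings collects anything needing attention.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Firewalls: every Windows Firewall profile (Domain, Private, Public) should be on.
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) { $findings.Add("Firewall: profile '$($_.Name)' is disabled") }
}

# 2. Secure configuration: every enabled local account must require a password,
#    and the built-in Guest account should remain disabled.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("Config: local account '$($_.Name)' does not require a password")
}
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add("Config: Guest account is enabled") }

# 3. Patching and updates: OS must be a supported release and patched recently.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$major = [int]($os.Version.Split('.')[0])
# Windows 7 (6.1) and 8.1 (6.3) report a major version below 10 and are out of support.
if ($major -lt 10) { $findings.Add("Patching: unsupported OS '$($os.Caption)' ($($os.Version))") }
# Assumed threshold: flag machines with no update installed in the last 30 days.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Patching: no update installed in the last 30 days")
}

# 4. Access control: list who holds local administrator rights so membership can be
#    compared against the people who actually need it.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
if ($admins.Count -gt 2) {   # assumed threshold; tune to your own admin policy
    $findings.Add("Access: $($admins.Count) members in local Administrators: $($admins -join ', ')")
}

# 5. Malware protection: Defender enabled, real-time protection on, signatures current.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add("Malware: antivirus is not enabled") }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Malware: real-time protection is off") }
if ($mp.AntivirusSignatureAge -gt 7)    { $findings.Add("Malware: signatures are $($mp.AntivirusSignatureAge) days old") }

# Report: an empty list means the machine passed every baseline check above.
if ($findings.Count -eq 0) {
    Write-Output "No findings: baseline checks passed on ${env:COMPUTERNAME}"
} else {
    Write-Output "Findings on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell prompt on each laptop, PC and server in scope; it changes nothing, it only reports. The findings map one-to-one onto the five control areas, so a clean run on every device is a reasonable sign that you are ready to answer the questionnaire, while each line of output points at the control that still needs work.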
If you're not certified under Cyber Essentials, we highly recommend it. It provides a sound level of security against cyber attacks, which is essential for modern businesses. Moreover, it provides a layer of trust and reassurance for you and for your clients – giving you a clear competitive advantage over those that aren't certified.

For more information on Cyber Security London, visit: www.nutbourne.com