
What is Cyber Essentials and why does my business need it?

Yann News 11 minutes

Cyber attacks come in many shapes and sizes, but the vast majority are very basic and carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.

All businesses hold and access some form of data. This can include confidential client information, employee data, suppliers' information, customer marketing records, and so on.

Cyber Essentials is a simple but effective, government-backed scheme that will help you protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

Working towards certification will also help your business understand how to improve its cyber security in general.

Here are 4 reasons why you need to have Cyber Essentials:

Protection – Cyber attacks are on the rise, your staff may not be as aware of cyber security as they should be, and with threats changing all the time it is hard to keep them up to date. Without basic technical controls in place, your data is exposed to opportunistic criminals. The five Cyber Essentials controls are designed to stop exactly those attacks and are commonly cited as preventing around 80% of the most common cyber attacks. The scheme gives businesses a strong base from which to reduce the risk from these prevalent, but unskilled, attacks.

Assurance – Achieving Cyber Essentials certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and have controls in place to protect information, which gives them more confidence that they can trust you and encourages them to work with you.

Compliance – You are legally required to protect the personal data you hold, including data about current and former clients and customers. The General Data Protection Regulation (GDPR), in force since May 2018 and retained in the UK as the UK GDPR alongside the Data Protection Act 2018, requires you to have appropriate technical measures in place to protect that data and to be able to demonstrate them. Cyber Essentials does not make you GDPR compliant on its own, but its five controls are a recognised baseline for the technical measures the regulation expects.

Opportunity – Achieving Cyber Essentials allows you to bid for contracts that involve handling sensitive information or providing certain technical services. The UK Government has set an example for UK businesses by requiring it of its own suppliers, highlighting the importance of a secure supply chain. Not only does this defend the integrity of government information, it can give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials is fast becoming a prerequisite for doing business because the certification provides third-party assurance of a company's cyber security.

Use a firewall to secure your network

Purpose: To ensure only the safe and required network services of an organisation can be accessed from external networks.

Under the Cyber Essentials scheme, every in-scope device must be protected by a firewall: a boundary firewall at the point where the organisation's network meets the internet, a host-based (software) firewall on the device itself, or both. A firewall filters network connections by address, port and direction, so that only the services you have deliberately decided to expose are reachable from the internet and everything else is blocked by default. It is not the same thing as a demilitarised zone (DMZ): a DMZ is a separately segmented network for internet-facing servers that a firewall can be used to build, not something every firewall creates. Nor does a firewall detect viruses or other malware; it controls which connections are allowed, and malware detection is the job of the separate anti-malware control described below.

This applies to all kinds of devices, including desktops, laptops, servers, routers, and any personally owned devices (BYOD) that are used to access the organisation's data or services.
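As an added example (not part of the Cyber Essentials scheme material or of this article), the following Python audits which services a Linux host actually exposes to the network and renders a default-deny inbound nftables ruleset that permits only the approved ones. The `ss -tulnp` output and the allowlist are constructed for the example; on a real host you would feed it the live output of `ss`.

```python
"""Exposed-service audit plus a default-deny nftables ruleset.

Added example. Parses the output format of `ss -tulnp` (Linux), keeps only
sockets bound to a non-loopback address, and reports any not on the approved
list. The sample output and the allowlist below are constructed for the example.
"""
import re

# Constructed sample of `ss -tulnp` on a small web server.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1410,fd=11))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=650,fd=5))
"""

# (protocol, port) pairs the organisation has a documented need to expose. Assumed.
ALLOWED_EXTERNAL = {("tcp", 22), ("tcp", 443)}

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss(output):
    """Yield (proto, bind_address, port, process) for each socket line."""
    for line in output.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")     # handles "[::]:22" as well as "0.0.0.0:22"
        match = re.search(r'\("([^"]+)"', line)   # process name inside users:(("name",...))
        yield proto, addr, int(port), (match.group(1) if match else "?")


def exposed_services(output, allowed=ALLOWED_EXTERNAL):
    """Return sockets reachable from other hosts that are not on the allowlist."""
    findings = []
    for proto, addr, port, process in parse_ss(output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue                              # loopback-only: not reachable from the network
        if (proto, port) not in allowed:
            findings.append({"proto": proto, "port": port, "bind": addr, "process": process})
    return findings


def nft_ruleset(allowed=ALLOWED_EXTERNAL):
    """Render a default-deny inbound nftables ruleset permitting only the allowlist."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state invalid drop",
        "    ct state established,related accept",
        "    meta l4proto { icmp, ipv6-icmp } accept   # keep ping and IPv6 neighbour discovery working",
    ]
    for proto in ("tcp", "udp"):
        ports = sorted(p for pr, p in allowed if pr == proto)
        if ports:
            lines.append(f"    {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"NOT ALLOWED: {f['proto']}/{f['port']} bound to {f['bind']} ({f['process']})")
    print(nft_ruleset())
```

On the sample data the audit flags RDP (tcp/3389) and mDNS (udp/5353), both bound to every interface, while PostgreSQL and chrony are ignored because they listen on loopback only. The generated ruleset is the "boundary" half of the control: everything inbound is dropped unless it is a reply to an outbound connection or one of the two approved ports.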

Make use of secure settings and passwords

Purpose: To ensure that all devices are properly configured to reduce vulnerabilities.

Most hardware and software have default configurations so you can easily start using them after you buy them. However, many default settings are well known to attackers and provide them with a point of entry into your systems.

That's why the second requirement of Cyber Essentials, secure configuration, is to remove what you do not need and change what you do: remove or disable unused accounts and software, change every default password, disable auto-run, and lock devices when they are unattended. Varonis' 2019 Risk Report found that 61% of companies have over 500 accounts with non-expiring passwords; note, however, that current NCSC guidance is against forcing regular password changes, which push users towards weaker, predictable passwords. Cyber Essentials instead requires passwords of at least 8 characters backed by a deny list of common passwords (or at least 12 characters without one), protection against brute-force guessing such as throttling or account lockout, and multi-factor authentication for cloud services where it is available.

This requirement applies to web servers, email servers, software and applications, routers, firewalls, desktops, laptops, and personal devices.
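As an added example (not the scheme's own material or code from this article), the following Python applies the two password-related parts of the secure-configuration control: a policy check that rejects short, common and vendor-default passwords, and a per-account throttle that limits guessing. The thresholds (8 characters with a deny list, no more than 10 guesses per 5 minutes) follow the Cyber Essentials password requirements as the editor reads them; the deny list and default-credential list are short constructed stand-ins for a real list such as the NCSC's published common-password list.

```python
"""Password policy check and guess throttling for the secure-configuration control.

Added example. The thresholds (at least 8 characters when a deny list is in use,
no more than 10 guesses per 5 minutes per account) follow the Cyber Essentials
password requirements as the editor reads them; the deny list and default
credential list here are short constructed stand-ins for a real list such as the
NCSC's published common-password list.
"""
import time
from collections import deque

MIN_LENGTH = 8

# Constructed stand-in for a real common-password deny list.
DENY_LIST = {"password", "qwerty", "letmein", "welcome", "admin", "changeme", "123456789", "iloveyou"}

# Constructed: (username, password) pairs that ship as vendor defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor"), ("pi", "raspberry")}


def check_password(username, password):
    """Return the reasons a candidate password is rejected; an empty list means accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Strip the trailing digits/punctuation people bolt on ("Password1!" -> "password")
    # so trivial variants of a banned word are caught too.
    core = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in DENY_LIST or core in DENY_LIST:
        reasons.append("on the common-password deny list")
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    if (username.lower(), lowered) in DEFAULT_CREDENTIALS:
        reasons.append("is a vendor default credential")
    return reasons


class LoginThrottle:
    """Permit at most `limit` guesses per account within a sliding `window` of seconds.

    Call allow(username) before verifying the password; a False return means the
    guess must be refused without checking it. The clock is injectable for tests.
    """

    def __init__(self, limit=10, window=300, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._attempts = {}                          # username -> deque of guess timestamps

    def allow(self, username):
        now = self.clock()
        q = self._attempts.setdefault(username, deque())
        while q and now - q[0] >= self.window:       # forget guesses that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("alice", "Password1!"), ("bob", "correct horse battery staple")]:
        verdict = check_password(user, pw) or ["accepted"]
        print(f"{user}/{pw!r}: {', '.join(verdict)}")
    throttle = LoginThrottle()
    outcomes = [throttle.allow("alice") for _ in range(11)]
    print("11th guess within 5 minutes allowed?", outcomes[-1])
```

The throttle counts every guess against the account, not only failures, so it cannot be bypassed by an attacker who interleaves guesses across many source addresses; the trade-off is that a legitimate user locked behind a burst of attacker traffic has to wait out the window, which is why the scheme treats throttling and lockout as alternatives to be chosen for the service in question.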

Access control for data and services

Purpose: To ensure that all users are authorised individuals, and have only as much access to IT resources as required to perform their tasks.

According to the 2019 Varonis Global Data Risk Report, 53% of companies found over 1,000 sensitive files open to every employee, and 22% of all folders were open to every employee. Administrative rights should be restricted to the few people who need them, and those people should use a separate, standard account for everyday work such as email and web browsing, so that a phishing email opened by an administrator does not run with administrative privileges. If a user can access only the data and services they need for their work rather than all of the company's files, then only those areas are exposed if their account is compromised.

Cyber Essentials requires that access to your data is controlled: each user has their own account, accounts are created through an approval process and removed or disabled when no longer needed, and administrative privileges are granted only to those who need them and reviewed regularly. This requirement applies to user accounts, data, and services.
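As an added example (not the scheme's own material or code from this article), the following Python performs the audit implied by the Varonis figures above: it resolves nested group membership to work out which users can actually read each folder, flags folders that the whole user population can reach, and shows the "blast radius" of a single compromised account. The accounts, groups and folder permissions are constructed sample data in the shape of an Active Directory and file-server environment, not output from any real tool.

```python
"""Effective-access audit for the access-control requirement.

Added example. Resolves nested group membership to work out which users can
actually read each folder, then flags folders that every user can reach.
Accounts, groups and folder permissions are constructed sample data in the
shape of an Active Directory / file-server environment.
"""

# Constructed: group -> members (user names or nested group names).
GROUPS = {
    "Domain Users": ["alice", "bob", "carol", "dave"],
    "Finance": ["carol", "Finance-Managers"],
    "Finance-Managers": ["dave"],
    "IT-Admins": ["alice"],
}

# Constructed: folder -> principals granted read access.
FOLDER_ACLS = {
    r"\\fs01\Finance\Payroll": ["Finance-Managers"],
    r"\\fs01\Finance\Invoices": ["Finance"],
    r"\\fs01\HR\Contracts": ["Domain Users"],
    r"\\fs01\IT\Scripts": ["IT-Admins", "Everyone"],
}

# Well-known principals that mean "everybody" regardless of group membership.
EVERYONE = {"Everyone", "Authenticated Users"}


def all_users(groups):
    """Every name that appears as a member and is not itself a group."""
    return {m for members in groups.values() for m in members if m not in groups}


def expand(principal, groups, _seen=None):
    """Resolve a principal to the users it contains, following nested groups.

    A visited set guards against membership cycles (A contains B contains A),
    which real directories do allow.
    """
    if _seen is None:
        _seen = set()
    if principal in _seen:
        return set()
    _seen.add(principal)
    if principal in EVERYONE:
        return all_users(groups)
    if principal not in groups:
        return {principal}                       # a plain user account
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, _seen)
    return users


def effective_access(folder_acls, groups):
    """Map each folder to the set of users who can actually read it."""
    return {folder: set().union(*(expand(p, groups) for p in principals))
            for folder, principals in folder_acls.items()}


def open_to_everyone(folder_acls, groups):
    """Folders whose effective readers are the whole user population."""
    everyone = all_users(groups)
    return sorted(folder for folder, users in effective_access(folder_acls, groups).items()
                  if users >= everyone)


def user_reach(user, folder_acls, groups):
    """Folders one account can read: the blast radius if that account is compromised."""
    return sorted(f for f, users in effective_access(folder_acls, groups).items() if user in users)


if __name__ == "__main__":
    for folder in open_to_everyone(FOLDER_ACLS, GROUPS):
        print("open to every user:", folder)
    print("bob can reach:", user_reach("bob", FOLDER_ACLS, GROUPS))
```

The point of resolving membership transitively is that an ACL entry that looks narrow ("Finance") can still reach far more people than intended once nested groups are followed; on a real estate you would populate `GROUPS` and `FOLDER_ACLS` from the directory and file-server ACLs rather than by hand.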

Protect your devices against viruses and malware

Purpose: To protect systems against known viruses and malware, and to prevent harmful code from running or accessing data.

Without proper protection, all devices and software are prone to malware attacks. Various forms of malware can affect devices including ransomware, viruses, and spyware. If one device is affected, then malware can quickly spread to other connected devices as well.

Therefore, the Cyber Essentials scheme requires malware protection on all in-scope devices: anti-malware software that updates itself automatically, scans files on access and blocks connections to known-malicious websites, or, as the scheme also accepts, application allow-listing so that only approved software can run at all. This requirement applies to laptops, desktops, servers, and personal devices used for work.

Keep all devices and software updated and patched

Purpose: To protect software and devices against known vulnerabilities for which a fix is already available.

All devices and software must be kept up to date. Regular updates are released by developers to fix any known security vulnerabilities.

Patches should be applied promptly: Cyber Essentials requires that fixes for vulnerabilities rated critical or high (CVSS v3 base score of 7.0 or above) are installed within 14 days of release, which in practice means enabling automatic updates wherever possible. Software that is no longer supported by its vendor receives no fixes and must be removed, or isolated so that it cannot be reached from the internet. This requirement applies to operating systems, installed applications, the firmware on firewalls and routers, web and email servers, laptops, desktops, and personal devices used for work.
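As an added example (not the scheme's own material or code from this article), the following Python checks a software inventory against a list of advisories and reports which critical or high fixes have been missing for longer than the 14-day window. The inventory and advisories are constructed sample data; the 14-day window is the Cyber Essentials requirement, and the version comparison is a simplification that handles dotted numeric versions only.

```python
"""Patch-window check for the 'keep software updated' control.

Added example. The 14-day window for critical/high fixes is the Cyber Essentials
requirement; the package inventory and advisories are constructed sample data,
and version_key() is a simplification that ignores pre-release tags and vendor
suffixes.
"""
import re
from datetime import date

PATCH_WINDOW_DAYS = 14

# Constructed: software installed on one host, package -> version.
INVENTORY = {
    "openssh": "9.2",
    "nginx": "1.24.0",
    "libwebp": "1.2.4",
    "firefox": "118.0.1",
}

# Constructed advisories: first fixed version, severity, and the date the fix shipped.
ADVISORIES = [
    {"package": "libwebp", "fixed": "1.3.2", "severity": "critical", "released": date(2023, 9, 12)},
    {"package": "nginx", "fixed": "1.25.3", "severity": "low", "released": date(2023, 10, 24)},
    {"package": "firefox", "fixed": "118.0.2", "severity": "high", "released": date(2023, 10, 10)},
    {"package": "openssh", "fixed": "9.1", "severity": "high", "released": date(2023, 2, 1)},
]


def version_key(version):
    """'1.24.0' -> (1, 24): numeric tuples compare correctly where strings do not
    ('1.9' vs '1.10'). Trailing zeros are dropped so '1.24' and '1.24.0' compare equal."""
    key = [int(x) for x in re.findall(r"\d+", version)]
    while key and key[-1] == 0:
        key.pop()
    return tuple(key)


def missing_patches(inventory, advisories):
    """Advisories whose fixed version is newer than what is installed, any severity."""
    return [adv for adv in advisories
            if adv["package"] in inventory
            and version_key(inventory[adv["package"]]) < version_key(adv["fixed"])]


def overdue_patches(inventory, advisories, today, window=PATCH_WINDOW_DAYS):
    """Critical/high fixes that have been available for more than `window` days and
    are still not installed. Returns (package, installed, fixed, days_open) tuples."""
    findings = []
    for adv in missing_patches(inventory, advisories):
        if adv["severity"] not in ("critical", "high"):
            continue                      # still needs patching, but outside the 14-day requirement
        days_open = (today - adv["released"]).days
        if days_open > window:
            findings.append((adv["package"], inventory[adv["package"]], adv["fixed"], days_open))
    return findings


if __name__ == "__main__":
    today = date(2023, 10, 20)            # fixed date so the sample output is reproducible
    for pkg, have, want, days in overdue_patches(INVENTORY, ADVISORIES, today):
        print(f"OVERDUE: {pkg} {have} -> {want} ({days} days since fix released)")
```

With the sample data on 20 October 2023 only libwebp is overdue: firefox is missing a high-severity fix too, but it shipped ten days earlier and is still inside the window, nginx's fix is low severity, and openssh is already ahead of the fixed version. Re-run the same check ten days later and firefox joins the list, which is the property a practitioner wants from this kind of report: it turns a patch backlog into a dated list of breaches of the requirement.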


Understanding the five requirements of Cyber Essentials is the first step towards certification and keeping your business secure.

Cyber Essentials not only demonstrates your commitment to data and cyber security; it reduces the likelihood of a successful attack and the data, reputational and monetary losses that follow.

Further resources:

NCSC Exercise in a Box (online tool)