Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It was developed by the National Cyber Security Centre (NCSC) and sets out a baseline of security controls that any business — regardless of size or sector — can implement. Despite being around since 2014, a significant number of small businesses still don’t have it, and many don’t fully understand what it involves or whether they need it.
The Five Technical Controls
Cyber Essentials is built around five core security controls. Together, they address the most frequent methods attackers use to compromise systems.
Firewalls are the first line of defence. The scheme requires that internet-connected devices are protected by a properly configured firewall — whether that’s a network-level device or a software firewall on each machine. The goal is to prevent unauthorised access to your systems.
Secure configuration means ensuring that devices and software are set up securely from the start. Default passwords must be changed, unnecessary software must be removed, and any features not required for business use should be disabled. A surprising number of breaches occur because systems are left in their factory-default state.
User access control addresses who has access to what. Staff should only have the level of access they need to do their job — no more. Administrative privileges should be tightly controlled and limited to those with a genuine need. This limits the damage an attacker can do if they compromise a single account.
Malware protection requires that devices have up-to-date anti-malware software in place. The scheme accepts a range of approaches, including traditional antivirus tools and application allow-listing, which prevents unapproved software from running at all.
Patch management is perhaps the most important control. Software vulnerabilities are discovered regularly, and vendors release patches to fix them. Cyber Essentials requires that operating systems and applications are kept up to date — typically within 14 days of a patch being released.
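The two controls above that come with measurable criteria are user access control (who holds administrative rights) and patch management (the 14-day window). The following Python pre-assessment check is an added example, not part of the original article or any NCSC tooling; the inventory, account list and dates are constructed, and the 14-day figure is the one quoted in the text.

```python
from dataclasses import dataclass
from datetime import date

# Cyber Essentials expects security patches applied within 14 days of release
# (figure taken from the article text).
PATCH_WINDOW_DAYS = 14


@dataclass
class Software:
    device: str
    name: str
    installed: str          # version currently installed
    latest: str             # latest (patched) version available
    latest_released: date   # date that patched version was released


def patch_findings(inventory, today):
    """Return (device, name, days_overdue) for software outside the 14-day window.

    Software already on the latest version is ignored; software whose patch was
    released within the window is not yet a finding.
    """
    findings = []
    for item in inventory:
        if item.installed == item.latest:
            continue
        age = (today - item.latest_released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append((item.device, item.name, age - PATCH_WINDOW_DAYS))
    return findings


def admin_findings(accounts, approved_admins):
    """Accounts holding admin rights without a recorded business need (least privilege)."""
    return sorted(user for user, is_admin in accounts.items()
                  if is_admin and user not in approved_admins)


# Constructed sample data (hypothetical devices, products and users)
INVENTORY = [
    Software("laptop-01", "Browser", "124.0", "124.0", date(2024, 4, 9)),
    Software("laptop-01", "PDF reader", "23.1", "23.3", date(2024, 3, 20)),
    Software("server-01", "OS", "2024.03", "2024.04", date(2024, 4, 15)),
]
ACCOUNTS = {"alice": True, "bob": False, "it-admin": True}   # user -> has admin rights
APPROVED_ADMINS = {"it-admin"}
TODAY = date(2024, 4, 25)

if __name__ == "__main__":
    for device, name, overdue in patch_findings(INVENTORY, TODAY):
        print(f"{device}: {name} is {overdue} day(s) past the 14-day patch window")
    for user in admin_findings(ACCOUNTS, APPROVED_ADMINS):
        print(f"{user}: administrative rights without a recorded business need")
```

Run against a real inventory export, the same two functions give you the list of items an assessor would expect you to have fixed before you submit the questionnaire.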
Cyber Essentials vs Cyber Essentials Plus
There are two levels of certification. The standard Cyber Essentials is a self-assessed questionnaire. You answer a series of questions about your IT environment, a certifying body reviews your responses, and if you meet the requirements, you’re certified. This is the more accessible option and suits most small businesses.
Cyber Essentials Plus goes a step further. All of the same requirements apply, but the assessment is independently verified. A qualified assessor will test your systems — checking whether your controls actually work as you’ve described, not just whether you’ve said they’re in place. It provides a higher level of assurance and is increasingly requested by larger clients and public sector bodies.
What Does It Cost?
For the self-assessed Cyber Essentials certification, costs typically range from £300 to £500, depending on which NCSC-approved certifying body you use. The price can vary based on organisation size.
Cyber Essentials Plus involves a more detailed technical assessment and costs more — typically £1,500 to £3,500 or higher, depending on the complexity of your IT environment. Costs should be viewed in the context of what a breach would cost you, which is a comparison that almost always makes certification look like excellent value.
Who Needs It?
Cyber Essentials is not yet a legal requirement for most businesses, but there are circumstances where it is effectively mandatory. Any organisation bidding for UK government contracts that involve handling sensitive information or personal data must hold Cyber Essentials certification. This has been a requirement since 2014 and is strictly enforced.
Beyond that, many large private sector organisations now require it of their supply chain. If you work with enterprise clients, expect to be asked for your certificate — if you don’t have one, you may lose the contract.
Even where it isn’t required, certification demonstrates a credible baseline of security hygiene. That matters to clients, to insurers, and increasingly to prospective employees who want to work for organisations that take security seriously.
Benefits Beyond the Certificate
Achieving Cyber Essentials forces you to take stock of your current IT environment in a structured way. Many businesses discover gaps they didn’t know existed — exposed devices, accounts with excessive privileges, or software years out of date. Fixing those issues reduces risk whether or not you ever display the certificate.
Certified businesses also gain access to free cyber liability insurance from the NCSC for organisations with a turnover under £20 million. That alone can offset a significant portion of the certification cost.
If you’re unsure whether your business is ready for certification, or you want help navigating the assessment process, DreamThieves can walk you through it. We work with small businesses across the UK to make the process straightforward and genuinely useful — not just a box-ticking exercise.
A specialist from the DreamThieves cyber security team.