Procurement · 3 November 2021

Understanding the Government’s Cyber Essentials Scheme

The cyber threat landscape is evolving at a frightening rate, leaving businesses with the difficult task of trying to keep up, reduce their risk exposure and stay secure. For SMEs, this can be particularly tricky as they won’t necessarily have the budgets or resources to invest in comprehensive technical solutions for their cyber security. However, without proper cyber defences, an SME can be even more likely to be targeted by a cybercriminal. SMEs are seen as an easy, or ‘soft’, target and often as an entry point to other businesses higher up in the supply chain.

In 2014, the UK Government’s National Cyber Security Centre began to develop a standard based on the evidence they had of common types of cyber attack. This led to a set of controls that, if implemented, would offer an organisation a good level of protection against these attacks.

The Cyber Essentials standard was designed with SMEs in mind, focusing on the most important technical controls that would make a real difference to a business’ security posture. With 60% of small businesses experiencing a security breach that year, it was clear that many SMEs did not have these controls in place, either because they were not aware of them or did not believe they would ever be attacked as a small business.

What are the technical controls? 

The NCSC outlines five critical technical controls that make up the Cyber Essentials standard to help businesses lay secure foundations. These are a bit like safeguards that are incorporated into computer hardware, software, or firmware.

Malware Protection: The right anti-virus and anti-malware software should be activated, so that systems are protected against the download of malicious software.

Secure Configuration: Devices need to be correctly configured before use, with default passwords changed, and only approved applications installed.

Boundary Firewalls and Gateways: These protect your internal networks from the wider internet and should be switched on at all times to guard against harmful and unwanted traffic.

Security Updates: Keeping all devices and software up to date hugely reduces the risk of security vulnerabilities which hackers will likely take advantage of.

Access Control: Managing access rights within an organisation, especially keeping admin privileges to a minimum, helps to protect data and other important assets.

How does the Cyber Essentials assessment work?

To make sure your business is complying with these controls, there has to be an assessment. There are two levels to the Cyber Essentials certification, marked by the slightly different way they’re assessed. In its basic form, Cyber Essentials involves an online self-assessed questionnaire. Your IT provider or your IT department must answer a series of questions relating to each of these controls and submit the answers via an online portal. You’ll then pass the assessment and achieve certification if your answers suggest that your business has implemented the required controls.



Clive Madders is Chief Technology Officer and Assessor at Cyber Tec Security. With over 25 years’ experience in the industry, Clive has built up an extensive repertoire as an Enterprise Solution Architect, delivering managed ICT support services, Cyber Essentials certifications and advanced security solutions to help improve the cyber security maturity of businesses across the UK.
