If you run a small brokerage, claims firm, or any FCA-regulated outfit, Cyber Essentials has probably arrived on your desk from one of three directions: your PI insurer asked for it, a network or principal firm made it a condition, or a corporate client put it in a contract. It is rarely something a small firm goes looking for.
That means most people meet Cyber Essentials as a form to fill in rather than a thing to actually do — which is exactly how firms end up self-certifying to controls they do not really have. This article is the honest version: what the five controls mean, where small regulated firms genuinely fall short, and what it takes to pass properly rather than on paper.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed baseline, administered by IASME. It is deliberately not sophisticated. It asserts that you have five basic technical controls in place across the machines and accounts your business runs on.
There are two levels, and the difference matters:
- Cyber Essentials — a self-assessment questionnaire. You answer for your own estate, and a director signs it off. Nobody visits.
- Cyber Essentials Plus — the same five controls, but independently tested. An assessor actually probes your machines and checks the answers are true.
The certificate itself costs a few hundred pounds depending on headcount. That is not the real cost. The real cost is doing the work the questionnaire assumes you have already done.
The five controls, and where small firms actually fail
1. Firewalls. Every device that touches the internet sits behind a properly configured firewall — including laptops working from a kitchen table. Where firms fail: the office firewall is fine, but the home-working laptops are naked on someone's domestic broadband.
2. Secure configuration. Default passwords changed, unnecessary software and accounts removed, machines not shipped as-is. Where firms fail: nobody ever removed the software that came on the laptop, and there is a shared login that three people use.
3. Security update management. Operating systems and applications patched within 14 days of a critical update. Where firms fail: this is the big one. Windows mostly patches itself; Chrome, Adobe, and softphones frequently do not. A single unpatched machine in the corner fails the whole assessment.
4. User access control. People have only the access they need, admin rights are restricted, and accounts are removed when someone leaves. Where firms fail: everyone is a local admin because it was easier, and the leaver from March still has a live mailbox.
5. Malware protection. Active, current protection on every device. Where firms fail: rarely — this is the control most firms genuinely have.
Read that list again and notice how little of it is about hackers. It is about housekeeping — the patching nobody owns, the admin rights nobody revoked, the laptop nobody has looked at since it was handed over.
Cyber Essentials is a floor, not a ceiling
A point worth being blunt about: Cyber Essentials is a baseline, and passing it does not discharge your obligations as a regulated firm. The FCA's expectations around operational resilience and treating customers fairly sit well above it, and a certificate does not answer the question of what happens to your customer data when a laptop is lost or a mailbox is compromised.
If you handle recorded calls, customer files, and payment details — and if you are regulated, you do — then encryption, access logging, and retention are your problem whether or not IASME asks about them. Cyber Essentials is a useful forcing function to get the basics done. It is not the finish line.
What passing properly involves
For a small firm with no IT department, getting to a genuine pass usually means:
- Full-disk encryption on every laptop and desktop, so a lost machine is an inconvenience rather than a reportable breach.
- Automatic patching of Windows and the everyday applications — the browsers, PDF readers, and softphones that quietly go stale.
- Multi-factor authentication on every account. It is the single biggest block against account takeover and it costs nothing but a bit of friction.
- Admin rights taken back from people who do not need them, and a leaver process that actually removes accounts.
- Somewhere to see, at a glance, which machines are currently secure — because "I think they're fine" is not an answer an assessor accepts.
None of that is exotic. It is all achievable. It simply needs someone to own it, and in most small firms nobody does.
Doing it yourself, or having it run
If you have someone in-house who can own patching, encryption, and access control as an ongoing job — not a project — then do it yourself. The tooling is available and the controls are not difficult.
If you do not, the honest answer is that it will drift, because it always does. Patching is boring, and boring things lose to urgent things every single time.
We built Telebyte Shield for exactly that gap: managed security and compliance for small firms, packaging the same stack we run across our own estate. Encryption, patching, MFA, threat protection, and a compliance dashboard, from £25 per user per month — with Cyber Essentials certification available as a one-off add-on on the Compliance+ tier, so the certificate arrives as the by-product of controls that are genuinely in place rather than a form you hope nobody checks.
If you have been asked for Cyber Essentials and want a straight answer about what your setup would actually need, tell us what you're running and we'll tell you. No discovery-call gauntlet.