There is a moment that repeats itself in this job. We finish an independent security audit, sit down with the owner or the board, and walk through what we found. Not theoretical risk. Their risk: the accounts that should not exist, the systems years out of support, the cloud services one password away from everything the business holds. The room goes quiet. Almost every time, the next sentence is some version of “we had no idea”.
The room goes quiet. Almost every time, the next sentence is some version of "we had no idea".
What an independent audit usually sounds likeNobody had lied to them. They simply had no way of seeing it. Most businesses run on trust: trust that the IT provider has it covered, trust that the defaults are sensible, trust that no news is good news. The audit replaces trust with evidence, and the evidence is usually uncomfortable.
The question that follows is always the same: where do we start? And the answer, almost always, is Cyber Essentials. This post explains what it is, clears out the myths, and makes the honest commercial case for it.
What Cyber Essentials actually is
Cyber Essentials is the UK government-backed cyber security certification, overseen by the National Cyber Security Centre and assessed by licensed certification bodies. Malwise is one.
It certifies one thing: that five fundamental technical controls are in place across your organisation. Firewalls. Secure configuration. Security updates applied on time. Access controlled properly, including multi-factor authentication on cloud services. Malware protection everywhere. That’s it. It is not a framework, not a management system, not a shelf of policies. It is a check that the basics are actually done, verified by an assessor, signed for by your board.
Cyber Essentials Plus is the same standard with independent technical testing: an assessor examines a sample of your systems and confirms the declared controls really hold.
If you want the full breakdown of the controls and a preparation checklist, we have written a complete preparation guide with a full checklist. This post is about the why, not the how.
The myths, demystified
“It’s for big companies.” Backwards. The scheme was designed so a two-person firm can achieve it. The question set scales to your size, and small businesses are precisely who the scheme exists to protect, because they are attacked constantly and defended least.
“It’s expensive.” The certification itself costs a few hundred pounds. The real cost is the housekeeping to get ready, and that work is not an overhead of certification. It is security your business needed anyway, with a certificate at the end as proof you did it.
“It’s a paperwork exercise.” It was never paperwork, and since the scheme tightened in April 2026 it is less forgiving than ever: several gaps that used to be survivable are now automatic failures. A certificate now says something real. That is exactly why customers ask for it.
“Our IT is outsourced, so we’re covered.” The most expensive myth on this list. Your provider manages your systems; that is not the same as certifying your security, and accountability never transfers with the invoice. Many of the shocked rooms described above had a provider on a healthy monthly retainer. Some of the findings were things that provider was being paid to prevent. With managed service providers about to come under regulation themselves, “our IT company handles it” is about to get tested like never before.
How it wins you work
The commercial case is not subtle, and it is getting stronger every year.
It is the entry ticket to contracts. Cyber Essentials is required for a wide range of government contracts, and it is standard in defence supply chains. Around Salisbury and across Wiltshire and Hampshire, where so many businesses supply the defence sector directly or at one remove, it is frequently the difference between bidding and not bidding.
It answers the questionnaire before it arrives. Larger customers increasingly send security questionnaires to every supplier. Without certification, each one is an afternoon of awkward answers. With it, most of the questionnaire is answered by a single verifiable badge.
It reassures insurers. Certifying your whole organisation includes cyber liability insurance for eligible UK organisations under £20 million turnover, and demonstrating the controls makes conversations with your existing insurer easier.
It signals competence. Two quotes land on a buyer’s desk. One bidder can prove a government-backed security standard; the other can offer assurances. Price being close, that decision makes itself. Certification is one of the few security investments that is visible to the people who pay you.
How it protects you: the attacks that actually happen
The five controls were not chosen by committee guesswork. They map directly onto how the overwhelming majority of real attacks on small businesses begin.
Most businesses are not targeted by sophisticated adversaries. They are swept up by automated, opportunistic attacks that try the same handful of doors on every organisation in the country: internet-facing systems missing security updates (now the single most common way in, having overtaken stolen passwords), cloud accounts without multi-factor authentication, default passwords that were never changed, commodity malware in email attachments, and old accounts nobody disabled.
Look back at the five controls. Each one closes one of those doors. That is the design: not to make you unbreachable, but to take you out of the population that gets breached by accident. Given that 43% of UK businesses reported a breach or attack last year, leaving that population is not a marginal gain.
The first step, not the destination
Here is the honest framing, and it is the same thing we say in those quiet rooms after an audit.
Cyber Essentials will not fix everything the audit found. It does not cover your backup strategy, your incident response, your staff awareness, or your governance. What it does is fix the fundamentals first, in a defined order, with a verified finish line, and produce evidence you can show anyone who asks. It converts “we should really sort out our security” from a vague intention into a completed project.
Every business that has sat in that quiet room and then certified has told us the same thing afterwards: the process itself was the eye-opener. Building the asset list, sweeping the cloud accounts, finding what was unsupported. The certificate was the receipt. The security was the point.
Cyber Essentials will not fix everything, and anyone who says it will is selling something. What it does is fix the fundamentals first, in a defined order, with a verified finish line, and hand you evidence you can show anyone who asks. That is worth more than it costs, every time.
If you already suspect there are things you cannot see, you have two good ways in. Start with certification and let the process surface the issues, or start with an independent audit and get the full picture first. Either way, get in touch and we will tell you plainly which makes sense for your business. We are a licensed certification body based in Salisbury, working across Wiltshire and nationwide, and we would rather open your eyes in a scoping call than have an attacker do it for free.