Complete Guide
Cyber Security & Cyber Essentials
Protecting your business from modern cyber threats
A comprehensive guide to cyber security for UK businesses — the real threats, best practice, and how Cyber Essentials certification fits in.
Why cyber security matters
Cyber attacks aren't "big company" problems anymore
Small and medium businesses are now the most-targeted segment for cyber criminals — not because they're valuable on their own, but because they're seen as easier prey: lower security budgets, smaller IT teams, and often a belief that "we're too small to be targeted".
The reality is that most attacks are automated and opportunistic. Bots scan the internet looking for unpatched servers, exposed remote desktops, weak passwords, and vulnerable applications. If your business matches a vulnerable profile, you're a target — regardless of size.
Good cyber security isn't about being invincible. It's about being hard enough to attack that the automated tools move on to the next victim, and having the layers in place to contain and recover when something does get through.
Know your enemy
The biggest cyber threats to UK businesses
Understanding the threat landscape is the first step to defending against it. These are the attack types we see most often affecting SMEs.
Phishing
Fake emails, texts or calls tricking staff into revealing passwords, clicking malicious links, or transferring money. Still the #1 way attackers get in.
Ransomware
Malware that encrypts your files and demands payment to unlock them. Can cripple a business for weeks and trigger data-breach reporting obligations.
Malware & Viruses
Software designed to damage, steal, or disrupt. Includes keyloggers, spyware, remote-access trojans, and cryptocurrency miners.
Credential Theft
Stolen passwords — from breaches of other websites, phishing, or weak password practices — used to access your systems directly.
Social Engineering
Manipulation techniques — impersonating suppliers, HR, or executives — to extract information or authorise fraudulent payments (CEO fraud).
Supply Chain Attacks
Attackers target your suppliers or software providers to reach you. A single compromised vendor can expose dozens of downstream businesses.
The standard
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, delivered by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC). It provides a clear, practical framework of the minimum controls every business should have in place.
The scheme has two levels:
- Cyber Essentials — a self-assessment verified by an external assessor. You complete a questionnaire about your setup; an assessor reviews and certifies you if you meet the criteria.
- Cyber Essentials Plus — everything in Cyber Essentials plus a hands-on external technical audit. An assessor connects to your devices and validates that the controls are actually in place.
Plan-IT is Cyber Essentials certified — we use the same controls we recommend to clients, and we help businesses across East Anglia achieve and maintain their certification every year.
The foundation
The 5 Cyber Essentials technical controls
To achieve Cyber Essentials certification, your business needs to demonstrate each of these five control areas. The NCSC estimates these controls alone prevent around 80% of the most common cyber attacks.
Firewalls & Internet Gateways
Properly configured boundary firewalls between your network and the internet. Default passwords changed, unused services disabled, correct inbound and outbound rules.
Secure Configuration
Devices and software set up securely by default. Remove unnecessary accounts and software, disable unused services, change default passwords, lock down device settings.
User Access Control
Give each user only the access they need. Unique accounts, strong passwords or passphrases, MFA on cloud services, and removed access when staff leave.
Malware Protection
Anti-virus and anti-malware on every device, with application whitelisting or sandboxing where appropriate. Must be actively updated and monitored.
Security Update Management
All software must be supported, licensed, and patched. Critical security updates applied within 14 days. Unsupported software removed or isolated.
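As an added illustration (example code, not Plan-IT's tooling or anything published by IASME or the NCSC), the Python below scores one constructed device inventory record against the five control areas above, the kind of check a gap analysis performs. The `Device` field names and the sample values are this example's own assumptions; the 14-day window for critical updates is the scheme's requirement.

```python
from dataclasses import dataclass, field
from datetime import date
PATCH_WINDOW_DAYS = 14  # Cyber Essentials: critical security updates applied within 14 days

@dataclass
class Device:
    name: str
    firewall_default_password_changed: bool
    unused_services_disabled: bool
    users: dict                  # username -> {"mfa": bool, "shared": bool}
    antimalware_updated: bool
    software: list = field(default_factory=list)  # items: name, supported, critical_patch_released, patched_on

def check_device(dev: Device, today: date) -> dict:
    """Map each of the five control areas to a list of findings (an empty list means pass)."""
    f = {c: [] for c in ("firewalls", "secure_config", "access_control",
                         "malware_protection", "update_management")}
    if not dev.firewall_default_password_changed:
        f["firewalls"].append("boundary firewall still uses the default password")
    if not dev.unused_services_disabled:
        f["secure_config"].append("unused services still enabled")
    for user, props in dev.users.items():
        if props.get("shared"):
            f["access_control"].append(f"{user}: shared account, not a unique login")
        if not props.get("mfa"):
            f["access_control"].append(f"{user}: MFA not enabled on cloud services")
    if not dev.antimalware_updated:
        f["malware_protection"].append("anti-malware not actively updated")
    for sw in dev.software:
        released, applied = sw.get("critical_patch_released"), sw.get("patched_on")
        if not sw["supported"]:
            f["update_management"].append(f"{sw['name']}: unsupported, remove or isolate")
        elif released is not None:
            days = ((applied or today) - released).days  # time taken to patch, or days still outstanding
            if days > PATCH_WINDOW_DAYS:
                state = "applied after" if applied else "still outstanding after"
                f["update_management"].append(f"{sw['name']}: critical patch {state} {days} days")
    return f

def passes(findings: dict) -> bool:
    return all(not items for items in findings.values())

# Constructed sample record (illustrative values only, not a real device)
SAMPLE = Device("LAPTOP-01", firewall_default_password_changed=True, unused_services_disabled=False,
                users={"alice": {"mfa": True, "shared": False}, "reception": {"mfa": False, "shared": True}},
                antimalware_updated=True, software=[
                    {"name": "Office", "supported": True, "critical_patch_released": date(2024, 3, 1), "patched_on": date(2024, 3, 5)},
                    {"name": "OldPDFTool", "supported": False},
                    {"name": "Browser", "supported": True, "critical_patch_released": date(2024, 2, 1), "patched_on": None}])
def sample_findings() -> dict:
    return check_device(SAMPLE, date(2024, 3, 10))
```

Run `sample_findings()` to see the record fail on secure configuration (unused services), access control (a shared, non-MFA account), and update management (unsupported software and a critical patch 38 days outstanding), while the firewall and malware controls pass.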
Which level is right for you?
Cyber Essentials vs Cyber Essentials Plus
Most businesses start with basic Cyber Essentials. If you bid for government contracts, handle sensitive data, or want the strongest assurance, Plus is worth the extra investment.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| External assessor verification | Yes | Yes |
| Self-assessment questionnaire | Yes | Yes |
| Hands-on technical audit of devices | No | Yes |
| External vulnerability scan | No | Yes |
| Annual certification | Yes | Yes |
| Use of certification badge | Yes | Yes |
| Eligible for £25k free cyber insurance* | Yes | Yes |
| Required for many government contracts | No | Yes |
* £25k free cyber liability insurance available to UK businesses with <£20m turnover who certify with an IASME-accredited body.
Beyond certification
How Plan-IT protects your business
Cyber Essentials is the foundation. True cyber resilience combines certification-level controls with layered defence, monitoring, and trained users. Here's what we deliver.
Cyber Essentials Certification
Full-service certification — gap analysis, remediation, submission, and Plus audit support.
Endpoint Protection
Business-grade antivirus and threat detection across all devices. Managed, monitored, and kept up to date.
Email Security
Anti-phishing, attachment sandboxing, and impersonation protection to keep your inbox safe.
Multi-Factor Authentication
MFA rollout on Microsoft 365, VPN, critical line-of-business apps. Phishing-resistant options available.
Backup & Disaster Recovery
Immutable, ransomware-resilient backups with regular test restores and clear recovery objectives.
Security Awareness Training
Ongoing staff training with simulated phishing tests — because your people are the last line of defence.
Proactive Monitoring
24/7 monitoring of endpoints, network, and cloud accounts for suspicious activity and rapid response.
Policies & Compliance
Acceptable use policies, incident response plans, and GDPR-aligned documentation written for your business.
Getting certified
Our Cyber Essentials process
We've guided dozens of East Anglia businesses through certification. Here's exactly what to expect when you work with us.
- Gap analysis: We review your current setup against the 5 controls and identify what needs work — often 80% is already in place.
- Remediation: We make the necessary changes: enable MFA, tighten firewall rules, patch software, deploy endpoint protection, document policies.
- Self-assessment: We complete the IASME questionnaire on your behalf, using our own documentation of your systems.
- Submission & certification: Questionnaire submitted to an accredited assessor. Certification is usually issued within a few working days if all is well.
- Cyber Essentials Plus audit: Optional step — we coordinate the external technical audit and support you through it. Most clients pass first time.
- Annual renewal: We manage recertification every 12 months as part of our managed cyber security service.
FAQs
Cyber security questions, answered
Do small businesses really need cyber security?
Yes — more than ever. 43% of all cyber attacks now target small businesses precisely because they often have weaker defences than enterprises. A single ransomware incident can close a small business permanently.
How much does Cyber Essentials cost?
Certification fees scale with the size of your business. Plan-IT offers fully managed certification packages that include both the assessment fees and the remediation work — get in touch for a tailored quote.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment verified by an external assessor. Plus adds a hands-on technical audit — an assessor physically tests your controls on a sample of devices. Plus gives stronger assurance and is required for many government contracts.
How long does Cyber Essentials take to achieve?
For a well-set-up business the whole process can be completed in 2–3 weeks. If significant remediation is needed, expect 4–8 weeks. Plan-IT handles everything end-to-end including the remediation work.
Do I need Cyber Essentials to bid for government contracts?
Yes — any UK central government contract involving handling personal information or ICT systems requires Cyber Essentials as a minimum. Many local authorities, MOD suppliers, and private-sector tenders also require it.
How often do I need to recertify?
Annually. Cyber Essentials certification lasts 12 months. Plan-IT includes recertification within our managed cyber security packages so it's handled automatically.
Is MFA enough on its own?
MFA is essential and blocks the vast majority of credential-based attacks, but it's not a silver bullet. You also need good email filtering, endpoint protection, regular patching, backups, and user training. Defence in depth.
What should I do if we've been hacked?
Act fast. Disconnect affected devices from the network, preserve evidence, notify your IT provider immediately, and — if personal data is involved — notify the ICO within 72 hours. Call us on 01473 723046 for emergency incident response.