Cyber Essentials: Improving Your Cyber Security as an SME

George Ryan
Consultant at URM
24 Jan

When it comes to cyber security, small and medium-sized enterprises (SMEs) tend to have a smaller pool of resources available to them than large enterprises, and often lack defences (such as dedicated security teams and automated detection) that their larger counterparts are able to implement, yet they face a similar level of risk. In its Cyber security breaches survey 2024, the Department for Science, Innovation and Technology (DSIT) found that 58% of small and 70% of medium-sized businesses had suffered a breach in the 12 months preceding the survey, only 16% and 4% less than large enterprises, respectively. Whilst large enterprises may be able to absorb the consequences of a breach, for many SMEs the impact can be devastating.

SMEs often find themselves facing a standoff between what their budget allows and what needs to be done to improve security. Becoming Cyber Essentials certified can help to resolve this, allowing you to build a solid baseline for addressing cyber-related threats without a significant impact on your budget.

What is Cyber Essentials?

Cyber Essentials is a Government-backed scheme aimed at helping organisations protect themselves against common Internet-based cyber attacks.  Certification to Cyber Essentials provides reassurance that your organisation’s security controls will protect against the vast majority of common cyber attacks, and will act as a significant deterrent to cyber criminals.

The scheme centres around 5 basic security controls: user access control; security updates; secure configuration; malware protection; and firewalls and routers. The implementation of these controls is then verified by a qualified assessor, who will review your completed self-assessment questionnaire (SAQ) to determine whether you are compliant with the scheme and can be awarded certification.

To go on to achieve Cyber Essentials Plus certification, your organisation must already be certified to Cyber Essentials. The requirements are the same; however, gaining the additional qualification involves a technical expert conducting an on-site or remote audit of your IT systems to confirm that the 5 basic security controls are effectively implemented. Further information can be found in our blog on Cyber Essentials: Frequently Asked Questions.

Applicability of Cyber Essentials to SMEs

For many SMEs, Cyber Essentials provides a means of gaining external assurance for their cyber security without taking on the significant cost that other standards or certifications come with. In addition, the guidance for achieving Cyber Essentials is free, with a dedicated Knowledge Hub. The scheme is also designed to be achievable by organisations of any size, but it is especially applicable to SMEs, often more so than to large enterprises.

Cyber Essentials: Benefits to SMEs

Cyber Essentials enables you to gain clarity over your cyber security posture and build a strong starting foundation for protecting your organisation against cyber attacks. In its study, DSIT found that 91% of Cyber Essentials users reported that the scheme directly improved their confidence in being protected in the event of an attack.

Cyber security is a constant cycle of improvement, and it is much more straightforward to improve your organisation's cyber security effectively when working from a solid, established framework. This, perhaps, is part of the reason that 76% of Cyber Essentials users successfully took additional steps beyond the Cyber Essentials technical controls. Without initially following a scheme such as Cyber Essentials, it would be difficult to ensure that resources are being applied effectively.

Further to the above, the scheme enables you to verify that you have effective cyber security measures in place, allowing you to provide customers and third parties with external assurance of your cyber security practices from a respected source (i.e., the National Cyber Security Centre (NCSC), which developed the scheme and stipulates its requirements). In its survey, DSIT found that 33% of respondents were actively considering mandating Cyber Essentials of their suppliers in the future, and that 61% were more likely to select a supplier that uses Cyber Essentials.

Closing Thoughts

Certification to Cyber Essentials is perhaps one of the most effective first steps your organisation can take in its cyber security journey, helping you to establish strong security foundations whilst also providing external validation of your cyber security practices. If you are not taking your first steps, but instead feel you are already well ahead in your cyber security journey, certification to Cyber Essentials provides an opportunity to review your essential cyber security controls and check how they compare against an established framework. With increasing numbers of businesses requiring Cyber Essentials certification from their suppliers, and with the high rate of companies reporting improved security confidence following implementation, the scheme represents a valuable investment for SMEs looking to enhance their cyber security posture.

How URM Can Help

As an accredited certification body for Cyber Essentials and an NCSC Assured Cyber Advisor, URM has facilitated hundreds of successful Cyber Essentials and Cyber Essentials Plus assessments, giving us a wealth of knowledge and experience around the scheme. Our assessors can provide a range of services to both facilitate and help you prepare for your Cyber Essentials assessment. These services include (but are not limited to) conducting a gap analysis to help you identify any areas of non-compliance, working through a Cyber Essentials checklist with you before you complete your SAQ, and checking your already completed SAQ prior to submission.

George Ryan is a Consultant at URM, working predominantly with ISO 27001. He is an IASME certified Cyber Essentials and Cyber Essentials Plus Assessor.