Cyber Essentials – are you prepared?

November 5, 2014

Paul Holborow, Head of IT Services at RMT Accountants and Business Advisors, takes a look at the Governments’ Cyber Essentials scheme aimed at SME’s.

Launched in June 2014, the Government’s Cyber Essentials Scheme aims to protect SME’s from common internet based threats. It does this by suggesting implementing basic controls in 5 core areas. Alongside this, an assurance framework allows the SME to gain certification so it can demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

The process begins with the completion of a self assessment questionnaire which covers the following 5 core areas:

• Firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management

The SME can then approach a registered independent assessor to demonstrate its compliance and achieve accreditation – a badge to certify it does have the basic cyber security controls in place. This process can cost around £300 or so. There is also a Cyber Essentials Plus scheme which follows this up with penetration testing of your defences, an exercise that could cost £1000-£3000.

Why would an SME go this far? Well, if you have a contract with government, it’s mandatory for new contracts awarded after 1 October 2014. It also provides a competitive advantage too at relatively low cost – if you are compliant and your competitor isn’t, then you have an advantage over them. Whether you’re bidding for government work or not, having good defences does also protect your business from fraud, which can only be a good thing.

Some SME’s though may see this as a distraction from their everyday work and yet more ‘red tape’, even though it’s been designed to be simple to carry out. Some SME’s may need to use consultants to help conduct the survey, with the added cost this will entail. And whilst covering these basic elements is a start, they don’t necessarily help protect against other threats to business data, which are covered in more detail in the CESG 10 steps to Cyber Security guide. This covers additional protection measures such as developing a risk management regime, mobile working, user education and training all of which address the very real risk of data loss from within the organisation.

Overall, I think the scheme is an excellent start to getting SME’s to think about cybersecurity and to putting in place certain minimum measures to protect the business. More needs to be done though for businesses to really make security part of the business culture.

For more information, please contact or call 0191 2569550.


Our key focus is outstanding client service. We are always on the look out for high quality team members in the following areas…

If you would like to be part of a progressive, growing practice please upload your CV here.

  • Accepted file types: pdf, doc, png.
  • This field is for validation purposes and should be left unchanged.