Why Cyber Essentials is the baseline for business protection

Would you leave your front door open for anyone passing by to enter? Unlikely. Chances are, you’d make sure it’s shut properly and maybe even locked and/or bolted.

Many cyberhackers are chancers who test an entry system to see if it’s easy to access. They’re akin to a thief who tries a door to see if it swings open.

Cyber Essentials provides a first line of defence for your business. It’s an accessible, yet powerful, form of cyber security. And the government backs it as an effective security layer for businesses.

Daniel Clarke, Head of Professional Services here at Mirus, explains what Cyber Essentials really means, why it matters, and how SMEs can approach cyber security with confidence.

What’s Cyber Essentials all about?

Danny Clarke (DC): Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against common cyber threats. It’s governed by the National Cyber Security Centre (NCSC) and administered by IASME.

Cyber Essentials shows a level of security that the British government believes is required for businesses to stay safe. Without it, your business isn’t eligible to provide services for certain contracts, such as government. As a certified body for the scheme, Mirus can provide you with assessments and certifications.

Why should SMEs care?

DC: This isn’t just a checkbox exercise. It’s a mindset. It’s about understanding what you’re doing with your systems and ensuring you’re always considering the security implications.

Compliance might be a motivating factor, alongside being eligible to pursue government contracts. But Cyber Essentials also demonstrates a broader commitment to good governance. By performing proactive checks, you reduce the chances of having a security breach. It gives you the best chance of discovering (and fixing) the vulnerabilities before hackers do.

Cyber Essentials goes beyond a government scheme. We’re now seeing more and more private sector clients asking for proof of certification before engaging with new partners.

Cyber Essentials ultimately gives you peace of mind. It’s a verified stamp that says your business follows baseline security best practices.

What’s the assessment process like?

DC: Contrary to what you may assume, Cyber Essentials is largely a self-assessment for businesses. You answer a series of questions about your IT setup, from firewalls and user permissions to software patching and access controls. Then a certified assessor, like Mirus, validates those answers.

But business owners or employees don’t always know all those answers. They’re not tech experts and don’t need to understand the intricacies of their IT systems. That’s where Mirus steps in – collating technical data, simplifying responses, and guiding clients through the assessment. It’s a collaborative process.

It’s important to remember that cyber security should be an ongoing activity. The Cyber Essentials assessment is annual, but businesses should be using cyber security best practice to influence everything they’re doing with their infrastructure and data.

What are the most common vulnerabilities identified in the audit?

1. Undefined or undocumented processes: Many SMEs lack formal processes (in particular, for new starters or leavers). This makes it hard to explain who has access to what systems and why.
2. Misunderstood cloud security: Businesses often use multiple cloud services (such as HR systems, project management platforms, file storage). They believe wrongly that the cloud platforms handle security. Ultimately, cloud platforms hold your data so you’re responsible for that.
3. Weak administrative controls: Default usernames, shared admin accounts, or lack of multi-factor authentication (MFA) are all red flags.
4. Access to data: Too many people use admin accounts for everyday activities rather than only to access restricted data. Also, these admin accounts must be kept to a minimum, secured with strong passwords, and have multi-factor authentication.
5. Lack of infrastructure knowledge: Often, businesses don’t have a clear view of which devices are accessing their company data. And the latest patch updates aren’t always deployed.
6. Reactive rather than proactive mindsets: Some companies view cyber security as a once-a-year box to tick, instead of an ongoing business discipline.

What are the real-world risks businesses are exposed to?

DC: Failure to implement even basic Cyber Essentials controls opens your door to phishing attacks, ransomware, and more.

Phishing is a huge problem. People are unwittingly giving away information because they respond to a phishing email. Some phishing emails are blatantly dodgy and unbelievable, so easy to identify. But there are very detailed and sophisticated phishing attempts now.

For example, we recently saw a phishing email disguised as a Domino’s Pizza promotion. It offered some free vouchers, and all it asked you to do was link it to your Microsoft account. Yet, once a hacker gains access to an account, particularly in a Microsoft 365 environment, they can access email, cloud storage, calendars, and potentially even devices – especially if security configurations are lax.

What practical security advice do you have for SMEs?

DC: Make these best practices part of your everyday operations:
• Regularly patch all devices (laptops, phones, tablets)
• Enforce MFA wherever possible
• Establish clear access controls for all users
• Create simple, written processes for system usage and changes
• Test employees with simulated phishing campaigns
• Run security awareness training sessions

Cybersecurity isn’t a one-time fix. It should be baked into your day-to-day thinking. Whether you’re onboarding new software or expanding a department, you should be asking: what are the security implications?

Keep out cyber attackers with Mirus’ help

Cyber Essentials is more than just a tick-box exercise. It’s a foundation for good cybersecurity practices and a powerful step toward securing your data, your clients, and your business future.

Our certified Mirus professionals like Danny can support you to gain your Cyber Essentials certification. Importantly, we’re here to help you become more secure and less vulnerable to attack. We adapt our services to your needs, be that weekly contact or quarterly reviews for example.

Don’t leave your business open to attack. Shut out unwanted hackers with optimised cybersecurity practices. Contact us for tailored advice and security services.