How to achieve Cyber Essentials accreditation for your SME
If a cyber insurer, a client or your board asks for Cyber Essentials accreditation, they’re not asking for perfection — they want basic, demonstrable controls that stop the obvious attacks. For UK SMEs of 10–200 staff, the gap between “we think we’re secure” and an actual certificate is usually procedural and low-cost. This post names the common points of failure, explains how to check each one, and gives the immediate next step you should take.
Admin and shared accounts still using weak or reused passwords — force resets and enable MFA
Problem: Administrators and shared accounts often have weak, reused passwords and no multi-factor authentication (MFA). That single weakness hands attackers a direct route to your network.
Diagnosis: Pull a list of accounts with elevated privileges: domain admins, cloud tenant admins, remote-access users and any shared inboxes. Check whether those accounts have MFA enabled and whether passwords are company-managed (not personal notes or sticky labels). If you can’t get that list quickly, that itself is a red flag.
Next step: Immediately require MFA for every admin-level account and schedule a forced password reset for shared credentials. Make this explicit in policy and log the changes. For Cyber Essentials accreditation you’ll need evidence of MFA and a short policy showing who has admin rights. If you need a practical checklist for the next actions, our Cyber Essentials page explains typical evidence and small technical fixes that close this gap.
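The privileged-account list the Diagnosis step asks for, as an added PowerShell example (not code from the original post). It assumes the RSAT ActiveDirectory module for the on-premises domain and the Microsoft.Graph module for an Entra ID tenant; the group and role names are the standard defaults and the scopes requested are the read-only ones those cmdlets need.

```powershell
# Added example: enumerate privileged accounts and flag any with no MFA method registered.
# Assumptions: RSAT ActiveDirectory module (on-prem), Microsoft.Graph module (Entra ID),
# default group/role names. Adjust the lists for your own domain and tenant.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

$report = [System.Collections.Generic.List[object]]::new()

# 1. On-premises AD: every user in the high-privilege groups, nested groups expanded.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser $_ -Properties PasswordLastSet, Enabled
            $report.Add([pscustomobject]@{
                Source = 'AD'; Account = $u.SamAccountName; Privilege = $group
                Enabled = $u.Enabled; PasswordLastSet = $u.PasswordLastSet
                MfaRegistered = 'n/a (checked on the cloud identity below)'
            })
        }
}

# 2. Entra ID: members of the admin roles, and whether each has a non-password method registered.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All'
foreach ($roleName in 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator') {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }      # role not yet activated in this tenant
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # skip groups and service principals
        $methods = Get-MgUserAuthenticationMethod -UserId $m.Id
        # Anything other than the password itself counts as a registered second factor.
        $strong = $methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        }
        $report.Add([pscustomobject]@{
            Source = 'Entra'; Account = $upn; Privilege = $roleName
            Enabled = $null; PasswordLastSet = $null
            MfaRegistered = [bool]$strong
        })
    }
}

# Dated CSV for the audit folder, plus the short list that needs fixing today.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$report | Export-Csv -NoTypeInformation -Path "admin-accounts-$stamp.csv"
$report | Where-Object { $_.MfaRegistered -eq $false } | Format-Table Account, Privilege -AutoSize
```

Shared mailboxes and remote-access accounts are not covered by the role queries above; add them to the same CSV by hand so the auditor sees one list.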
Windows machines with patch deferral or no update policy — deploy updates and document the process
Problem: Laptops and servers running old Windows builds or with updates deferred create a continual, exploitable surface. Relying on users to click “remind me later” is not a patch policy.
Diagnosis: Inventory all Windows endpoints and servers. Note the OS build numbers and the last patch date. If patching is manual or delegated to staff who aren’t tracked, you’ve got an audit problem as much as a security one.
Next step: Put a short-term maintenance window in place to ensure critical updates are applied within 48–72 hours. Then set a routine: monthly update cycle, automatic reboots outside business hours and a simple record that shows successful update runs. For Cyber Essentials you don’t need a sophisticated management platform — you do need proof that patches are applied and logged.
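The endpoint inventory from the Diagnosis step, as an added PowerShell example rather than code from the original post. It assumes WMI/WinRM access from an administrative workstation, a hand-maintained hosts.txt with one hostname per line, and a 35-day threshold (one monthly cycle plus a few days' grace) as the definition of "overdue".

```powershell
# Added example: OS build, last boot and most recent hotfix per Windows host, with an age check.
# Assumptions: hosts.txt lists hostnames; the admin workstation can reach them over WMI/WinRM;
# $maxAgeDays is a chosen threshold, not a Cyber Essentials figure.
$hosts      = Get-Content .\hosts.txt
$maxAgeDays = 35
$today      = Get-Date

$inventory = foreach ($h in $hosts) {
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        # Newest hotfix that carries a parseable install date; some entries have none.
        $lastFix = Get-HotFix -ComputerName $h -ErrorAction Stop |
            Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1
        $age = if ($lastFix) { ($today - $lastFix.InstalledOn).Days } else { $null }
        [pscustomobject]@{
            Host         = $h
            OS           = $os.Caption
            Build        = $os.BuildNumber
            LastBoot     = $os.LastBootUpTime      # an old boot time means a pending reboot, not an applied patch
            LastPatchKB  = $lastFix.HotFixID
            LastPatch    = $lastFix.InstalledOn
            PatchAgeDays = $age
            Status       = if ($null -eq $age) { 'UNKNOWN' } elseif ($age -gt $maxAgeDays) { 'OVERDUE' } else { 'OK' }
        }
    } catch {
        # An unreachable host is an inventory gap in its own right: record it rather than dropping it.
        [pscustomobject]@{
            Host = $h; OS = $null; Build = $null; LastBoot = $null; LastPatchKB = $null
            LastPatch = $null; PatchAgeDays = $null; Status = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# Dated CSV for the audit folder; the console view sorts the problems to the top.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$inventory | Export-Csv -NoTypeInformation -Path "patch-inventory-$stamp.csv"
$inventory | Sort-Object Status -Descending | Format-Table Host, Build, LastPatchKB, PatchAgeDays, Status -AutoSize
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists cumulative and security updates but not every component update, so treat the result as the floor of patch age rather than a full update history.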
Default router and firewall settings still in use — lock down management and document changes
Problem: Many businesses leave routers, firewalls and VPNs on factory defaults: default admin credentials, open remote management, or basic passwords. That’s an easy path for anyone who can reach the device, including contractors or guests.
Diagnosis: Check every network appliance for default credentials, enabled remote management, and unused open ports. Look for UPnP left on, or multiple open RDP/SSH rules on the firewall. If you find devices accessible from the internet with admin panels exposed, treat those as urgent.
Next step: Immediately disable remote admin from the internet, change default credentials to a strong, unique passphrase and lock down administrative access to a small set of IPs or jump servers. Record the configuration changes and save the firewall rule set; Cyber Essentials expects documented, consistent network controls, not ad-hoc tinkering.
Unmanaged cloud apps signed up with personal emails — inventory services and enforce single sign-on
Problem: Staff often sign up for SaaS tools with personal addresses. Those shadow services can hold company data and sit outside your control, complicating an accreditation audit.
Diagnosis: Ask department heads for a list of business-critical tools, then cross-check with finance for card charges and with HR for sign-ups tied to personal email addresses. Identify any service where company data would be exposed if an ex-employee kept access.
Next step: Create a documented inventory and require business-critical services to use company-managed accounts with single sign-on (SSO) where possible. If SSO isn’t available, enforce company email accounts, and ensure administrators can revoke access centrally. Evidence of an inventory and an access-control plan will cover most of the Cyber Essentials questions on cloud use.
Closing the loop: quick evidence collection and the audit-ready folder
Problem: Failing cyber checks isn’t just bad security — it’s a paperwork problem. Small firms often do the right things but can’t produce evidence under the auditor’s timescale.
Diagnosis: If you can’t pull screenshots, logs or a policy and email trail within an hour for the items above, you don’t have audit-ready evidence. That’s fixable, but it’s the main reason startups and SMEs fail the first assessment.
Next step: Create an audit folder (digital) containing: a current device inventory, a user/admin list, MFA screenshots for admins, recent patch reports, and firewall/router configuration exports. Label each file with the date and author. Keep the folder to no more than a few MB and back it up securely. That folder is the fastest route from chaos to certificate.
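A manifest builder for the audit folder, added here as an example and not part of the original post. It assumes the exports already sit in a folder named CyberEssentials-Evidence, takes the file-name prefixes and the 5 MB limit as assumptions you can adjust, and records a SHA-256 per file so the auditor can see the evidence was not altered after export.

```powershell
# Added example: label and hash every file in the audit folder, then check for gaps and size.
# Assumptions: evidence already exported to .\CyberEssentials-Evidence; prefixes and limit are chosen here.
$folder   = '.\CyberEssentials-Evidence'
$expected = 'device-inventory', 'admin-accounts', 'mfa-', 'patch-inventory', 'firewall-', 'router-'
$maxBytes = 5MB
$root     = (Resolve-Path $folder).Path

$files = Get-ChildItem -Path $folder -File -Recurse | Where-Object Name -ne 'MANIFEST.csv'

$manifest = foreach ($f in $files) {
    [pscustomobject]@{
        File     = $f.FullName.Substring($root.Length + 1)
        SizeKB   = [math]::Round($f.Length / 1KB, 1)
        Modified = $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        Author   = (Get-Acl $f.FullName).Owner     # who exported it; override for files copied in by someone else
        SHA256   = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -NoTypeInformation -Path (Join-Path $folder 'MANIFEST.csv')

# Gap check: every evidence category has at least one file with the agreed prefix.
$missing = $expected | Where-Object { -not ($files.Name -match "^$_") }
if ($missing) { Write-Warning "No evidence file for: $($missing -join ', ')" }

# Size check against the 'few MB' guideline so the folder stays easy to back up and send.
$total = ($files | Measure-Object Length -Sum).Sum
if ($total -gt $maxBytes) { Write-Warning ('Folder is {0:N1} MB; trim screenshots or exports' -f ($total / 1MB)) }

$manifest | Format-Table File, SizeKB, Modified, Author -AutoSize
```

Re-run the script after every export so MANIFEST.csv always matches the folder; a hash that no longer matches is the first thing to explain to an assessor.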
Wrap-up and immediate action
If you’re short on time this week, choose one of the three highest-risk gaps from above and close it. For most UK SMEs those three are enabling MFA for admins, applying outstanding Windows updates, and locking down network devices. Those actions reduce breach risk, simplify the audit and improve your negotiating position with clients and insurers.
Want a small, practical next move? Schedule a 60‑minute internal review with your IT lead and set three measurable actions: MFA enabled for admins, patch run completed, and an audit folder created. Do that this week and you’ll materially speed any Cyber Essentials accreditation process — which translates into saved time, reduced insurance friction and better client credibility.