What is Cyber Essentials and does your West Sussex business need it?
You've probably seen Cyber Essentials mentioned in a contract, an insurance renewal, or a supplier questionnaire. It keeps coming up, and if you're running a business in West Sussex, chances are it's going to keep coming up more. But what actually is it, and does your business genuinely need it?
This is one of the most common questions we get from SMEs across Haywards Heath, Crawley, Horsham, and Worthing. So let's answer it properly.
What is Cyber Essentials?
Cyber Essentials is the UK government's baseline cybersecurity certification scheme. It was developed by the National Cyber Security Centre (NCSC) to give organisations a straightforward way to demonstrate that they've implemented the fundamental security controls needed to defend against the most common types of cyberattack.
The scheme focuses on five core technical controls:
• Firewalls and boundary controls — protecting your network perimeter so only legitimate traffic gets through.
• Secure configuration — removing unnecessary services and default settings that attackers routinely exploit.
• User access control — ensuring people only access what they actually need, with unique accounts and controlled admin rights.
• Malware protection — deploying and maintaining endpoint security across all devices.
• Patch management — applying security updates within 14 days of release for internet-connected systems.
If you implement these five areas correctly, you block the vast majority of commodity attacks: the ones launched at volume against as many businesses as possible. We're talking about automated scans looking for unpatched systems, malware delivered through phishing, and opportunistic access through misconfigured services.
How does the certification work?
There are two levels: Cyber Essentials and Cyber Essentials Plus.
The standard Cyber Essentials certification is a self-assessment. You work through a questionnaire covering the five control areas, confirm you've implemented the required controls, and an accredited certification body reviews your answers. If you pass, you receive a certificate that's valid for twelve months.
Cyber Essentials Plus goes further. An independent assessor verifies your controls through external vulnerability scanning and an internal technical assessment. We'll cover this in more detail in a separate post — but the short version is that Plus provides verified evidence rather than a self-reported claim.
Does your West Sussex business actually need it?
This is where we have to be honest rather than just telling you yes to sell you something. Whether you need Cyber Essentials depends on a few practical factors.
You almost certainly need it if you supply to the public sector. Government contracts increasingly require Cyber Essentials as a condition of procurement. If you're tendering for any work with local authorities, NHS trusts, or central government departments — even indirectly as a sub-contractor — this will come up.
You're increasingly expected to have it if you work in regulated industries. Healthcare, financial services, and legal are all sectors where clients and regulators are raising the bar on supplier security standards. Cyber Essentials is becoming the baseline expectation, not a differentiator.
Your clients may require it even if they're not in the public sector. Larger organisations are auditing their supply chains more rigorously. We work with businesses across West Sussex that have received requests from clients asking for evidence of Cyber Essentials certification. This trend is accelerating.
It's worth doing even without a specific requirement. The five controls address the areas that account for the majority of successful attacks on UK SMEs. In 2024, the average cost of a cyber breach for an SME reached £15,300. Implementing Cyber Essentials controls isn't just about a certificate — it's about closing the gaps that attackers are actively looking for.
What does it cost?
The cost of Cyber Essentials self-assessment through an accredited certification body typically starts from around £300 to £500 for a small organisation. Cyber Essentials Plus is a more significant investment — we'll cover the full cost breakdown in a dedicated post.
For most West Sussex SMEs, the bigger cost is the time and effort required to actually implement the controls before you go through the assessment. If your systems haven't had much attention, there will be gaps to address.
Where do I start?
The most useful first step is understanding where you actually stand before you commit to anything. A security audit will tell you which of the five control areas you've already addressed, where the gaps are, and what work is needed before you'd pass an assessment.
That's exactly what our free security audit covers. We work with businesses across West Sussex — from small professional services firms in Haywards Heath to growing businesses in Crawley and Worthing — helping them understand their real security posture and what certification actually requires.
If Cyber Essentials is on your radar, or if it's been raised by a client or insurer, talk to us. We'll give you a straight answer about where you stand and what to prioritise.