When considering a new IT supplier, it's important to verify whether they meet the Cyber Essentials standard. This UK government-backed certification shows that a company follows basic but effective cybersecurity practices to protect against common threats. For a small or medium-sized business, working with a supplier who holds Cyber Essentials can reduce the risk of cyberattacks that might cause costly downtime, data breaches, or damage to your reputation.
Why Cyber Essentials matters for your business
Cyber Essentials focuses on five technical controls: firewalls (boundary and host-based), secure configuration, user access control, malware protection, and security update management (patching). These are practical controls that close off the common, low-effort routes attackers use, such as unpatched internet-facing services, default credentials and unrestricted admin accounts. If your IT provider holds the certification, it has demonstrated a baseline of security management; that baseline supports, but does not by itself satisfy, your own obligations under UK data protection law such as the Data Protection Act 2018 and UK GDPR.
For example, imagine a UK-based manufacturing firm with 50 employees. It relies on its IT supplier to manage its network and protect sensitive customer and employee data. Without Cyber Essentials, the supplier might leave critical updates unapplied or lack proper access controls, increasing the risk of ransomware or data theft. A Cyber Essentials certified supplier is expected to apply critical and high-risk security updates within 14 days of release, enforce a password policy and multi-factor authentication on cloud services, and run malware protection on every in-scope device, which helps keep the business operational and compliant.
How to check if a supplier meets Cyber Essentials
To confirm a supplier's Cyber Essentials status, ask for their certificate and check it against the public certificate search that IASME (the NCSC's Cyber Essentials partner) maintains, rather than relying on a PDF alone. Certificates are issued by certification bodies licensed through IASME and are valid for 12 months, so a current certificate should be less than a year old. Also read the stated scope: a certificate may cover the whole organisation or only a named subset of it, and only the in-scope systems have been assessed. Be aware that Cyber Essentials has two levels: the basic Cyber Essentials, which is a verified self-assessment questionnaire, and Cyber Essentials Plus, which adds hands-on technical verification by an assessor (external vulnerability scanning, authenticated scanning of internal devices, and malware and malicious-download tests). Knowing which level the supplier holds, and what is in scope, helps you judge how much assurance the certificate actually gives.
Here's a practical checklist to guide your assessment:
- Request their Cyber Essentials certificate, check the expiry date, confirm the scope covers the services they deliver to you, and verify the certificate on the IASME public search.
- Ask if they hold Cyber Essentials Plus, which involves independent testing rather than just self-assessment.
- Inquire about their approach to patch management: Cyber Essentials requires critical and high-risk security updates to be applied within 14 days of release, so ask how they meet that and how they handle devices that cannot be patched.
- Confirm their policies on access control, such as whether they enforce multi-factor authentication (MFA) for remote access.
- Check if they perform regular malware scans and maintain up-to-date antivirus software.
- Request evidence of secure configuration for firewalls and network devices.
- Review their incident response plan to understand how they handle security breaches; Cyber Essentials does not assess incident response, so this needs to be checked separately.
- Ask for references or case studies.
Common pitfalls to avoid
Some suppliers claim to be Cyber Essentials certified but cannot provide valid proof, or present a certificate that has lapsed or whose scope excludes the part of the business that serves you. Others hold only the basic level, which is a good start but rests on self-assessment and is less comprehensive than Cyber Essentials Plus. Certification is also a point-in-time check: it does not guarantee ongoing security, so understand how the supplier actively maintains and updates its controls between assessments.
Finally, consider how their security practices align with your own compliance needs. For example, if you handle payment card data, you may need additional controls beyond Cyber Essentials to meet PCI DSS requirements.
Next steps
Verifying Cyber Essentials certification is a practical first step towards choosing a reliable IT partner who takes cybersecurity seriously. To get a full picture of their capabilities and how they can support your business, speak with a trusted managed IT provider or IT advisor. They can help you interpret the certificate's level and scope, assess the remaining risks, and confirm the supplier meets your specific security and compliance needs.