Cyber Essentials aims to protect businesses against the most prevalent cyberattacks. The scheme consists of five control areas (or requirements) that target the various aspects of cybersecurity. Here we explain each of the five Cyber Essentials requirements and how following them can help protect your business’ data.

1. Use a firewall for securing your network

Purpose: To ensure only the safe and required network services of an organisation can be accessed from external networks.

Under the Cyber Essentials scheme, it is mandatory for all devices connected to the internet to be secured with a firewall. Using a firewall creates a buffer zone known as the demilitarised zone between an organisation’s IT network and an external network. In simpler terms, it provides a protective layer between devices and external networks such as the internet to keep out harmful bugs and viruses.

This applies to all kinds of devices including desktops, laptops, routers, servers, and personal devices.

2. Make use of secure settings and passwords

Purpose: To ensure that all devices are properly configured to reduce vulnerabilities.

Most hardware and software have default configurations so you can easily start using them after you buy them. However, many default settings are well known to attackers and provide them with a point-of-entry into your systems. 

That’s why the second key requirement of Cyber Essentials is to change default configurations including passwords to recommended secure settings. Varonis’ 2019 Risk Report showed 61% of companies have over 500 accounts with non-expiring passwords. Additionally, this requirement also specifies guidelines for implementing a password policy

This requirement applies to web servers, email servers, software and applications, routers, firewalls, desktops, laptops, and personal devices.

3. Access control for data and services

Purpose: To ensure that all users are authorised individuals, and have only as much access to IT resources as required to perform their tasks.

According to the 2019 Varonis Global Data Risk Report, 53% of companies found over 1,000 sensitive files open to every employee and 22% of all folders open to every employee. Only the most relevant people should be given administrative rights to access everything. If a user can access only the data and services that they need for their work rather than all of the companies files, then only those particular areas will be affected if their account is compromised. 

The Cyber Essentials certification requires that access to your data is controlled. Under the scheme, administrator privileges should only be given to the most trusted people. This requirement applies to user accounts, data, and services.

4. Protect your devices against viruses and malware

Purpose: To protect systems against known viruses and malware, and to prevent any harmful code from accessing data.

Without proper protection, all devices and software are prone to malware attacks. There are various forms of malware that can affect devices including ransomware, viruses, and spyware. If one device is affected then malware can quickly spread to other connected devices as well.

Therefore, the Cyber Essentials scheme requires businesses to make use of antivirus software on all devices. This requirement applies to laptops, desktops, servers, and personal devices.

5. Keep all devices and software updated and patched

Purpose: To protect software and devices against known security threats that have already been solved.

All devices and software must be kept up to date. Regular updates are released by developers to fix any known security vulnerabilities.

Whenever a patch or update is released, it should be installed on the systems immediately.  This rule applies to devices, installed applications, and operating systems. This requirement applies to applications, firewalls, web servers, email, routers, laptops, desktops, and personal devices.


Understanding the five requirements of Cyber Essentials is the first step towards compliance. Cyber Essentials is one of the simplest cybersecurity standards out there. However, it still involves a lot of technical requirements which is why CyberSmart offers an automated compliance service that helps simplify and accelerate the journey towards Cyber Essentials.