
Why Most SMEs Fail Cyber Essentials (And How to Fix It)

Cyber Essentials has a 3% adoption rate among UK businesses. Here's why so many fail and what practical steps to take before your next assessment.

Abiola Oyegun, 10 April 2026, 3 min read

Cyber Essentials has existed in the UK since 2014. The government launched it, and the NCSC now runs it, specifically to protect organisations from the most common, largely untargeted cyber attacks. It's not complex. It's not expensive. Yet adoption sits at just 3% of UK businesses.

Why? And more importantly — what can you do about it?

The five controls Cyber Essentials actually tests

The scheme assesses five technical controls:

  1. Firewalls — is your internet boundary protected?
  2. Secure configuration — are your devices and software set up securely by default?
  3. User access control — do people only have the access they actually need?
  4. Malware protection — are your devices protected from malicious software?
  5. Patch management — are your systems and software kept up to date?

That's it. No penetration testing. No complex risk registers. No ISO 27001-style documentation. The basic level is a self-assessment questionnaire checked by an assessor; Cyber Essentials Plus adds an independent technical audit, but of the same five controls.

Why SMEs fail

The most common failure points are not technical. They're procedural.

1. Shadow admin accounts

The number one reason firms fail: multiple users with local administrator rights on their laptops, often without anyone realising it. The account created during Windows 10/11 setup is a local administrator by default, so anyone who set up their own laptop is probably still running as admin. The fix is straightforward: audit the members of the local Administrators group on every device, make day-to-day accounts standard users, and keep a separate, named admin account for the tasks that genuinely need it.

2. Outdated software on one machine

A single in-scope laptop running an unsupported version of Windows or an old browser will fail the assessment: unsupported software has to be removed, or moved out of scope onto a segregated network. Patch management needs to be systematic, not reactive.

3. MFA not enabled on cloud services

Since the January 2022 update to the requirements, Cyber Essentials has required multi-factor authentication for cloud services. Microsoft 365, Google Workspace, and similar tools must have MFA enabled for all users, administrators included. A single account that can still sign in with only a password is enough to fail this control, and it trips up a surprising number of organisations.

4. The assessment is treated as a one-day exercise

Many firms book an assessment, realise they're not ready, and fail — then spend three months fixing issues they could have caught in a two-hour internal audit beforehand.

A practical pre-assessment checklist

Before you pay for an assessment, run through these yourself:

  • [ ] Audit all user accounts, local and cloud, and remove or disable any that aren't needed (leavers, shared logins, old test accounts)
  • [ ] Ensure day-to-day user accounts have no local admin rights, with a separate admin account used only for admin tasks
  • [ ] Confirm MFA is enforced for every user, admins included, on each cloud service you use
  • [ ] Run Windows Update on every device and confirm critical and high-severity updates are installed within 14 days of release
  • [ ] Verify each device's firewall is on and blocks inbound connections by default, with only the exceptions you actually need
  • [ ] Check that anti-malware is installed, running, and receiving updates on all devices
  • [ ] Remove any software the vendor no longer supports (unsupported Windows versions, old browsers, legacy apps), or move it out of scope
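One way to run the device-side items of this checklist, and the local-admin audit from failure point 1 above, on a single Windows endpoint. This is an added example, not code from the original article or from Xcevia. It assumes Windows 10/11 with the built-in LocalAccounts, NetSecurity and Defender PowerShell modules, an elevated session, and Windows Update reachable; the 7/14/90-day thresholds and the PASS/REVIEW/FAIL labels are the script's own choices, not the scheme's wording. Cloud MFA is a tenant setting and is not checked here.

```powershell
# Cyber Essentials pre-assessment check for a single Windows endpoint.
# Added example, not code from the original article or from Xcevia. Run it in
# an elevated Windows PowerShell 5.1 or PowerShell 7 session on the device.
# The 7/14/90-day thresholds and the PASS/REVIEW/FAIL labels are this script's
# own assumptions, chosen to mirror the checklist, not the scheme's wording.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
}
$now = Get-Date

# --- User access control: who holds local admin, and which accounts are unused
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Where-Object ObjectClass -eq 'User')
# One dedicated admin account is the norm; everyone else should be a standard user.
$status = if ($admins.Count -le 1) { 'PASS' } else { 'REVIEW' }
Add-Finding 'User access control' $status ("Local Administrators: " + (($admins | ForEach-Object Name) -join ', '))

$stale = @(Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $now.AddDays(-90))
})
$status = if ($stale.Count -eq 0) { 'PASS' } else { 'REVIEW' }
Add-Finding 'User access control' $status ("Enabled accounts idle 90+ days: " + (($stale | ForEach-Object Name) -join ', '))

# --- Secure configuration: the built-in Guest account must stay disabled
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$status = if ($guest -and $guest.Enabled) { 'FAIL' } else { 'PASS' }
Add-Finding 'Secure configuration' $status "Guest account enabled: $([bool]($guest -and $guest.Enabled))"

# --- Patch management: supported OS, and no overdue high-severity updates
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Windows 11 builds start at 22000. Windows 10 reached end of support on
# 14 October 2025 (LTSC editions and paid ESU aside), so a lower build fails here.
$status = if ($build -ge 22000) { 'PASS' } else { 'FAIL' }
Add-Finding 'Patch management' $status "$($os.Caption), build $build"

try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    # The scheme expects critical/high-severity fixes installed within 14 days of
    # release; MSRC 'Important' is treated here as the high-severity band.
    $overdue = @($pending | Where-Object {
        ($_.MsrcSeverity -in 'Critical', 'Important') -and ($_.LastDeploymentChangeTime -lt $now.AddDays(-14))
    })
    $status = if ($overdue.Count -eq 0) { 'PASS' } else { 'FAIL' }
    $detail = if ($overdue.Count -eq 0) { 'no security update older than 14 days pending' } else { ($overdue | ForEach-Object Title) -join '; ' }
    Add-Finding 'Patch management' $status $detail
} catch {
    Add-Finding 'Patch management' 'REVIEW' "Windows Update search failed: $($_.Exception.Message)"
}

# --- Firewalls: every profile on, inbound blocked unless explicitly allowed
foreach ($p in Get-NetFirewallProfile) {
    # NotConfigured falls back to Block for inbound; only an explicit Allow, or a
    # disabled profile, is a failure.
    $bad = ("$($p.Enabled)" -ne 'True') -or ("$($p.DefaultInboundAction)" -eq 'Allow')
    $status = if ($bad) { 'FAIL' } else { 'PASS' }
    Add-Finding 'Firewalls' $status "$($p.Name): Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
}

# --- Malware protection: Defender if active, otherwise whatever Security Center reports
$mp = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
}
if ($mp -and $mp.AntivirusEnabled) {
    $status = if ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7) { 'PASS' } else { 'FAIL' }
    Add-Finding 'Malware protection' $status "Defender: RTP=$($mp.RealTimeProtectionEnabled), signatures $($mp.AntivirusSignatureAge) day(s) old"
} else {
    # Third-party AV: Security Center lists the product but not whether it is
    # current, so this needs a manual look in the product's own console.
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $status = if ($av.Count -gt 0) { 'REVIEW' } else { 'FAIL' }
    Add-Finding 'Malware protection' $status ("Registered AV: " + (($av | ForEach-Object displayName) -join ', '))
}

# --- Summary: anything FAIL is a likely assessment failure on this device
$findings | Format-Table -AutoSize -Wrap
$fails = @($findings | Where-Object Status -eq 'FAIL').Count
Write-Host "$fails failing control(s) on $env:COMPUTERNAME; fix these before paying for an assessment."
```

Run it on each in-scope device (or push it through your RMM tool) and keep the output: a REVIEW line means a human needs to look, a FAIL line is a finding an assessor would raise. The cloud-side checks, MFA enforcement above all, still have to be done in the Microsoft 365 or Google Workspace admin console.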

This doesn't take a security expert. It takes a couple of hours of structured attention.

What changes after you're certified

Cyber Essentials certification has been required since 2014 (Procurement Policy Note 09/14) for suppliers bidding on central government contracts that involve handling personal or sensitive information, or providing certain ICT products and services. Beyond government work, it signals to clients, insurers, and partners that you take basic security seriously.

More practically: completing the process forces a structured review of your own IT environment. Most organisations find things they didn't know were there.

If you need help preparing, get in touch with Xcevia. We run straightforward pre-assessment readiness checks that identify gaps before you spend money on a formal assessment.
