Your 2026 Cyber Essentials Checklist for UK SMEs

You're about to complete a supplier questionnaire, and one line stops the process cold. “Do you hold Cyber Essentials certification?” For a lot of UK SMEs, that's the moment cyber security stops being an IT nice-to-have and becomes a commercial requirement.

The same thing happens when a larger client tightens supply chain controls, or when your insurer starts asking sharper questions about access, patching and backups. The pressure isn't theoretical any more. The UK's National Cyber Security Centre describes Cyber Essentials as the Government-backed minimum standard of cyber security for organisations of all sizes, built around five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (NCSC Cyber Essentials overview).

That official baseline matters because it gives smaller firms a practical model to work from, not an enterprise framework that only a large internal security team could maintain. A good cyber essentials checklist should therefore do two jobs at once. It should help you pass certification, and it should reduce the everyday risks that disrupt smaller businesses, such as weak admin controls, unpatched laptops, compromised Microsoft 365 accounts and poor recovery arrangements.

This version expands the official five controls into eight operational areas. That's deliberate. Certification is important, but a pass doesn't automatically mean your business can detect an incident, recover data, or stop a member of staff from handing over credentials to a fake login page. Use this as a working checklist, assign owners, gather evidence as you go, and treat every item as something that must function in practice, not just look good on paper.

1. User Access Control and Authentication

Access control is where many small businesses either get disciplined or get messy. If everyone has broad permissions “just in case”, you create an environment where one stolen password can reach email, files, finance systems and customer records.

For professional services firms, that risk is obvious. An accountancy practice might have Microsoft 365, payroll software, a document portal and a remote desktop environment. A care provider may rely on cloud email, care planning software and shared laptops. If one user account carries local admin rights and weak authentication, the blast radius gets larger fast.

What good looks like

Start with named accounts only. Every member of staff should have their own login. Shared admin credentials, generic “office” accounts and recycled passwords are exactly the kind of shortcuts that cause problems during certification and incident response.

Then separate standard access from privileged access. In practice, that means the receptionist, fee earner, care coordinator or director uses a normal account for day-to-day work and only uses admin privileges when a task requires them. In Microsoft Entra ID, Microsoft 365 and local Windows environments, this is manageable if you set the rule early.

Practical rule: Put MFA on every remote login and every admin account first. Then extend it to all cloud services, including Microsoft 365, VPN access and any line-of-business portal that supports it.

A sensible structure often looks like this:

  • Role-based access: Give finance access to finance systems, not to HR folders or server tools.
  • Admin separation: Create distinct admin accounts for IT support staff and senior users who need privileged access.
  • Fast leaver process: Disable accounts the same day someone leaves, including email, VPN, VoIP and cloud apps.
  • Quarterly review: Check who still needs access to what, especially shared mailboxes, Teams sites and finance systems.

Responsibility matrix in a small business

This is one area where ownership needs to be explicit.

  • Business owner or director: Approves access policy and signs off privileged access.
  • Office manager or HR: Triggers joiner, mover and leaver changes.
  • Internal IT or managed IT partner: Implements MFA, group policies, conditional access and account reviews.
  • Department heads: Confirm whether access still matches each person's role.

What doesn't work is leaving permissions to grow organically. That's how a former temp still has SharePoint access, a director's assistant inherits mailbox rights nobody reviews, and a contractor keeps an active VPN account months after the project ends.
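The quarterly review described in this section, as an added example that is not part of the original article or any SES Computers tooling. It checks a constructed account export against a constructed HR roster for the problems the section names (shared accounts, leavers still enabled, admin rights without MFA, day-to-day accounts holding admin, access beyond role). The field names and the "adm-" prefix convention are assumptions, not any vendor's schema.

```python
"""Quarterly access review against the rules in this section (added example).

Constructed sample data: an HR roster and an account export from an identity
platform. Field names and the "adm-" prefix convention are assumptions, not
any vendor's schema.
"""
from datetime import date

TODAY = date(2026, 3, 31)   # constructed review date
STALE_DAYS = 90             # a quarter without a sign-in is worth a question

# Constructed HR roster: everyone who works (or worked) here and their role.
HR_ROSTER = {
    "a.khan": {"role": "finance", "left": None},
    "j.smith": {"role": "reception", "left": None},
    "t.brown": {"role": "it", "left": None},
    "r.patel": {"role": "temp", "left": date(2026, 1, 15)},   # leaver
}

# Which resource groups each role legitimately needs (role-based access).
ROLE_ENTITLEMENTS = {
    "finance": {"finance-systems", "shared-mailbox-office"},
    "reception": {"shared-mailbox-office"},
    "it": {"server-tools"},
    "temp": {"sharepoint-clients"},
}

# Constructed account export. "groups" are the resource groups the account can reach.
ACCOUNTS = [
    {"user": "a.khan", "enabled": True, "admin": False, "mfa": True,
     "groups": {"finance-systems", "hr-folders"}, "last_sign_in": date(2026, 3, 20)},
    {"user": "j.smith", "enabled": True, "admin": False, "mfa": True,
     "groups": {"shared-mailbox-office"}, "last_sign_in": date(2026, 3, 22)},
    {"user": "t.brown", "enabled": True, "admin": True, "mfa": False,
     "groups": {"server-tools"}, "last_sign_in": date(2026, 3, 22)},
    {"user": "adm-t.brown", "enabled": True, "admin": True, "mfa": True,
     "groups": {"server-tools"}, "last_sign_in": date(2026, 3, 21)},
    {"user": "r.patel", "enabled": True, "admin": False, "mfa": True,
     "groups": {"sharepoint-clients"}, "last_sign_in": date(2026, 1, 14)},
    {"user": "office", "enabled": True, "admin": False, "mfa": False,
     "groups": {"shared-mailbox-office"}, "last_sign_in": date(2026, 3, 22)},
]


def review_access(accounts, roster, entitlements, today=TODAY, stale_days=STALE_DAYS):
    """Return (user, finding) pairs that a reviewer should act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Named accounts only: an "adm-" account must map back to a real person.
        person = user[4:] if user.startswith("adm-") else user
        record = roster.get(person)
        if record is None:
            findings.append((user, "no matching person in HR roster (shared or generic account?)"))
            continue
        if record["left"] is not None and acct["enabled"]:
            findings.append((user, f"leaver on {record['left']} still enabled"))
        if acct["admin"] and not acct["mfa"]:
            findings.append((user, "admin rights without MFA"))
        if acct["admin"] and not user.startswith("adm-"):
            findings.append((user, "day-to-day account holds admin rights"))
        excess = acct["groups"] - entitlements.get(record["role"], set())
        if excess:
            findings.append((user, f"access beyond role: {sorted(excess)}"))
        if acct["enabled"] and (today - acct["last_sign_in"]).days > stale_days:
            findings.append((user, f"no sign-in for over {stale_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS):
        print(f"{user:14} {finding}")
```

Run against the sample it produces five findings: the finance user reaching HR folders, the IT user's everyday account holding admin rights without MFA, the temp who left in January still enabled, and the generic "office" login that maps to nobody.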

2. Patch Management and System Updates

Patch management sounds routine until a tender asks for evidence or a vulnerability gets exploited on a device nobody realised was still in use. Then it becomes urgent.

Cyber Essentials gives this area real weight because unpatched systems are one of the easiest ways into a business. The UK government's impact evaluation also makes the checklist more concrete for SMEs. It ties the scheme to secure configuration, access control, malware protection, patch management and boundary firewalls, and reports that 64% of certified users said certification better enabled their organisation to identify and address common vulnerabilities (UK government Cyber Essentials impact evaluation).

The patching standard to aim for

For most SMEs, the right approach is simple but disciplined. Keep an accurate asset list, remove unsupported software, automate what you can, and escalate critical fixes rather than waiting for a monthly catch-up.

The government guidance is especially useful because it gets specific. It points to admin privilege separation, MFA on network logins including cloud platforms, automatic vulnerability remediation for supported software, and a patch SLA of two weeks where CVSS is above 7 (all in the same impact evaluation guidance linked above).

That matters because many businesses still patch by habit instead of by policy. Windows laptops may update automatically, but network appliances, firmware, 3CX systems, VMware hosts, printers and line-of-business apps get missed. Those forgotten systems often become the weak point.

What to check each month

  • Supported software only: Remove or isolate anything no longer supported by the vendor.
  • Defined maintenance windows: Patch servers, firewalls and key applications on a schedule staff understand.
  • Emergency process: Have a route for urgent security updates outside normal change windows.
  • Evidence trail: Keep records of what was patched, when, and who approved exceptions.

If you want a practical framework for running that process, SES Computers' guide to patch management best practices is a useful operational reference.

A real example from smaller firms is the “special case” machine in reception, finance or production that can't be restarted during the day. Those devices tend to miss updates for months. The answer isn't to ignore them. It's to schedule downtime, document the business dependency and put compensating controls around them until they're current.
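The monthly check above, as an added example that is not from the original article or from SES Computers: it applies the two-week SLA for CVSS above 7 to a constructed asset register, keeps the evidence trail for approved exceptions (the reception machine case), and lets an expired exception fall back into the overdue bucket. The register layout, asset names and VULN-* identifiers are assumptions.

```python
"""Patch SLA tracker for the two-week rule on CVSS above 7 (added example).

Constructed input: an asset register listing the vulnerabilities found on each
device, when each was first seen, whether it is fixed, and any documented
exception. The thresholds are the ones quoted from the guidance above; the
register layout, asset names and VULN-* ids are assumptions.
"""
from datetime import date, timedelta

HIGH_CVSS = 7.0             # "CVSS above 7" (strictly greater)
SLA_DAYS = 14               # "patch SLA of two weeks"
TODAY = date(2026, 3, 25)   # constructed reporting date

ASSETS = [
    # The reception machine that cannot be restarted in the day: fix is scheduled,
    # dependency documented, compensating control recorded and approved.
    {"name": "RECEPTION-PC", "supported": True, "vulns": [
        {"id": "VULN-A", "cvss": 8.1, "found": date(2026, 3, 1), "fixed": None,
         "exception": {"approved_by": "office manager", "control": "isolated VLAN, no email",
                       "review": date(2026, 4, 30)}}]},
    {"name": "FW-EDGE", "supported": True, "vulns": [
        {"id": "VULN-B", "cvss": 9.8, "found": date(2026, 3, 20), "fixed": None},
        {"id": "VULN-C", "cvss": 5.3, "found": date(2026, 2, 1), "fixed": None}]},
    {"name": "PRINT-SRV", "supported": True, "vulns": [
        {"id": "VULN-E", "cvss": 7.2, "found": date(2026, 3, 5), "fixed": None}]},
    {"name": "OLD-NAS", "supported": False, "vulns": []},
    {"name": "FINANCE-PC", "supported": True, "vulns": [
        {"id": "VULN-D", "cvss": 7.5, "found": date(2026, 2, 10), "fixed": date(2026, 2, 18)}]},
]


def sla_deadline(vuln):
    return vuln["found"] + timedelta(days=SLA_DAYS)


def patch_report(assets, today=TODAY):
    """Bucket every asset and vulnerability for the monthly check.

    Buckets: unsupported (remove or isolate), overdue (asset, id, days late),
    due_soon (asset, id, days left), excepted (asset, id, approver),
    low_priority (normal maintenance window) and fixed (asset, id, within SLA).
    """
    report = {k: [] for k in ("unsupported", "overdue", "due_soon", "excepted", "low_priority", "fixed")}
    for asset in assets:
        if not asset["supported"]:
            report["unsupported"].append(asset["name"])   # cannot be patched at all
        for v in asset["vulns"]:
            key = (asset["name"], v["id"])
            deadline = sla_deadline(v)
            exc = v.get("exception")
            if v["fixed"] is not None:
                report["fixed"].append(key + (v["fixed"] <= deadline,))
            elif v["cvss"] <= HIGH_CVSS:
                report["low_priority"].append(key)
            elif exc is not None and exc["review"] >= today:
                # Exception still valid: the evidence trail records who approved it.
                report["excepted"].append(key + (exc["approved_by"],))
            elif today > deadline:
                # Includes vulnerabilities whose exception has lapsed without review.
                report["overdue"].append(key + ((today - deadline).days,))
            else:
                report["due_soon"].append(key + ((deadline - today).days,))
    return report


if __name__ == "__main__":
    for bucket, items in patch_report(ASSETS).items():
        print(f"{bucket:13} {items}")
```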

3. Endpoint Protection and Antivirus

Endpoint protection is still one of the easiest controls to misunderstand. Plenty of businesses think “we have antivirus” means the job is done. In reality, an unmanaged consumer-grade product installed on half the laptops isn't a security control. It's a false sense of comfort.

Cyber Essentials includes malware protection for a reason. On a modern SME estate, endpoints include more than office desktops. They include remote laptops, directors' home devices used for business access, virtual desktops, mobile phones with company email, and sometimes devices tied to a specialist system in finance, care or operations.

What works in practice

A proper setup usually means centrally managed endpoint protection with real-time scanning, tamper protection, alerting and isolation capabilities. Microsoft Defender for Business or Defender for Endpoint is a common fit for Microsoft-heavy SMEs. Sophos, Bitdefender and other managed business tools can also work well when they're deployed consistently and monitored properly.

What matters most is central visibility. If one laptop stops reporting, has outdated definitions, or shows suspicious behaviour, somebody needs to know. If no one is watching the console, the software is only doing half the job.

Don't judge endpoint protection by the badge on the laptop. Judge it by whether someone can see device health, quarantine threats, and investigate unusual activity quickly.

Common gaps I see

  • Partial rollout: Head office machines are protected, but home workers and satellite staff are missed.
  • No policy tuning: Staff can disable scans, ignore alerts, or postpone updates indefinitely.
  • No mobile plan: Phones and tablets access company data but sit outside any managed policy.
  • No alert ownership: Threat notifications exist, but no one is responsible for responding to them.

A practical example is a solicitor or accountant receiving a convincing attachment by email on a laptop that rarely connects to the office. If the device has current endpoint controls, web protection and central alerting, you've got a much better chance of containing the issue before it spreads into SharePoint, Teams files or mapped drives.

For SMEs, the best result comes from combining endpoint protection with the rest of your cyber essentials checklist. Anti-malware without patching, hardening and access control won't carry the whole load.

4. Secure Data Backup and Recovery

Backups aren't one of the five official Cyber Essentials controls, but they belong on every practical cyber essentials checklist. Certification helps reduce the likelihood of common attacks. It doesn't guarantee you can recover when something still goes wrong.

That distinction matters because not every serious business incident starts with malware. Staff delete data. A failed update corrupts a system. A sync tool overwrites files. A mailbox gets purged. A line-of-business database breaks after a server issue. If you can't restore cleanly, your operations stall whether or not you passed certification.

The standard SMEs should aim for

Use automated backups, keep at least one copy separate from production access, encrypt backup data, and test restores regularly. If ransomware hits a file server and your backup system is reachable with the same compromised credentials, you haven't really created a recovery layer.

For professional services firms, I'd split backup planning into business functions:

  • Client data: File servers, SharePoint, document systems, finance software data.
  • Communication: Microsoft 365 mailboxes, Teams content and key shared calendars.
  • Infrastructure: Servers, virtual machines, firewall configuration and core network settings.
  • Operational records: Care notes, case files, templates, workflow databases and archived documents.

Reality check: A successful backup job report is not proof of recoverability. Only a restore test proves that.

Ownership and implementation

Many SMEs need a simple matrix here:

  • Director or practice partner: Decides what data is business-critical and how much downtime is acceptable.
  • Operations manager: Identifies systems the team needs first after an outage.
  • IT lead or managed IT partner: Implements backup schedules, retention, encryption and restore testing.
  • Department heads: Validate restored data and confirm it's usable.

SES Computers' overview of data backup and recovery services gives a clear picture of how a managed provider can handle this in an SME environment.

A practical example is a care provider hit by a failed line-of-business update late on Friday. If backups cover the application server, related data, and the recovery process is documented, you can restore over the weekend. If the business has never tested the restore, Monday becomes a crisis meeting.

5. Secure Configuration and Hardening

Secure configuration is one of the most underestimated parts of Cyber Essentials because it doesn't feel dramatic. There's no flashing alert. No big dashboard. Just lots of decisions about what should be turned off, removed, restricted or locked down.

Yet that is exactly where many avoidable weaknesses live: default passwords on routers, local admin rights on every laptop, unused software left installed, remote management exposed more broadly than necessary, and default accounts still active on printers, NAS devices or voice systems.

Start with attack surface, not perfection

The NCSC places secure configuration at the core of the scheme through its baseline model cited earlier. In practice, for an SME, that means reducing opportunity. Remove what you don't need. Restrict what you do need. Document exceptions.

Examples that matter in practice include:

  • Disabling default or unused accounts on Windows devices and network appliances
  • Removing software nobody uses, especially remote access tools installed years ago
  • Restricting macro use and untrusted script execution where practical
  • Locking down browser settings, autorun behaviour and local device controls
  • Securing 3CX administration with role-based access and strong authentication

Hardening decisions that pay off

For small businesses, the best wins are usually the least glamorous. Standardised laptop builds. Firewall admin interfaces not exposed to the open internet. Printers with changed default credentials. Servers built from a template, not by improvisation.

A managed IT partner can help by maintaining secure build standards for Windows, Microsoft 365, VMware and network devices, then checking for drift over time. That last part matters. Secure at installation doesn't mean secure six months later after urgent changes, temporary rules and one-off software installs start piling up.

What doesn't work is copying a huge benchmark blindly and breaking live systems in the process. Good hardening is deliberate. It balances risk reduction with operational reality, especially in smaller firms running specialist practice software or older devices they're still phasing out.

6. Network Segmentation and Firewalls

This is an area where many SMEs can make rapid improvements. Most small businesses don't need a complex enterprise architecture, but they do need clear boundaries. If the guest Wi-Fi, office PCs, phones, printers, servers and backup targets all sit on the same flat network, one compromised device has too much room to move.

The official scheme includes firewalls and internet gateways as a core control through the NCSC framework already noted earlier. That's the baseline. A stronger operational approach is to ask a second question. If one device is breached, what can it reach next?

Practical segmentation for smaller firms

You don't need to overengineer this. For many accountancy firms, care providers and general professional services businesses, a sensible design could include:

  • Office user network: Staff PCs and laptops
  • Server or core services network: File servers, domain services, line-of-business systems
  • Voice network: 3CX or other telephony components
  • Guest or BYOD network: Internet-only access for visitors and unmanaged devices
  • Management network: Admin access to firewalls, switches, hypervisors and backup infrastructure

Default-deny principles are often more useful than complicated documentation. Allow the traffic the business needs. Block the rest. Review old rules regularly, especially temporary vendor access or remote support exceptions.

The external perspective matters too. If your team has remote staff or overseas travel requirements, secure remote access policy should be part of your firewall conversation. Throughwire's piece on IPSec VPN vs SSL VPN is a helpful comparison when you're deciding how remote connectivity should be handled.

What a managed IT partner should do here

A competent provider shouldn't just install a firewall and leave the default rule set in place. They should map your traffic flows, justify open ports, separate risky services, and keep ownership of firewall changes clear.

In a care setting, for example, a medication system, office admin devices and guest internet should not all trust each other by default. In an accountancy practice, the machine used for banking approval should be more tightly controlled than a general workstation used for web browsing and email.

7. Monitoring, Logging, and Incident Response

Cyber Essentials helps you reduce common attack paths. It doesn't guarantee you'll spot every problem immediately. That's why monitoring and logging belong in the expanded version of the checklist.

A practical issue for SMEs is visibility. If a mailbox is accessed from an unusual location, a firewall starts blocking repeated connection attempts, or an endpoint begins encrypting files unexpectedly, somebody needs to see those signals and decide what happens next. Without logs and a response plan, you're left reconstructing events after the damage is done.

Logging that's worth having

Don't collect logs just because a platform allows it. Collect what you can use. For most SMEs, the priority sources are:

  • Microsoft 365 and identity logs: Sign-ins, MFA activity, admin actions, mailbox changes
  • Firewall logs: Blocked connections, VPN activity, configuration changes
  • Endpoint security logs: Malware detections, isolation events, unusual behaviour
  • Server and application logs: Failed logins, service failures, privilege changes, access anomalies

Then define who receives alerts and what escalation looks like. A director should know who calls whom if the finance mailbox is compromised. The office manager should know how to report suspicious activity. Your IT provider should know when to isolate a device, disable an account, or preserve evidence.

If your only incident process is “call IT if something looks odd”, you don't have an incident response plan yet.

Why this matters beyond certification

The UK Government's 2025 Cyber Security Breaches Survey found that 43% of businesses experienced a cyber security breach or attack in the previous 12 months, and phishing remained the most common attack type, as cited in Sprinto's discussion of Cyber Essentials gaps and checklist considerations (Sprinto on Cyber Essentials checklist limitations). That's exactly why monitoring and response matter. Compliance with baseline controls doesn't remove the need to detect, contain and recover.

A common SME example is business email compromise. The first clue may be an unexpected inbox rule, unusual forwarding behaviour, or a login from a location the user has never visited. If nobody reviews those indicators, the attack can continue undetected while fraudulent payment requests are sent to clients or suppliers.
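The indicators just described, run over sample audit events, as an added example that is not from the original article or from SES Computers. The events are constructed to resemble Microsoft 365 audit records; the operation and parameter names (UserLoggedIn, New-InboxRule, Set-Mailbox, ForwardTo, MoveToFolder, ForwardingSmtpAddress) are real Exchange Online names, but the flattened record shape is an assumption, and a real export needs its own parser.

```python
"""Business email compromise indicators over sample audit events (added example).

The events are constructed to resemble Microsoft 365 audit log records. The
operation and parameter names are real Exchange Online names, but the
flattened record shape used here is an assumption; a real export carries
Parameters as a list of Name/Value pairs and needs its own parser.
"""
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that send mail elsewhere or destroy it.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample, one JSON record per line.
SAMPLE_EVENTS = r"""
{"Time":"2026-03-10T08:02:11Z","User":"finance@example.co.uk","Op":"UserLoggedIn","Country":"GB","Result":"Success"}
{"Time":"2026-03-11T08:05:40Z","User":"finance@example.co.uk","Op":"UserLoggedIn","Country":"GB","Result":"Success"}
{"Time":"2026-03-12T03:17:02Z","User":"finance@example.co.uk","Op":"UserLoggedIn","Country":"NG","Result":"Success"}
{"Time":"2026-03-12T03:19:30Z","User":"finance@example.co.uk","Op":"New-InboxRule","Params":{"Name":".","SubjectContainsWords":["invoice","payment"],"MoveToFolder":"RSS Feeds","MarkAsRead":true}}
{"Time":"2026-03-12T03:21:05Z","User":"finance@example.co.uk","Op":"Set-Mailbox","Params":{"ForwardingSmtpAddress":"smtp:unknown-party@example.net"}}
{"Time":"2026-03-12T09:00:00Z","User":"reception@example.co.uk","Op":"New-InboxRule","Params":{"Name":"Newsletters","MoveToFolder":"Reading"}}
"""


def parse_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines()]


def baseline_countries(events, user, before):
    """Countries `user` signed in from successfully before the given ISO timestamp."""
    return {e["Country"] for e in events
            if e["User"] == user and e["Op"] == "UserLoggedIn"
            and e.get("Result") == "Success" and e["Time"] < before}


def detect_bec(jsonl):
    """Return (time, user, reason) for each indicator worth a human look."""
    events = parse_events(jsonl)
    alerts = []
    for e in events:
        user, op, params = e["User"], e["Op"], e.get("Params", {})
        if op == "UserLoggedIn" and e.get("Result") == "Success":
            usual = baseline_countries(events, user, e["Time"])
            if usual and e["Country"] not in usual:
                alerts.append((e["Time"], user,
                               f"sign-in from new country {e['Country']} (usual: {sorted(usual)})"))
        elif op in RULE_OPS:
            exfil = EXFIL_PARAMS & set(params)
            # Moving mail to an odd folder and marking it read is the "hide" variant.
            hides = "MoveToFolder" in params and params.get("MarkAsRead") is True
            if exfil or hides:
                alerts.append((e["Time"], user,
                               f"inbox rule {params.get('Name')!r} forwards, deletes or hides mail"))
        elif op == "Set-Mailbox" and MAILBOX_FORWARD_PARAMS & set(params):
            alerts.append((e["Time"], user, "mailbox-level forwarding switched on"))
    return alerts


if __name__ == "__main__":
    for t, u, why in detect_bec(SAMPLE_EVENTS):
        print(t, u, why)
```

The reception user's ordinary "Newsletters" rule is left alone; the finance mailbox raises three alerts in sequence, which is the pattern a director or IT partner should be told about the same day.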

8. Security Awareness Training and User Education

This is the control businesses often postpone because it feels less technical than firewalls or antivirus. That's a mistake. A strong cyber essentials checklist needs a people layer, especially because the official scheme doesn't cover every user-driven risk on its own.

The practical gap is easy to see. A company can have MFA, patching and malware protection in place, then still lose money because a member of staff approves a fake bank detail change, logs into a spoofed Microsoft 365 page, or sends sensitive documents to the wrong recipient.

Training that actually changes behaviour

Annual slideshow training usually doesn't stick. Staff need short, relevant guidance tied to the decisions they make every day.

For professional services firms, that usually means:

  • Email handling: Spotting credential theft pages, fake invoice requests and urgent payment scams
  • Password and MFA habits: Using approved methods and reporting unusual prompts quickly
  • Data handling: Sending client files safely and avoiding personal email or unsanctioned sharing tools
  • Incident reporting: Knowing exactly who to contact and what to preserve

A care provider may need extra focus on shared device handling, safeguarding-related data, and urgent reporting when a suspicious email references residents or staff records. An accountancy practice may need repeated training on invoice fraud, bank detail changes and executive impersonation.

Making ownership clear

Training works best when it's operational, not ceremonial.

  • Leadership: Takes the training too, and follows the same rules.
  • Managers: Reinforce reporting culture and stop staff being punished for raising a false alarm.
  • IT or managed service provider: Delivers awareness content, phishing simulations and policy guidance.
  • Staff: Report suspicious messages, MFA prompts and data handling mistakes early.

If you want support with that process, SES Computers provides guidance on IT security awareness training that fits SME environments.

The key trade-off is time versus risk. Businesses often avoid regular training because they don't want to interrupt fee earning or service delivery. But a short, practical session that prevents one compromised mailbox or one fraudulent payment request is time well spent.

8-Point Cyber Essentials Comparison

| Item | Implementation complexity | Resource requirements | Expected outcomes | Ideal use cases | Key advantages |
| --- | --- | --- | --- | --- | --- |
| User Access Control and Authentication | Medium–High, requires IAM design and integration | IAM/SSO platforms, MFA, admin time, user training | Fewer unauthorized accesses, stronger audit trails | Distributed teams, cloud infrastructure, admin accounts | Strong access control, compliance support, scalable user management |
| Patch Management and System Updates | Medium, tooling, testing and change processes needed | Patch management console, test environment, ops staff | Reduced exposure to known vulnerabilities, improved stability | Multi-endpoint estates, servers, virtual environments | Lowers exploit risk, automates updates, supports compliance |
| Endpoint Protection and Antivirus | Medium, agent deployment and tuning required | Endpoint agents, licensing, monitoring and response staff | Early malware detection, faster containment of endpoint threats | Remote/workforce devices, regulated data environments | Real-time protection, centralized visibility, ransomware defense |
| Secure Data Backup and Recovery | Medium, requires design, segregation and recovery testing | Backup software, offsite storage, bandwidth, periodic tests | Rapid recovery, business continuity, RTO/RPO assurance | Any org needing reliable recovery, regulated sectors | Immutable/offsite backups, minimizes downtime, compliance evidence |
| Secure Configuration and Hardening | High, deep technical changes and careful validation | Configuration management tools, security expertise, testing | Reduced attack surface and consistent secure baselines | Servers, VMs, cloud workloads, critical systems | Fewer vulnerabilities, limits lateral movement, automatable baselines |
| Network Segmentation and Firewalls | High, architecture design and rule management complex | Firewalls, switches, NAC, skilled network/security engineers | Contained breaches, limited lateral movement, clearer scope | PCI, POS separation, hybrid cloud and OT/IT separation | Compartmentalizes risk, improves detection and performance |
| Monitoring, Logging, and Incident Response | High, SIEM integration, tuning and staffing intensive | SIEM/log storage, analysts, threat intelligence, playbooks | Faster detection and response, forensic readiness | SMEs needing 24/7 monitoring, regulated industries | Reduces dwell time, supports investigations and compliance |
| Security Awareness Training and User Education | Low–Medium, program setup and ongoing reinforcement | Training platform, time for employees, phishing simulation tools | Fewer human-error incidents, improved reporting behavior | All organisations, high phishing or insider-risk settings | Cost-effective risk reduction, measurable behavior change |

From Checklist to Certified: Your Next Steps

A good cyber essentials checklist shouldn't leave you with a pile of disconnected tasks. It should leave you with a clearer, safer way of running the business. That means assigning ownership, tightening the weak points first, and collecting evidence as you implement each control instead of scrambling for it at certification time.

The official scheme remains an excellent baseline. UK-focused guidance commonly states that accredited organisations are protected against about 80 to 85% of known cyber attacks, which is one reason Cyber Essentials became such a recognisable benchmark for SMEs that need a practical, affordable baseline defence (NordLayer Cyber Essentials explainer). That's valuable. But the expanded checklist matters because baseline protection isn't the same thing as operational resilience.

In practice, the order of work is usually straightforward. First, get identity and access under control. Then patch aggressively, standardise endpoint protection, and harden what you already have. After that, make sure backups are isolated and restorable, segment the network sensibly, turn on useful logging, and train staff in a way that reflects the scams they face.

If you're a small business owner, don't try to solve this by buying random tools and hoping they add up to a strategy. What works is a documented process, named owners and regular review. In a company of ten, one person may wear several hats. That's fine. The key is that every control still has an owner, and every exception is deliberate.

For firms in Dorset, Somerset, Wiltshire and Hampshire, managed support can remove a lot of the friction. SES Computers has been delivering managed IT support and cloud services for over 30 years and can help SMEs implement practical controls such as patching, backup, monitoring and user security measures in support of certification readiness. That kind of support is especially useful when the business doesn't have an internal security lead but still needs a reliable route to Cyber Essentials.

If you're preparing for a tender, a renewal, or your first certification, start with the controls that reduce real operational risk today. Certification then becomes the result of good security practice, not a paper exercise you revisit once a year.

If you want help turning this cyber essentials checklist into a workable plan, speak to SES Computers. They can help assess your current setup, assign priorities, and implement the controls needed for stronger day-to-day security and Cyber Essentials readiness.