
The Five Core Controls of Cyber Essentials UK

If you operate a business in the UK, whether you're a sole trader, SME, or large enterprise, you have likely heard about Cyber Essentials, the government-backed scheme designed to help organisations protect themselves against the most common cyber threats. At the heart of Cyber Essentials are five essential technical controls. These controls are straightforward, highly effective, and suitable for organisations of all sizes.

In this article, we will explain what each of the five controls is, why it matters, and how it helps defend your organisation against everyday cyber risks.

1. Firewalls

A firewall is your organisation’s first line of defence; think of it as the digital equivalent of a locked front door. A firewall monitors and filters incoming and outgoing network traffic based on predefined security rules. In Cyber Essentials, firewalls help ensure that only safe, expected connections are allowed to reach your devices.

Why it matters

Cyber attackers often scan the internet for devices that have open or poorly secured network ports. If they find one, they may attempt to exploit it to gain access to your systems. A firewall blocks these unwanted attempts, dramatically reducing your exposure.

Key requirements under Cyber Essentials

  • Firewalls must be switched on and properly configured.
  • Default settings, especially default admin passwords, must be changed.
  • Only necessary services, ports, and protocols should be open.
  • Personal devices connecting remotely to business data should also be protected by a firewall.

A well-configured firewall shuts the door on opportunistic attacks and gives you much greater control over your network.

2. Secure Configuration

Out of the box, devices and software often come with default settings designed for convenience rather than security. Default passwords, unused ports, sample accounts, and unnecessary services all create opportunities for attackers. Secure configuration focuses on ensuring your systems are set up in a way that minimises risks.

Why it matters

Hackers frequently exploit known vulnerabilities and predictable settings. For example, leaving an admin account active with a default password is one of the simplest ways a cybercriminal can gain access.

Key requirements under Cyber Essentials

  • Remove or disable unnecessary user accounts, applications, and services.
  • Change all default passwords and settings.
  • Implement strong password policies.
  • Use secure configurations for cloud services.
  • Ensure multi-factor authentication (MFA) is enabled wherever possible.

These actions help create a hardened environment where attackers have fewer opportunities to break in.

3. User Access Control

Not everyone in your organisation needs access to everything. User access control ensures that users only have the permissions required to perform their role, nothing more.

Why it matters

Excessive permissions make cyber incidents far more damaging. If an attacker compromises the account of an employee with admin-level access, the potential impact is huge. Similarly, a disgruntled staff member with unnecessary privileges can cause significant harm.

Key requirements under Cyber Essentials

  • Use the principle of least privilege (POLP).
  • Create separate user accounts for each individual, with no shared logins.
  • Only grant admin or privileged access when required.
  • Regularly review permissions to ensure they remain appropriate.
  • Immediately disable accounts for users who leave the organisation.

Good access control limits the scope of any breach and ensures you maintain proper oversight over who can access what.
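
As an added illustration (not part of the original article or of the Cyber Essentials scheme documents), the periodic permission review described above can be run as a simple check over an account export. The field names, logins and staff list below are constructed assumptions.

```python
# Constructed sample data: logins, owners and the staff list are illustrative only.
CURRENT_STAFF = {"A. Smith", "B. Jones"}
ACCOUNTS = [
    {"login": "asmith", "owner": "A. Smith", "enabled": True, "admin": False, "admin_reason": ""},
    {"login": "bjones", "owner": "B. Jones", "enabled": True, "admin": True, "admin_reason": ""},
    {"login": "cpatel", "owner": "C. Patel", "enabled": True, "admin": False, "admin_reason": ""},
    {"login": "dlee", "owner": "D. Lee", "enabled": False, "admin": False, "admin_reason": ""},
    {"login": "reception", "owner": None, "enabled": True, "admin": False, "admin_reason": ""},
]

def review(accounts, current_staff):
    """Return (login, issue) tuples for accounts that break the listed requirements."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to sign in
        if acct["owner"] is None:
            # No single named person is accountable for this login.
            findings.append((acct["login"], "shared login with no named individual"))
        elif acct["owner"] not in current_staff:
            # Leaver whose account was never disabled.
            findings.append((acct["login"], "owner has left but account is still enabled"))
        if acct["admin"] and not acct["admin_reason"].strip():
            # Privileged access should have a recorded justification.
            findings.append((acct["login"], "admin access with no recorded need"))
    return findings

if __name__ == "__main__":
    for login, issue in review(ACCOUNTS, CURRENT_STAFF):
        print(f"{login}: {issue}")
```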

4. Malware Protection

Malware (viruses, ransomware, spyware, and trojans) continues to be one of the most common threats to UK businesses. Cyber Essentials requires organisations to have suitable measures in place to detect and prevent malware infections.

Why it matters

Malware can cause enormous damage: data theft, financial loss, system downtime, and reputational harm. Ransomware attacks, for example, continue to rise and often target small organisations due to their historically weaker defences.

Key requirements under Cyber Essentials

  • Use reputable anti-malware or anti-virus software on all devices.
  • Enable real-time scanning and automatic updates.
  • Disable or restrict the execution of untrusted software.
  • Consider application allow-listing on systems where appropriate.

These controls help ensure malicious software is identified before it can cause harm, and prevent unknown or suspicious applications from running unchecked.

5. Security Update Management

Also known as patch management, this control ensures that all devices, applications, and systems are kept up to date with the latest security patches.

Why it matters

Most cyber-attacks exploit known vulnerabilities: weaknesses that already have fixes available. If an organisation fails to apply updates promptly, it leaves the door open for attackers. Many major breaches in recent years could have been prevented with prompt patching.

Key requirements under Cyber Essentials

  • Apply all high-risk security patches within 14 days of release.
  • Enable automatic updates wherever possible.
  • Replace unsupported or end-of-life software.
  • Maintain an inventory of all software and hardware to track updates effectively.

Fast, consistent patching ensures you are protected against known threats and reduces the likelihood of an exploit succeeding.
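
As an added illustration (not part of the original article), the inventory and the 14-day window described above can be combined into one audit that flags overdue high-risk patches and unsupported software. The inventory format, asset names, patch identifiers and dates are constructed assumptions.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # window stated in the requirement above

# Constructed sample inventory: names, dates and fields are illustrative only.
INVENTORY = [
    {"asset": "laptop-01", "software": "ExampleOS 11", "supported": True,
     "pending": [{"id": "PATCH-A", "high_risk": True, "released": date(2024, 5, 1)}]},
    {"asset": "laptop-02", "software": "ExampleOS 11", "supported": True,
     "pending": [{"id": "PATCH-B", "high_risk": True, "released": date(2024, 5, 20)}]},
    {"asset": "till-01", "software": "ExamplePOS 3", "supported": False, "pending": []},
    {"asset": "server-01", "software": "ExampleDB 9", "supported": True,
     "pending": [{"id": "PATCH-C", "high_risk": False, "released": date(2024, 3, 1)}]},
]

def audit(inventory, today):
    """Return (asset, finding) tuples for items that miss the requirements."""
    findings = []
    for item in inventory:
        if not item["supported"]:
            # End-of-life software no longer receives fixes and should be replaced.
            findings.append((item["asset"], f"unsupported software: {item['software']}"))
        for patch in item["pending"]:
            age = (today - patch["released"]).days
            # A patch applied on day 14 is still within the window; day 15 is overdue.
            if patch["high_risk"] and age > PATCH_WINDOW_DAYS:
                findings.append((item["asset"],
                                 f"{patch['id']} overdue by {age - PATCH_WINDOW_DAYS} days"))
    return findings

if __name__ == "__main__":
    for asset, finding in audit(INVENTORY, date(2024, 5, 28)):
        print(f"{asset}: {finding}")
```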

Key Takeaways

The five controls of Cyber Essentials (Firewalls, Secure Configuration, User Access Control, Malware Protection, and Security Update Management) form a simple yet powerful framework for building cyber resilience. These measures are fundamental, practical, and achievable for organisations of all types.

Achieving Cyber Essentials certification not only improves your security posture but also builds trust with customers, demonstrates compliance with best practices, and may even be required for certain contracts, especially in the public sector.

By implementing these five controls, you significantly reduce the risk of becoming a victim of common cyber threats and take a proactive step toward safeguarding your organisation’s future.
