Get certified. Win government contracts. Sleep at night.

Cyber Essentials certification proves your business takes security seriously. It's increasingly required for government contracts, supply chain tenders, and insurance renewals — and Dave walks you through the whole thing in plain English. No jargon. No 80-page security policies you'll never read. Just a clear process, guided by someone who spent his career investigating the cyber incidents that certification is designed to prevent.

This isn't a nice-to-have anymore.

43% of UK businesses experienced a cyber breach in the last 12 months. That's not a worst-case scenario. It's nearly half. And for the businesses that got hit, the average cost wasn't trivial — it was weeks of cleanup, lost client trust, and in some cases, insurance claims that got rejected because they couldn't prove basic security controls were in place.

But here's what's actually driving most businesses to pick up the phone. It's not the breach statistics. It's the email from their biggest client.

48% of organisations that hold Cyber Essentials certification now require their suppliers to hold it too. Read that again. Half the certified companies in the UK are pushing the requirement down their supply chain. So even if you've never worried about a cyber attack in your life, the company that sends you 40% of your revenue might be about to make certification a condition of doing business.

Government contracts? Already there. The Ministry of Defence requires Cyber Essentials for any contract involving sensitive information. More public sector bodies are following. And the Cyber Security and Resilience Bill (expected to pass between 2026 and 2028) will bring fines of up to £17 million for non-compliance across a much wider scope of businesses. That's not a typo. Seventeen million.

This is the direction of travel. Not if, when.

The plain-English version.

Cyber Essentials is a UK government-backed certification scheme. It proves your business has five basic security controls in place. That's it. Five things.

Not five hundred. Five.

01. Firewalls
Something between your network and the internet that stops uninvited traffic. You probably already have one. The question is whether it's configured properly.

02. Secure configuration
Your devices and software are set up with security in mind, not left on factory defaults. (You'd be surprised how many businesses are still running routers with the password "admin.")

03. User access control
The right people have access to the right things, and nobody has admin privileges they don't need. Your receptionist doesn't need the same system access as your finance director.

04. Malware protection
Antivirus software that's actually running, actually updated, and actually being monitored. Not "we installed it two years ago and it's probably fine."

05. Patch management
Software updates applied when they're released, not six months later when Windows finally forces a restart during a client presentation.

That's the whole framework. If you're already running a reasonably modern business with halfway decent IT, you're probably closer than you think. The certification process is about documenting what you do, identifying the gaps, and closing them before assessment.

There are two levels. Cyber Essentials is the baseline — a self-assessment questionnaire verified by an external body. Cyber Essentials Plus adds hands-on technical testing of your systems. Most businesses start with the baseline and upgrade later.

Guided by someone who's seen what happens when it goes wrong.

Dave didn't learn about cyber security from a textbook. Well, he did — forensic computing at university — but then he spent years doing the bit they don't teach in the classroom. Investigating actual incidents. Pulling apart compromised systems. Tracing how breaches happened, who got in, and what they took.

He's seen the spreadsheet with 4,000 customer records end up on a forum in Eastern Europe because someone used "Bristol2019" as a password. He's seen a business lose a £180,000 contract because they couldn't demonstrate basic security controls to a government assessor. And he's seen the look on a managing director's face when they realise their "IT guy" hadn't actually been running backups for seven months.

That's the background Dave brings to Cyber Essentials consultancy. Not just "here's a checklist, fill it in." But: here's what actually matters, here's what the assessors look for, here's where businesses your size typically trip up, and here's how we fix it before it becomes a problem.

01. Initial chat
Dave talks through your current setup. No charge, no commitment. He'll tell you honestly how close (or far) you are from certification.

02. Gap assessment
A proper look at your five controls against the Cyber Essentials requirements. Dave identifies what's missing and what needs fixing.

03. Remediation guidance
Plain-English recommendations. Not a 40-page PDF full of technical jargon. Specific actions, prioritised by risk. If something needs buying, Dave tells you the cost upfront.

04. Assessment preparation
Dave walks you through the self-assessment questionnaire, making sure your answers are accurate and complete. No trick questions — but some of them are surprisingly easy to get wrong.

05. Certification support
You submit your assessment to the certification body. Dave's there if they come back with questions.

Is this actually for you?

Honestly? Not every business needs Cyber Essentials right now. If you're a sole trader with no employees, no sensitive client data, and no plans to bid for government work, it might not be your priority this quarter. Dave will tell you that.

But you probably need it sooner than you think if:

  • You bid on government contracts. Many already require Cyber Essentials as a minimum. The scope is widening every year.
  • Your clients are asking for it. That 48% cascade effect is real. If your biggest client gets certified, there's a decent chance they'll expect you to follow.
  • You handle personal data. Customer records, employee data, financial information. GDPR already requires "appropriate technical measures." Cyber Essentials is the closest thing to a government-approved checklist of what that means.
  • You want cyber insurance that actually pays out. Insurers are getting stricter about what they'll cover. Cyber Essentials certification is increasingly the baseline they expect before they'll honour a claim.
  • The Cyber Security and Resilience Bill worries you. It should, a bit. Fines up to £17 million and a much broader scope than current regulations. The timeline is 2026–2028, which sounds like plenty of time until you realise certification takes weeks, not days.

And then there's the thing nobody talks about. Getting certified makes you think differently about security. It stops being abstract. The five controls become habits. Your team starts noticing suspicious emails instead of clicking them. It's not just a certificate on the wall — it changes behaviour. Dave's seen it happen with every business he's guided through the process.

He didn't just study for a certificate. He investigated real cyber incidents.

Most IT consultants who offer Cyber Essentials guidance learned about security from the same courses everyone else took. CompTIA Security+. CISSP. Valid credentials, genuinely useful. But they're classroom knowledge about threats that happen to other people.

Dave studied forensic computing at university. That's the discipline where you examine compromised systems under controlled conditions, preserve digital evidence chains, and figure out exactly how an attacker got in, what they accessed, and how to prove it in a way that holds up legally. It's the CSI of the IT world, except less dramatic lighting and more staring at log files at midnight.

After university, Dave didn't go straight into IT support. He built his career around understanding what goes wrong. That's what makes his Cyber Essentials consultancy different from someone reading off a template — he knows what the attackers actually do, because he's spent years examining the evidence they leave behind.

Four industry awards since 2021 (Bristol Business Award Winner 2024, Global Business Awards 2024 and 2022, UK Enterprise Awards 2021). CyberFirst Supported by the National Cyber Security Centre. And every client still calls him Dave, because that's the kind of business this is.

Frequently asked questions

From first conversation to certificate, most businesses complete the process in 4–8 weeks. The timeline depends on how much remediation you need. If your IT is already in decent shape, it could be faster. If Dave finds significant gaps, he'll be honest about the work involved before you commit.

Dave's consultancy fees depend on the size and complexity of your business. The certification itself costs between £300 and £500 depending on the assessment body and your company size. Dave will give you a clear, fixed quote for his consultancy work before you start — no open-ended hourly billing that spirals. Book a chat and he'll give you a number.

Cyber Essentials is a self-assessment questionnaire verified by an external assessor. It proves you have the five controls in place based on your own answers. Cyber Essentials Plus includes hands-on technical testing — an assessor actually pokes around your systems to verify the controls work in practice, not just on paper. Most businesses start with the baseline. Dave can help you decide which level makes sense.

No. Dave can guide you through Cyber Essentials regardless of who manages your day-to-day IT. That said, if your current provider is the reason you'd fail the assessment (outdated antivirus, no backup monitoring, passwords on sticky notes), Dave will tell you that too. If you're a TechShield Pro Enterprise client, Cyber Essentials preparation is already included in your plan.

The assessment process is mostly paperwork and configuration checks. Dave does the heavy lifting. Your team might need to change a few passwords, accept some software updates, or stop using "Company123" as the Wi-Fi password. But there's no downtime involved. The most disruptive part is usually the initial gap assessment, and even that takes a couple of hours, not days.

Certification lasts 12 months. You'll need to recertify annually, which is simpler the second time because you've already built the habits. Dave can handle your renewal or just check in before the anniversary to make sure nothing's drifted. Some clients roll this into their TechShield Pro support plan.

No — and the difference matters. Cyber Essentials covers five specific technical controls. ISO 27001 is a full information security management system covering policies, procedures, risk assessments, and ongoing audits. Think of Cyber Essentials as the foundation and ISO 27001 as the full build. Most small businesses start with Cyber Essentials. If you need ISO 27001, Dave can point you in the right direction, but it's a different scale of project.

Stop putting this off.

You've been meaning to look into Cyber Essentials for months. Maybe years. It keeps getting bumped to next quarter because it sounds complicated and nobody's forcing the issue yet.

Dave's had that conversation dozens of times. This is what he'll tell you: it's not as complicated as you think, it doesn't take as long as you fear, and the businesses that certify always wish they'd done it sooner. Not because of the certificate itself — because of the clarity it brings.

Book a 30-minute call. Dave will tell you honestly where you stand, what it would take, and whether now is actually the right time. If it's not, he'll say so. But if you're losing contracts or sleep over this? Let's sort it.
