Cyber Essentials made simple: a plain-English guide to passing first time

Cyber Essentials, demystified.

Cyber Essentials made simple

A plain-English guide to passing the UK's flagship cyber accreditation — first time, without the consultant bill.

Get a free CE readiness review

Why bother with Cyber Essentials?

Cyber Essentials is the UK government-backed scheme, run by the NCSC and delivered through IASME, that shows your business has five basic technical controls in place. It is increasingly required to bid for public-sector contracts, asked for by cyber insurers and, most importantly, it blocks the commodity, internet-borne attacks that make up most real-world incidents.

If you handle client data, take payments online or rely on cloud services like Microsoft 365, you should be working to this standard. The good news: most of it is already possible with the licences you have today.

The five technical controls

1. Firewalls

Every device that connects to the internet needs a properly configured firewall. For most Letsma clients that means the Windows Firewall turned on (for every network profile) on each laptop, plus a business-grade router at the office boundary. Default passwords on routers must be changed, and the router's admin interface must not be reachable from the internet unless there is a documented business need and it is protected by MFA or an IP allow-list.

2. Secure configuration

“Secure by default” means removing or disabling what you do not use: unused software and services, default and guest accounts, and auto-run/auto-play for removable media. For Microsoft 365 tenants this means blocking legacy (basic) authentication, enforcing Conditional Access and keeping Global Administrator rights out of day-to-day accounts.

3. User access control

Each user gets only the access their job requires. Administrative accounts are separate from the accounts used for email and browsing, joiners and leavers are documented, and accounts that are no longer needed are removed. MFA is mandatory on every cloud service account, and above all on anything with admin rights.

4. Malware protection

Every laptop, desktop and server in scope needs anti-malware software that is centrally managed, kept up to date and set to block connections to known-malicious sites (the scheme also accepts an application allow-list that permits only approved software as an alternative). Microsoft Defender for Endpoint (included in Microsoft 365 Business Premium) meets this and gives you a central alert dashboard.

5. Security update management

Operating systems, firmware, browsers and applications must be licensed and still supported by their vendor, and security updates rated critical or high (CVSS v3 score of 7.0 or above) must be applied within 14 days of release. Intune is the easiest way to enforce and report on this across a small business, which is why we recommend Business Premium for any Letsma client serious about Cyber Essentials.

The seven-step Letsma path to certification

  1. Scope it — decide whether you’re certifying the whole business or just one team. Smaller scope = faster pass, but a sub-set must have a clearly defined network boundary, and the certificate only covers what is inside it.
  2. Inventory devices and people — every laptop, phone, tablet and admin account needs to be on the list.
  3. Run the gap analysis — we benchmark your current state against the five controls and produce a punch list.
  4. Fix the gaps — typically MFA rollout, removing legacy authentication, deploying Intune compliance policies and tightening admin rights.
  5. Document the evidence pack — screenshots, policy excerpts and an inventory go into your CE workbook.
  6. Self-assessment with IASME — Letsma walks you through the questionnaire with the IASME assessor.
  7. Receive your certificate — valid for 12 months. Annual recertification is included in our managed contracts.

How long does it really take?

For a typical 10–30 user business already on Microsoft 365 with MFA enabled, we usually go from kick-off to certificate in 3–6 weeks. The biggest variable is patch hygiene on personal devices that staff use for work — if BYOD is widespread, expect to spend extra time enrolling devices into Intune.

Common reasons businesses fail first time

  • Legacy (basic) authentication still enabled in Microsoft 365 — POP, IMAP and SMTP AUTH clients cannot present a second factor, so every mailbox that still accepts them is a hole in your MFA control, and the assessor will ask about it.
  • MFA not enforced for admins — every privileged account must use MFA, period.
  • Personal devices not in scope — if a director uses their personal MacBook to read company email, that device counts (a personal phone used only for calls, texts or as an MFA token does not).
  • Out-of-support software — Windows 10 leaves support on 14 October 2025. Anything no longer receiving security updates is an automatic fail.
  • Default router passwords — embarrassingly common, easy to fix.
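The Microsoft 365 points under “Secure configuration”, “User access control” and the first two failure reasons above can be checked from a terminal before the assessor ever sees the workbook. The script below is an added example, not Letsma’s own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the signed-in account can read sign-in logs, Conditional Access policies and Exchange settings (for example Global Reader plus Exchange Administrator), and that the tenant has an Entra ID P1 licence (included in Business Premium) so sign-in logs are available through Graph. The parameter names `LookbackDays` and `Remediate` are this example’s own.

```powershell
# Added example (not from the original page): read-only Microsoft 365 checks for
# legacy (basic) authentication still being reachable, and for admin accounts with
# no MFA method registered. Assumes ExchangeOnlineManagement + Microsoft.Graph modules
# and a reader role for sign-in logs, Conditional Access and Exchange settings.
param(
    [int]$LookbackDays = 30,   # how far back to look for successful legacy-protocol sign-ins
    [switch]$Remediate         # opt in to turning off POP/IMAP on mailboxes that still allow them
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All','Policy.Read.All','UserAuthenticationMethod.Read.All'

# --- Legacy authentication: what the tenant still permits -------------------------
# Exchange Online authentication policies carry one AllowBasicAuth* switch per protocol.
$policyName = (Get-OrganizationConfig).DefaultAuthenticationPolicy
if ($policyName) {
    $stillAllowed = (Get-AuthenticationPolicy -Identity $policyName).PSObject.Properties |
        Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true } |
        ForEach-Object Name
    if ($stillAllowed) { Write-Warning "Default authentication policy '$policyName' still allows: $($stillAllowed -join ', ')" }
} else {
    Write-Warning 'No default authentication policy is set; create one with every AllowBasicAuth* switch off and make it the tenant default.'
}

# SMTP AUTH is the one basic-auth protocol Microsoft did not switch off for every tenant.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Write-Warning 'SMTP AUTH is enabled tenant-wide (fix: Set-TransportConfig -SmtpClientAuthenticationDisabled $true).'
}

# Mailboxes that still accept POP or IMAP. These are per-mailbox switches, so a tenant
# block can be undone one user at a time; the evidence pack should show them all false.
$popImap = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
foreach ($m in $popImap) {
    Write-Warning "$($m.PrimarySmtpAddress): POP=$($m.PopEnabled) IMAP=$($m.ImapEnabled)"
    if ($Remediate) { Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false }
}

# The control the assessor actually wants to see: an enabled Conditional Access policy
# that blocks the 'other clients' client-app type, which is how Entra labels legacy auth.
$blocksLegacy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $blocksLegacy) { Write-Warning 'No enabled Conditional Access policy blocks legacy authentication clients.' }

# --- Legacy authentication: who is still using it ----------------------------------
# Client-app names that Microsoft classes as legacy authentication in the Entra sign-in logs.
$legacyClients = @('Authenticated SMTP','AutoDiscover','Exchange ActiveSync','Exchange Online PowerShell',
                   'Exchange Web Services','IMAP4','MAPI Over HTTP','Offline Address Book','Other clients',
                   'Outlook Anywhere (RPC over HTTP)','POP3','Reporting Web Services')
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $legacyClients -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object { Write-Warning "Successful legacy sign-in: $($_.Name) x$($_.Count) in the last $LookbackDays days" }

# --- Admin accounts without MFA registered ------------------------------------------
# 'Registered' is not 'enforced' (enforcement is Conditional Access or security defaults),
# but an admin with no method registered is certainly not using MFA.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter 'isAdmin eq true and isMfaRegistered eq false' |
    ForEach-Object { Write-Warning "Admin without MFA registered: $($_.UserPrincipalName)" }
```

Run it once without `-Remediate` and keep the output for the evidence pack; every warning maps to a line in the workbook. Only the successful sign-in list tells you who will break when POP/IMAP are turned off, which is why it is worth looking at before the switch is thrown rather than after the helpdesk phone rings. Failed legacy sign-in attempts are deliberately left out: in most tenants they are password-spraying noise, and they stop on their own once the Conditional Access block is in place.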

What it costs

The IASME assessment fee is around £300–£500 + VAT depending on your business size, paid directly to IASME. Letsma’s preparation, evidence-pack and assessor liaison is included in our standard managed contracts — no extra charge. For non-contract clients, we offer a fixed-price CE readiness package.

“Letsma got us through Cyber Essentials in five weeks, including the bits we’d been kicking down the road for a year. We’ve just renewed for our third certificate.”

— IT lead, professional services firm, Caterham

Ready to start?

Book a free Cyber Essentials readiness review — we’ll spend an hour mapping your tenant against the five controls and give you a punch list of what to fix. No obligation, no sales pitch.

Book your free CE readiness review

Related reading: Cyber Security at Letsma · Microsoft 365 hardening · Helpdesk
