Cyber Essentials UK: the complete guide for small businesses in 2026
Cyber Essentials is the UK government-backed security certification most SMBs will eventually need — here is everything a small business needs to know about it in 2026.
Read more →Blog
Practical security advice, product updates, and guides for IT consultants and business owners.
Cyber Essentials is the UK government-backed security certification most SMBs will eventually need — here is everything a small business needs to know about it in 2026.
Read more →Cyber Essentials certification is a UK government-backed scheme that verifies your business has basic security controls in place — here is what it involves and how to apply.
Read more →Cyber Essentials has five specific technical requirements covering firewalls, configuration, access control, malware protection, and patching — here is what each one means in practice.
Read more →GDPR requires appropriate technical security measures to protect personal data — here is what that means in practice for a UK small business website in 2026.
Read more →A CAA record controls which certificate authorities are allowed to issue SSL certificates for your domain — without one, anyone can request a certificate for your domain name.
Read more →An SSL certificate is what puts the padlock in your browser and encrypts the connection between your website and its visitors — here is what it does, why it matters, and what happens when it expires.
Read more →Most security advice for small businesses starts in the wrong place — here is a practical, prioritised starting point for a business with no IT team and no security background.
Read more →Cyber Essentials Plus is the independently verified version of Cyber Essentials — here is what the extra assessment involves, who needs it, and whether it is worth the additional cost.
Read more →External and internal vulnerability scanning find different things — here is what each one covers, where they overlap, and which is the right starting point for a UK small business.
Read more →A Content Security Policy header tells browsers exactly what your website is allowed to load, closing off a class of attacks that most small business sites have no protection against.
Read more →A vulnerability scan report is only useful if you can understand what it is telling you — here is how to read one, prioritise what matters, and know what to fix first.
Read more →A DMARC record set to p=none passes every checker but stops nothing — here is what the policy setting means and why it matters for your domain security.
Read more →Ecommerce businesses face specific Cyber Essentials considerations around payment pages, customer data, and third-party integrations that other businesses do not.
Read more →Cyber Essentials requires businesses to use only software versions that still receive security updates — end-of-life software is one of the most common gaps assessors find.
Read more →Cyber Essentials requires software and security updates to be applied within 14 days of release — here is why that deadline exists and how to actually meet it.
Read more →Cyber Essentials asks whether you restrict what software can be installed on devices, because unrestricted installation rights are one of the most common ways malware gets a foothold.
Read more →Cyber Essentials asks whether you restrict USB drives and removable storage, because plugging in an unknown device bypasses almost every other security control you have.
Read more →Cyber Essentials asks whether anti-malware is set to update automatically, because outdated protection can pass a visual check while missing every new threat.
Read more →Cyber Essentials asks whether anti-malware is installed on all devices in your organisation, and the gaps usually show up on the devices nobody thinks of as company equipment.
Read more →Restricting user accounts to only what staff need for their job is a core Cyber Essentials control, and most small businesses grant far more access than necessary by default.
Read more →Removing access immediately when staff leave is a Cyber Essentials requirement, and forgotten logins are one of the most common gaps assessors find.
Read more →Cyber Essentials requires administrator accounts to be separate from standard user accounts, and most small businesses skip this without realising why it matters.
Read more →Multi-factor authentication on internet-facing services is a core Cyber Essentials requirement, and one stolen password is all it takes without it.
Read more →Permissions-Policy, Referrer-Policy, and X-Content-Type-Options headers are commonly missing on UK SMB websites and each closes a different specific gap.
Read more →Missing Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers leave your site open to a class of browser-based attacks most businesses have never heard of.
Read more →A 1024-bit DKIM signing key passes basic email checks but fails Cyber Essentials secure configuration standards — here's why key length matters.
Read more →Cyber Essentials requires you to change every default password on every device, and assessors check this first — here's how to find what you missed.
Read more →DMARC stops criminals sending fake emails from your own domain, and most UK small businesses have never checked if theirs is set up correctly.
Read more →One week after launching Olimpio Security — 34k LinkedIn impressions, a first paying customer, industry testimonials, and 100 domains scanned with alarming results. Here is what happened.
Read more →An accidentally public GitHub repository can expose API keys, database credentials, and source code within minutes — here is what to do immediately if it happens, and how to prevent it.
Read more →Based on real scan data from UK small business domains, these are the security vulnerabilities appearing most frequently — and the ones most likely to be sitting undetected on your website right now.
Read more →UK GDPR requires businesses to implement appropriate technical security measures to protect personal data — here is what that means in practice for your website, and how to demonstrate compliance if the ICO comes knocking.
Read more →Cyber Essentials is a UK government-backed certification that shows your business takes cybersecurity seriously. Here is what it covers, who needs it, and how to prepare.
Read more →Preparing for Cyber Essentials certification does not have to be complicated — this step-by-step guide walks through each of the five controls, what assessors check, and how to make sure you pass first time.
Read more →Subdomain takeover lets attackers claim an abandoned subdomain of your domain and host their own content on it — making phishing pages, malware, or fake login forms appear to come from your legitimate domain.
Read more →An expired SSL certificate breaks your website for visitors, triggers Google penalties, and is one of the most easily preventable security failures — here is everything you need to know to stay on top of it.
Read more →A vulnerability scan checks your domain and infrastructure for security weaknesses before attackers find them — here is what it involves, what it finds, and whether your business should be running one.
Read more →Cyber Essentials and ISO 27001 are both cybersecurity certifications, but they serve very different purposes and businesses — here is how to decide which one is right for you.
Read more →A practical 15-point security checklist for UK small business websites — covering the most common vulnerabilities, what to check, and how to fix each one without needing a dedicated IT team.
Read more →A leaked API key can give attackers full access to your cloud services, payment processor, or email platform within minutes of being exposed — here is how it happens and what to do if it happens to you.
Read more →DMARC, SPF, and DKIM are three DNS records that protect your email domain from being spoofed by attackers — and missing even one of them leaves your business and your customers exposed.
Read more →We tested Olimpio on scanme.nmap.org — a site built by the team behind Nmap, one of the most recognised security tools in the world. One finding was confirmed. One was a false positive. Here is what we learned from both.
Read more →Open ports on your domain are entry points — and if the wrong ones are exposed, attackers will find them before you do. Here is how to check what your domain is exposing and what to do about it.
Read more →Cyber Essentials is a UK government-backed cybersecurity certification that helps small businesses protect themselves from the most common online threats — here is everything you need to know about what it covers, who needs it, and how to prepare.
Read more →