Cyber Essentials: The Security Baseline Your Business Needs

Cyber Essentials is a baseline cyber security framework built around five technical controls that, used together, prevent the large majority of common internet-based attacks on a business.


Most cyber attacks on small businesses are not clever. They are opportunistic, automated, and aimed at whoever left a door open.

The breach that takes a small firm offline for a week rarely involves a skilled attacker picking a target. It usually involves an unpatched laptop, a shared admin password, or a setting nobody changed when the software was installed.

Cyber Essentials exists to close those doors. The framework sets out the minimum controls a business should have in place, and it gives owners a clear way to check whether they actually have them. This guide explains what Cyber Essentials covers, why it matters for New Zealand businesses, and how to put it in place without turning your operation upside down.

What Is Cyber Essentials?

Cyber Essentials is a cyber security framework that sets out five technical controls every organisation should have in place to defend against the most common attacks. It was developed by the UK National Cyber Security Centre and has become a widely recognised baseline well beyond Britain, including among New Zealand businesses and the partners they work with.

The thinking behind it is deliberately narrow. Rather than try to cover every possible threat, the framework focuses on the handful of controls that stop the attacks businesses actually face day to day. Get these right and you drop out of the easy-target pool that automated scanning tools are built to find.

For a busy owner, that focus is the appeal. You do not need to become a security expert or read a 200-page standard. You need to know that five things are handled, and to be able to prove it when a client or an insurer asks.

Where does it fit alongside other frameworks?

Cyber Essentials sits at the entry level, setting a minimum standard rather than a complete one. Larger or more regulated organisations often work toward broader standards such as ISO 27001 or the NIST framework, which cover governance, risk, and process in far more depth.

For an SME, that depth can be overwhelming and expensive to reach in one step. The value of a baseline framework is that it tells you exactly where to start. You can build from it toward a fuller approach later, once the basics are covered.

Why Does a Baseline Cyber Security Framework Matter for NZ Businesses?

A baseline framework matters because it turns a general worry about security into a short list of specific things to check. Without one, security spending tends to be reactive, scattered, and hard to justify.

The pressure is also building locally. The New Zealand Cyber Security Strategy 2026 to 2030 signals a clear shift toward stronger expectations on how organisations manage cyber risk, with consultation underway on requirements for critical infrastructure and the suppliers connected to it. Expectations are moving toward more structure over time.

[Figure: Cyber Essentials gap assessment, showing compliance progress bars for the five essential security controls]

What happens if you have no baseline?

When nothing is defined, gaps go unnoticed until something goes wrong. A staff member reuses a password across systems. An old server keeps running months past its support date. Nobody is quite sure who has administrator rights.

Each gap on its own looks minor. Together they form the exact conditions an attacker needs. A baseline framework forces these into the open before an incident does it for you.

How does it affect insurance and contracts?

It affects both directly. Cyber insurers now ask pointed questions about specific controls before they will quote, and a claim can be reduced or declined if the answers on the form did not match reality. At the same time, larger clients and government tenders increasingly include security questions in their procurement, and a weak answer can quietly cost you the work.

Being able to point to a recognised framework makes both of those conversations far easier to handle. Our overview of cyber insurance explains what underwriters look for and why the answers matter to your premium.

What Are the Five Cyber Essentials Controls?

The framework rests on five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. Each addresses a different way attackers get in, and the framework expects all five to be in place rather than treated as a menu.

Firewalls

A firewall is the gatekeeper between your network and the internet, deciding what traffic gets through. Every device that connects to the internet should sit behind one that has been set up properly, and that includes the laptops your staff use at home, not just the gear in the office.

The usual problem is not a missing firewall but a default one nobody ever adjusted. Ports left open and services switched on that you never use are the digital equivalent of leaving a side door unlocked, and closing them takes a few minutes of configuration.

Secure configuration

Secure configuration means setting up devices and software to reduce avoidable weaknesses. New equipment often ships with default passwords, sample accounts, and features switched on that your business will never use.

Removing or disabling what you do not need shrinks the surface an attacker can probe. This is one of the cheapest controls to apply and one of the most often skipped.

User access control

User access control means people can only reach the systems and data their job actually requires. In practice that means the new hire in sales should not have the keys to your finance system, and the staff member who left six months ago should not still have a working login.

Administrator rights deserve particular care, since they are the accounts attackers most want. Hand them out sparingly and review them regularly. Strong authentication belongs here as well, and turning on multi-factor authentication across your key systems is one of the most effective single steps available. Our guide to multi-factor authentication walks through how to roll it out without frustrating staff.

Malware protection

Malware protection defends devices against malicious software using anti-malware tools or approved alternatives such as application allow-listing. The aim is to stop harmful code from running, whether it arrives by email, download, or a compromised website.

Protection only works when it is active and current on every device, not just the ones IT remembers. The wider problem of malware shows how quickly a single unprotected machine can become the entry point for the whole network.

Security update management

Security update management, or patching, keeps software current so that known vulnerabilities are fixed before attackers exploit them. Critical and high-risk updates should be applied promptly, and software that no longer receives updates should be retired.

This control alone would have stopped a large share of well-known breaches. The challenge for most businesses is not knowing what to do but doing it consistently across every device.

How Do the Five Controls Map to Tools You Already Use?

The five Cyber Essentials controls are not a shopping list of new products. In most businesses they map onto systems you already run, which means the work is often about configuring and managing what you have rather than buying more.

Microsoft 365 and your cloud platform

If you run Microsoft 365 or a similar cloud suite, several controls live there already. Conditional access policies and built-in multi-factor authentication cover the bulk of user access control. Defender provides malware protection across email and devices, and tenant-level settings handle a large part of secure configuration.

The catch is that these capabilities are not all switched on by default, and the more advanced ones depend on your licence tier. Getting full value from the platform you are paying for is a recurring theme, and our guide to Microsoft 365 covers the settings most businesses leave unused.

Your network and devices

Within Cyber Essentials, firewalls usually sit in two places: the hardware firewall at your office boundary and the software firewall on each device. Both need to be on and configured, with home-working laptops treated the same as office machines. Patching and secure configuration then apply to every endpoint, including the phones and tablets staff use for work.

Endpoint management tools let you enforce these settings across a fleet from one place, rather than trusting each person to keep their own device in order. As a business grows, that central control is what keeps a baseline holding instead of slipping out of date.

How Does a Business Achieve Cyber Essentials?

A business achieves Cyber Essentials by assessing its current state against the five controls, closing the gaps and, where useful, having that work independently verified. The path is straightforward, though the effort depends on where you start.

[Figure: Cyber Essentials certification benefits: insurance eligibility, client trust and regulatory alignment]

Step one: assess where you stand

Begin with an honest gap assessment. Work through each of the five controls and record what is fully in place, what is partly there, and what is missing entirely.

Most businesses doing this for the first time find they are stronger in some areas than they expected and weaker in others. One firm we worked with assumed patching was handled automatically, then discovered a third of its laptops had not updated in months. A formal security audit gives you that picture across the whole environment rather than control by control.

Step two: close the gaps

Prioritise the gaps by risk, not by how easy they are to fix. Enabling multi-factor authentication, removing unused administrator accounts, and getting patching under control usually deliver the biggest reduction in exposure for the least cost.

Some fixes are configuration changes you can make in an afternoon. Others, such as replacing hardware that no longer receives updates, take planning and budget. The point is to work through them in order rather than all at once.

Step three: keep it in place

Meeting Cyber Essentials once is not the goal. Devices change, staff come and go, and software reaches end of support, so the controls need ongoing attention to stay effective.

A managed approach is the practical way to handle this. Continuous monitoring, scheduled patching, and regular access reviews keep the controls current rather than letting them slip. Exodesk delivers this through our Cyber Security service, so the Cyber Essentials baseline stays met without your team having to chase it.

Do you need formal certification?

Cyber security certification is the optional step of having an independent body confirm that your controls meet the standard, usually through a self-assessment that is then verified. It gives you a Cyber Essentials credential you can show to clients, insurers, and tender panels.

Whether you pursue it depends on your market. Many South Island SMEs gain most of the value simply by meeting the controls and being able to evidence it, and formalise the certification later if a major client or contract requires it. The work to reach the standard is the same whether or not you certify, so it counts either way.

What Does the Process Look Like in Practice?

In practice, reaching the Cyber Essentials baseline is a sequence of manageable steps rather than a single project. A worked example shows how it tends to unfold for a typical South Island SME.

Take a 30-person professional services firm with two offices, a mix of company laptops and a few personal devices, and Microsoft 365 already in place. On paper they felt reasonably secure. The Cyber Essentials gap assessment told a different story.

Week one: the assessment

Walking through the five Cyber Essentials controls, the obvious wins appeared first. Multi-factor authentication was on for the owners but not for general staff. Three former employees still had active accounts. Patching ran automatically on most laptops, but two older machines had fallen out of the cycle entirely.

On their own these looked like minor housekeeping. Taken together, they meant a single phished password could have opened the whole system, and two unpatched laptops sat exposed to vulnerabilities that had been fixed months earlier.

Weeks two to four: the quick wins

The first round of fixes cost almost nothing but time. Multi-factor authentication went on across every account. The dormant accounts were disabled and an access review became a quarterly habit. Conditional access policies were configured in Microsoft 365 to block sign-ins from unexpected locations.

By the end of the first month, the firm had closed the gaps that carried the most risk. Secure configuration and malware protection were tightened through settings already available in their existing platform, with no new software purchased.

Months two and three: the harder items

The remaining work needed budget and planning. The two unsupported laptops were replaced rather than patched, since no amount of updating fixes hardware that the vendor no longer supports. A managed patching schedule was put in place so that updates no longer depended on individual staff remembering to restart.

Most businesses follow the same pattern. The bulk of the risk reduction comes from a handful of low-cost changes in the first few weeks, and the slower, costlier items can be planned around your budget rather than rushed. Treating this as part of how the business plans and budgets keeps the Cyber Essentials baseline current as you grow.
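The gap assessment in step one and the findings from the worked example above, as an added example that is not part of the original article or Exodesk's own tooling: a small Python script that checks a constructed device and account inventory against the five controls, records each control as in place, partial or missing, and ranks the gaps by risk so the high-impact fixes (leaver accounts, missing MFA on admin accounts, unpatched or unsupported machines) come first. The inventory fields, the 30-day patch and 90-day dormancy thresholds, and the severity ratings are assumptions chosen for illustration, and the sample inventory is constructed to mirror the firm described above.

```python
"""Gap assessment of an inventory against the five Cyber Essentials controls.

Added example, not Exodesk's tooling or the framework's own checklist. The
inventory fields, the thresholds and the severity ratings are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    name: str
    os_supported: bool           # vendor still ships security updates
    last_patched: date           # last successful update run
    firewall_on: bool            # host firewall enabled
    anti_malware_current: bool   # anti-malware installed with current signatures
    default_creds_changed: bool  # factory/default passwords replaced


@dataclass
class Account:
    user: str
    mfa_enabled: bool
    is_admin: bool
    last_login: date
    still_employed: bool


@dataclass
class Finding:
    control: str
    severity: str   # "high" or "medium"
    subject: str    # device name or user
    detail: str


CONTROLS = ["firewalls", "secure configuration", "user access control",
            "malware protection", "security update management"]
SEVERITY_RANK = {"high": 0, "medium": 1}
PATCH_MAX_AGE = timedelta(days=30)   # assumed: updates older than this are a gap
DORMANT_AFTER = timedelta(days=90)   # assumed: unused accounts past this are a gap


def assess(devices, accounts, today):
    """Return one Finding per gap found against the five controls."""
    findings = []
    for d in devices:
        if not d.firewall_on:
            findings.append(Finding("firewalls", "high", d.name,
                                    "host firewall disabled"))
        if not d.default_creds_changed:
            findings.append(Finding("secure configuration", "high", d.name,
                                    "default credentials still in use"))
        if not d.anti_malware_current:
            findings.append(Finding("malware protection", "high", d.name,
                                    "anti-malware missing or out of date"))
        if not d.os_supported:
            findings.append(Finding("security update management", "high", d.name,
                                    "OS no longer receives security updates; replace or retire"))
        elif today - d.last_patched > PATCH_MAX_AGE:
            findings.append(Finding("security update management", "high", d.name,
                                    f"last patched {(today - d.last_patched).days} days ago"))
    for a in accounts:
        if not a.still_employed:
            findings.append(Finding("user access control", "high", a.user,
                                    "leaver still has an active account"))
        elif today - a.last_login > DORMANT_AFTER:
            findings.append(Finding("user access control", "medium", a.user,
                                    f"no sign-in for {(today - a.last_login).days} days"))
        if not a.mfa_enabled:
            # an admin account without MFA is the one attackers most want
            findings.append(Finding("user access control",
                                    "high" if a.is_admin else "medium", a.user,
                                    "multi-factor authentication not enabled"))
    return findings


def control_status(findings, devices, accounts):
    """Classify each control as 'in place', 'partial' or 'missing'."""
    status = {}
    for control in CONTROLS:
        population = accounts if control == "user access control" else devices
        failing = {f.subject for f in findings if f.control == control}
        if not failing:
            status[control] = "in place"
        elif len(failing) == len(population):
            status[control] = "missing"
        else:
            status[control] = "partial"
    return status


def prioritised(findings):
    """Order gaps by risk, not by how easy they are to fix."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity],
                                           CONTROLS.index(f.control), f.subject))


def sample_inventory():
    """Constructed inventory mirroring the worked example's findings."""
    today = date(2026, 3, 2)

    def days_ago(n):
        return today - timedelta(days=n)

    devices = [
        Device("LT-01", True, days_ago(5), True, True, True),
        Device("LT-02", True, days_ago(10), True, True, False),   # local admin still at default
        Device("LT-03", True, days_ago(100), True, True, True),   # fell out of the patch cycle
        Device("LT-04", False, days_ago(200), True, True, True),  # OS out of vendor support
    ]
    accounts = [
        Account("owner.one", True, True, days_ago(1), True),
        Account("owner.two", True, True, days_ago(2), True),
        Account("alice", False, False, days_ago(1), True),
        Account("bob", False, False, days_ago(3), True),
        Account("carol", False, False, days_ago(120), True),
        Account("dave", True, False, days_ago(200), False),       # left, account never disabled
        Account("erin", True, False, days_ago(150), False),
        Account("frank", False, True, days_ago(180), False),      # former admin, no MFA
    ]
    return devices, accounts, today


if __name__ == "__main__":
    devices, accounts, today = sample_inventory()
    findings = assess(devices, accounts, today)
    for control, state in control_status(findings, devices, accounts).items():
        print(f"{control:28} {state}")
    for f in prioritised(findings):
        print(f"[{f.severity:6}] {f.control}: {f.subject}: {f.detail}")
```

Run as-is it prints the per-control status followed by the ranked gap list; the point of the ordering is that the leaver accounts, the unsupported laptop and the admin account without MFA appear before the routine items, which is the order the quick-wins phase above works through. In a real environment the inventory would be exported from the endpoint management tool and identity platform rather than typed in.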

What Does Cyber Essentials Not Cover?

Cyber Essentials covers the technical baseline, but it is not a complete security programme on its own. Knowing the limits of the framework helps you plan what comes next.

What about people and process?

The framework focuses on technical controls and does not deal in depth with staff behaviour, which is where many incidents start. Phishing and social engineering target people, not systems, so ongoing employee security awareness training sits alongside the technical controls rather than inside them.

Does it cover backup and recovery?

Backups are strongly recommended but are not one of the five controls. That is a meaningful gap, because a business often only recovers from a serious incident if it can restore its data afterwards. Treat a tested data backup strategy as essential even though the framework leaves it to one side.

Get Your Cyber Essentials Baseline in Place

Exodesk helps Christchurch, Dunedin, and South Island businesses assess their security against the five controls, close the gaps that matter most, and keep the baseline met as they grow.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions

What is Cyber Essentials?

Cyber Essentials is a baseline cyber security framework built around five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. Used together, these controls prevent the large majority of common internet-based attacks. It was developed by the UK National Cyber Security Centre and is now widely recognised as an entry-level security standard internationally.

What are the five Cyber Essentials controls?

The five controls are firewalls, secure configuration, user access control, malware protection, and security update management, also known as patching. Each tackles a different route attackers use to get into a business. The framework expects all five to be in place rather than treated as optional extras.

Is Cyber Essentials relevant to New Zealand businesses?

Yes. Although it originated in the UK, the framework is a practical baseline that maps directly onto what any New Zealand business should have in place. With the New Zealand Cyber Security Strategy 2026 to 2030 signalling stronger expectations on cyber risk management, having a recognised baseline framework is increasingly valuable for local SMEs.

How is Cyber Essentials different from a security audit?

Cyber Essentials defines the baseline controls a business should have, while a security audit reviews your current environment against that and other standards to find gaps. The framework tells you the target; an audit tells you how far you are from it. The two work together, with the audit measuring you against the baseline.

Does Cyber Essentials cover staff training?

No. The framework focuses on technical controls and does not cover staff behaviour in depth. Because phishing and social engineering target people rather than systems, security awareness training should sit alongside the five controls as part of a complete approach.

Do you need certification to use Cyber Essentials?

No. You can meet and benefit from the five controls without pursuing formal cyber security certification. Certification is the optional step of having an independent body verify that your controls meet the standard, which gives you a credential to show clients, insurers, and tender panels. Many SMEs meet the baseline first and certify later only if a major contract requires it.

How long does it take to meet the framework?

It depends entirely on your starting point. A business with good practices already may close the remaining gaps in a few weeks, while one starting from scratch may need a few months, particularly if hardware needs replacing. The first step is always an honest gap assessment against each of the five controls.

Is Cyber Essentials enough on its own?

It is a strong baseline but not a complete security programme. The framework deliberately covers the minimum technical controls that stop common attacks. Most businesses build from it toward broader measures such as backup, staff training, monitoring, and eventually fuller standards as they grow.

Will Cyber Essentials help with cyber insurance?

Often, yes. Cyber insurers increasingly ask about specific controls before they will quote or renew a policy, and the five controls map closely onto what underwriters want to see. Being able to demonstrate a recognised baseline can make obtaining cover easier and may influence your premium.

How do I get started with Cyber Essentials?

Start by assessing your business against each of the five controls to see where you stand, then prioritise closing the gaps that carry the most risk. Enabling multi-factor authentication, tightening access, and getting patching under control are usually the highest-value first steps. A managed IT or security provider can run the assessment and keep the controls in place over time.
