Cyber Essentials Plus for Small Businesses: Is It Worth It?

If you run a small business in the UK, you have probably heard of Cyber Essentials Plus. You may have seen it mentioned in tender documents, spotted it on a competitor's website, or had an IT provider recommend it. But the question that inevitably follows is: is it actually worth it for a small business? After all, certification costs money, takes time, and requires effort — resources that are always in short supply when you are running a lean operation.

The short answer is yes, for most UK small businesses, Cyber Essentials Plus is absolutely worth the investment. But that answer deserves proper context. In this article, we examine the costs, benefits, and practical realities of Cyber Essentials Plus for small businesses, so you can make an informed decision about whether it is right for yours.

Before diving into the detail, it helps to understand the landscape. The UK cybersecurity environment for small businesses is characterised by a striking disconnect between the level of threat organisations face and the level of protection most have in place. The following figures set the scene for why Cyber Essentials Plus deserves serious consideration, regardless of your size.

32%: UK small businesses reporting a cyber breach in 2024
£3,340: average cost of a cyber breach for small businesses
£2.5K–6K: typical all-in cost for CE Plus certification

What Does Cyber Essentials Plus Actually Cost?

Let us start with the numbers, because for a small business, cost is often the deciding factor. The total cost of Cyber Essentials Plus certification includes the assessment fee, any preparation costs, and potentially the cost of remediation work to bring your IT environment up to standard.

Cyber Essentials basic assessment: £300–£500 (required prerequisite)
Cyber Essentials Plus assessment: £1,500–£3,500 (core certification cost)
Professional preparation support: £500–£2,000 (optional but recommended)
Remediation costs (if needed): £0–£5,000+ (varies by current state)

The assessment fee for Cyber Essentials Plus typically ranges from £1,500 to £3,500, depending on the size of your organisation and the certification body you choose. This is in addition to the £300 to £500 fee for the basic Cyber Essentials certification that serves as a prerequisite.

If your IT environment is already well-managed and largely compliant, the preparation costs may be minimal — perhaps a few hours of IT time to run a pre-assessment scan and address any minor gaps. However, if significant remediation work is needed, costs can escalate. Common remediation expenses include upgrading end-of-life software, deploying a patch management solution, implementing multi-factor authentication, or replacing consumer-grade network equipment with business-appropriate alternatives.

For a typical small business with 10 to 50 employees, the all-in cost (including basic Cyber Essentials, Plus assessment, and modest remediation) usually falls between £2,500 and £6,000. That is a significant investment for a small business, which is precisely why it is important to understand what you get in return.

The Commercial Benefits

The most immediately tangible benefit of Cyber Essentials Plus is the doors it opens. In an increasingly security-conscious marketplace, certification has become a powerful commercial differentiator.

Government Contracts

Since 2014, the UK Government has required Cyber Essentials certification for all suppliers bidding for contracts that involve the handling of sensitive or personal information. In practice, many government bodies and public sector organisations now require it for any contract, regardless of sensitivity. For small businesses that work with (or aspire to work with) the public sector, Cyber Essentials is not optional — it is a hard requirement.

Cyber Essentials Plus is not always explicitly required, but it carries significantly more weight than the basic certification. Some government departments and NHS trusts specifically ask for Plus, and even where basic is the stated minimum, having Plus demonstrates a higher level of commitment that can give you an edge in competitive tender processes.

Private Sector Supply Chains

The ripple effect of government requirements has spread into the private sector. Large UK businesses — particularly those in financial services, healthcare, legal services, and technology — are increasingly requiring their suppliers to hold Cyber Essentials certification. This is driven partly by regulatory pressure and partly by the recognition that a supply chain is only as secure as its weakest link.

For a small business that supplies goods or services to larger organisations, Cyber Essentials Plus certification can be the difference between winning and losing a contract. More importantly, the lack of certification can result in being excluded from consideration entirely, regardless of how competitive your offering might be.

Customer Confidence

In an era of high-profile data breaches and growing public awareness of cyber threats, customers are increasingly asking about the security practices of the businesses they work with. A Cyber Essentials Plus certificate provides tangible, independently verified evidence that your business takes cybersecurity seriously.

This is particularly valuable for small businesses in sectors where trust is paramount — professional services, financial advice, healthcare, education, and any sector that handles personal data. Being able to point to a government-backed cybersecurity certification gives potential clients confidence that their data will be handled responsibly.

The Security Benefits

While the commercial benefits are compelling, they should not overshadow the fundamental purpose of Cyber Essentials Plus: actually making your business more secure.

Worth Knowing

According to the NCSC, the five Cyber Essentials controls, when properly implemented, protect against the vast majority of common cyber attacks. For small businesses, which are disproportionately targeted by opportunistic attackers, these controls represent an enormous improvement in security posture relative to the effort required.

Small businesses are not immune to cyber attacks. In fact, the UK Government's Cyber Security Breaches Survey consistently shows that small businesses are frequent targets. The 2024 survey found that 32% of small businesses reported a cyber security breach or attack in the preceding 12 months. The average cost of a breach for a small business was £3,340 — but this figure masks a wide range, with some businesses suffering losses of tens of thousands of pounds.

The five Cyber Essentials controls address the most common attack vectors: unpatched software, misconfigured firewalls, weak access controls, absent malware protection, and insecure configurations. Implementing these controls does not make your business invulnerable, but it significantly raises the bar that an attacker must clear, making your business a less attractive target for the opportunistic attacks that account for the vast majority of incidents.

Real-World Impact

Consider some concrete scenarios that Cyber Essentials Plus controls help prevent:

Ransomware: A phishing email delivers malware to an employee's computer. With proper access controls (no admin rights for standard users), the malware cannot install itself. With up-to-date malware protection, it is detected and blocked. With current patches, the vulnerability it was trying to exploit does not exist. Multiple layers of defence, each addressed by Cyber Essentials controls.

Data theft: An attacker scans your internet-facing systems for known vulnerabilities. With a properly configured firewall and current patches, there are no easy entry points. With multi-factor authentication on your cloud services, even stolen credentials are insufficient to gain access.

Business email compromise: An attacker attempts to access your email system using credentials obtained from a previous data breach. With MFA enabled (a Cyber Essentials requirement for cloud services), the stolen password alone is not enough. The attack is blocked.

Cyber Essentials vs. Cyber Essentials Plus: Does the Plus Matter?

A reasonable question for a cost-conscious small business is whether the basic Cyber Essentials certification (which is significantly cheaper) would suffice. After all, both certifications cover the same five controls — the difference is in how compliance is verified.

Cyber Essentials Basic

Self-assessment questionnaire
Lower cost (£300–£500)
Quick to achieve (days)
Meets minimum government requirements
Demonstrates commitment to security
No independent verification
Less credible to discerning clients
Self-declared — may not reflect reality

Cyber Essentials Plus

Independent technical assessment
Independently verified by assessors
Significantly more credible
Proves controls actually work in practice
Required for some government contracts
Stronger commercial advantage
Better protection — gaps are found and fixed
Includes free cyber liability insurance

The key difference is credibility. Basic Cyber Essentials is a self-assessment — you declare that your controls are in place, but nobody checks. Cyber Essentials Plus involves an independent technical assessment that verifies your controls are actually functioning. For potential clients and partners evaluating your security posture, this distinction matters enormously.

There is also a practical security benefit. The Plus assessment process itself often uncovers vulnerabilities and misconfigurations that the organisation was not aware of. The gap analysis and remediation that precede the assessment, and the assessment itself, frequently identify and resolve genuine security issues that would otherwise have gone undetected.

The Five Controls in Practice

Understanding exactly what Cyber Essentials Plus requires helps demystify the certification process for small businesses. The five technical controls are designed to be practical and achievable, not enterprise-grade complexity. Here is what each control involves and the typical actions a small business needs to take to comply.

Control area, what it requires, and the typical small business action:

Firewalls: boundary firewalls and internet gateways configured correctly. Typical action: configure the router firewall and disable unnecessary ports.
Secure Configuration: default settings changed and unused software removed. Typical action: remove bloatware, disable guest accounts, change defaults.
Access Control: user accounts managed with appropriate privileges. Typical action: remove admin rights from daily-use accounts and enable MFA.
Malware Protection: anti-malware software installed and active. Typical action: deploy endpoint protection on all devices.
Patch Management: software and devices kept up to date. Typical action: enable automatic updates and replace end-of-life software.

Each of these control areas maps to a specific category of cyber threat that small businesses encounter on a daily basis. Firewalls protect your network boundary from unauthorised access. Secure configuration ensures that devices and software are set up with security in mind from the outset, rather than relying on default settings that prioritise convenience over protection. Access control limits who can do what on your systems, preventing a single compromised account from having unrestricted access to everything. Malware protection defends against the ransomware, trojans, and spyware that automated attack tools distribute indiscriminately across the internet. And patch management ensures that known vulnerabilities — the ones that attackers actively scan for — are closed before they can be exploited. Together, these five controls form a coherent defence that addresses the attack surface most commonly exploited in breaches affecting UK small businesses.
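As an added example (not code from CloudSwitched or from the Cyber Essentials scheme itself), the following PowerShell script gives a rough self-check of a single Windows 10/11 endpoint against the five control areas above, the kind of quick look a small business might take before a formal gap analysis. It uses only built-in Windows cmdlets; the 14-day patch window matches the scheme's requirement for critical and high-severity updates, while the 7-day signature-age threshold is an assumption chosen for this example.

```powershell
# Added example, not code from the article or the Cyber Essentials scheme:
# a pre-assessment self-check of one Windows 10/11 endpoint against the five
# control areas. Run it as the daily-use (standard) user account on the device.
# The 14-day patch window reflects the scheme's requirement for critical and
# high-severity updates; the 7-day signature-age limit is an assumption here.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Firewalls: the Domain, Private and Public profiles should all be enabled
$disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    Select-Object -ExpandProperty Name
$disabledText = if ($disabled) { $disabled -join ', ' } else { 'none' }
Add-Finding 'Firewalls' (-not $disabled) "Disabled profiles: $disabledText"

# 2. Secure configuration: the built-in Guest account should be disabled
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$guestEnabled = [bool]($guest -and $guest.Enabled)
Add-Finding 'Secure Configuration' (-not $guestEnabled) "Guest account enabled: $guestEnabled"

# 3. Access control: the account running this check (the daily-use user) should
# not be a direct member of the local Administrators group. Nested group
# membership is not resolved here, so treat a pass as indicative only.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$current = "$env:USERDOMAIN\$env:USERNAME"
Add-Finding 'Access Control' ($admins -notcontains $current) "Local admins: $($admins -join ', ')"

# 4. Malware protection: Defender real-time protection on and signatures current
$mp = Get-MpComputerStatus
$avOk = $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
Add-Finding 'Malware Protection' $avOk `
    "Real-time protection: $($mp.RealTimeProtectionEnabled); signature age: $($mp.AntivirusSignatureAge) days"

# 5. Patch management: most recent installed Windows update within the last
# 14 days. Get-HotFix only lists Windows updates, so third-party software
# (browsers, office suites, PDF readers) still needs checking separately.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { 999 }
Add-Finding 'Patch Management' ($patchAge -le 14) `
    "Last update $($latest.HotFixID) installed $patchAge days ago"

# Print the five results; any row with Pass = False is a remediation item
$findings | Format-Table -AutoSize
```

Each failing row corresponds to one of the typical actions listed above, which makes the output a convenient starting point for budgeting remediation before booking the assessment.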

Common Objections from Small Businesses

We regularly hear objections from small business owners who are sceptical about the value of Cyber Essentials Plus. Let us address the most common ones.

"We are too small to be targeted by cyber attackers"

This is perhaps the most dangerous misconception in cybersecurity. Small businesses are not targeted despite being small — they are often targeted because they are small. Attackers know that small businesses typically have weaker security controls, limited IT resources, and less awareness of threats. Automated attack tools scan the internet indiscriminately, looking for easy targets regardless of size.

The NCSC has been explicit on this point: small businesses are not beneath the notice of cyber criminals. A ransomware attack that encrypts a small business's data can be just as devastating to that business as a large-scale attack on a major corporation — arguably more so, because the small business is less likely to have the resources and resilience to recover.

"We cannot afford it"

The cost of Cyber Essentials Plus must be weighed against the cost of a cyber attack. The average cost of a breach for a UK small business is several thousand pounds, but this average obscures the catastrophic cases. Some small businesses have been forced to close entirely following a severe cyber attack, unable to recover their data, restore their systems, or rebuild their reputation.

Even setting aside the worst-case scenarios, consider the everyday costs of poor cybersecurity: the productivity lost to malware infections, the management time consumed by dealing with phishing attacks, the potential regulatory fines for data protection failures, and the insurance premiums that reflect an unmanaged cyber risk. Against this backdrop, the cost of Cyber Essentials Plus certification is a modest investment in resilience.

"It is too complicated for a small business"

The Cyber Essentials controls are specifically designed to be achievable by organisations of all sizes, including small businesses without dedicated IT departments. The five controls — firewalls, secure configuration, access control, malware protection, and patching — are fundamental security hygiene measures, not enterprise-grade complexity.

For small businesses that manage their own IT, the preparation work is straightforward with the right guidance. For those that use a managed service provider, the MSP should be able to handle much of the preparation as part of their service. And for businesses that need additional support, specialist Cyber Essentials partners (like ourselves) can guide you through the entire process from start to finish.

"Our clients have not asked for it"

Not yet. But the trend is unmistakable. Five years ago, very few private sector organisations asked their suppliers about cybersecurity certifications. Today, it is increasingly standard in tender documents and supplier assessments. Achieving certification proactively — before your clients demand it — positions your business ahead of the curve and avoids the panic of trying to certify under time pressure when a contract depends on it.

The Cyber Essentials Plus assessment process itself can be a valuable learning experience for small businesses. Unlike the basic self-assessment, the Plus assessment involves a qualified assessor examining your actual systems and configurations. This hands-on evaluation frequently reveals vulnerabilities and misconfigurations that the business was not aware of — issues that a self-assessment questionnaire might not have surfaced. Many small businesses report that the preparation and assessment process gave them a significantly clearer understanding of their own IT environment, including shadow IT assets and configuration drift that had accumulated over time without anyone noticing.

Beyond the technical improvements, achieving Cyber Essentials Plus certification can catalyse a broader cultural shift within a small business. The process of preparing for assessment naturally involves conversations about security practices with employees, leading to greater awareness and better habits across the organisation. Staff who understand why certain policies exist — such as not using personal USB drives or reporting suspicious emails promptly — are far more likely to follow those policies consistently. This cultural benefit is difficult to quantify but arguably more valuable than any single technical control, because it creates an ongoing resilience that persists between annual assessments and extends protection far beyond what any technology solution alone can deliver.

Small businesses that approach the certification process with the right mindset — viewing it as an opportunity to genuinely improve their security rather than merely a compliance hurdle — consistently report the highest satisfaction with the investment. They find that the structured framework gives them a clear, achievable set of priorities that cuts through the noise of competing cybersecurity advice, and the resulting certificate provides tangible evidence of their commitment that they can share confidently with clients, partners, and insurers.

The Insurance Bonus

One benefit that many small businesses are not aware of is that Cyber Essentials Plus certification often comes with free cyber liability insurance. Many certification bodies include a policy as part of the certification package, typically providing cover of up to £25,000 for micro businesses. While this is not a replacement for comprehensive cyber insurance, it provides a valuable safety net at no additional cost.

Beyond the included policy, having Cyber Essentials Plus certification can also make it easier and cheaper to obtain more comprehensive cyber insurance. Insurers view certified organisations as lower risk, which can translate into lower premiums and more favourable policy terms. For small businesses, where every pound counts, these savings can offset a meaningful portion of the certification cost.

Making It Work for Your Business

If you have decided that Cyber Essentials Plus is worth pursuing, here are some practical tips for making the process as smooth and cost-effective as possible for a small business.

Choose the right certification body. Prices and service levels vary significantly between certification bodies. Look for one that has experience working with small businesses and can provide guidance and support throughout the process, not just the assessment itself.

Start with a gap analysis. Before you spend money on the assessment, understand where you stand. A gap analysis — whether conducted by your IT team, your MSP, or a specialist partner — will identify exactly what needs to be done and help you budget accurately for any remediation costs.

Leverage your existing tools. You may already have the tools you need to meet the Cyber Essentials requirements. Microsoft 365 Business Premium, for example, includes Intune for device management, Defender for endpoint protection, and Azure AD for access control and MFA — all of which directly support Cyber Essentials compliance.

Plan for renewal. Cyber Essentials Plus certification is valid for 12 months. Factor the annual renewal cost into your ongoing business expenses from the outset, so it does not come as a surprise when the certificate is due for renewal.

Treat it as an investment, not an expense. The work you do to achieve certification — patching vulnerabilities, tightening configurations, implementing proper access controls — delivers ongoing security benefits that protect your business every day. The certificate is evidence of the work; the real value is in the improved security posture.

Small Business Readiness Assessment

Based on pre-assessment data from organisations preparing for Cyber Essentials Plus, the following readiness scores reflect how well the average UK small business meets each of the five controls before formal preparation begins. These scores highlight where most remediation effort is typically concentrated and can help you anticipate the areas where your own business is most likely to need attention.

Firewall Configuration Readiness: 82/100
Secure Configuration Compliance: 58/100
Access Control and MFA Implementation: 64/100
Malware Protection Deployment: 91/100
Patch Management Adherence: 47/100

The pattern is consistent across organisations of all sizes: malware protection and firewalls tend to score reasonably well because most businesses have some form of antivirus software and a router-based firewall in place. However, secure configuration, access control, and especially patch management consistently lag behind. These are the areas where the Cyber Essentials Plus assessment delivers the most value — by identifying and forcing the closure of gaps that organisations were often unaware of. For small businesses, addressing these gaps represents the single most impactful improvement they can make to their overall cybersecurity posture.

The Bottom Line

For the vast majority of UK small businesses, Cyber Essentials Plus represents excellent value. The commercial benefits — access to government contracts, credibility with larger clients, competitive differentiation — are immediate and tangible. The security benefits — protection against the most common cyber attacks, reduced risk of costly breaches, improved resilience — are enduring and potentially business-saving.

The cost, while not insignificant for a small business, is modest compared to the potential cost of a cyber attack or the lost revenue from failing to win contracts that require certification. And the process, while requiring some effort, is achievable for any small business with the right support.

In an increasingly digital and interconnected business environment, Cyber Essentials Plus is not just a certificate — it is a statement that your business is serious about protecting its customers, its data, and its future.

Small Business Cyber Essentials Plus Support

We specialise in helping UK small businesses achieve Cyber Essentials Plus certification affordably and efficiently. From gap analysis through to certified, we make the process simple. Let us show you how.

Tags: Cyber Security
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.