Cyber Essentials Certified — Again. Here’s Why We Take It Seriously, and Why You Should Too

March 10, 2026

There are certifications you hold because clients ask for them, and then there are certifications you hold because you genuinely believe in what they stand for or help you achieve. For Syntura, Cyber Essentials Plus is firmly in the second camp.

We’ve just retained our Cyber Essentials Plus certification, and it felt like the right moment to explain what that actually means, why it matters more than ever right now, and what it could mean for your organisation.

What Is Cyber Essentials, and Why Does It Exist?

Cyber Essentials is a UK government-backed scheme designed to protect organisations against the most common and preventable cyber threats. It doesn’t try to cover every possible risk; rather, it focuses on five core controls that, when properly implemented, block the vast majority of opportunistic attacks:

  • Firewalls — controlling what traffic can reach your systems and leave them.
  • Secure configuration — making sure devices and software aren’t left on default, exposed settings.
  • User access control — ensuring people only have access to what they actually need.
  • Malware protection — defending against malicious software.
  • Patch management — keeping software and devices up to date.

It sounds straightforward. And in principle, it is. The challenge is that most organisations, even those with good intentions and robust policies, have gaps they aren’t aware of until someone looks properly and flags them up.

Why Retaining This Certification Matters to Us

Syntura works with organisations across both the private and public sectors, and for public sector work, Cyber Essentials Plus isn’t optional. It’s a mandatory requirement for suppliers handling certain types of government contracts and data. Holding and retaining it every year is part of what makes us a credible, eligible partner for the organisations we serve in that space.

But it goes beyond eligibility. Syntura works with organisations that trust us with their infrastructure, their data, and increasingly their security posture. That trust isn’t something we take lightly. So holding a Cyber Essentials Plus certificate isn’t about having a badge on our website or a fancy logo we can use in our marketing materials; it’s about being able to say, with independent verification, that our own house is in order.

Every year, retaining the certification means going through the assessment again. Controls are checked. Configurations are reviewed. Nothing is assumed to still be correct just because it was correct last year. That discipline of regular, structured self-examination is exactly what we encourage our clients to adopt — so it has to start with us.

Why It Matters More Than Ever Right Now

Cyber threats aren’t slowing down. The National Cyber Security Centre consistently reports that phishing, ransomware, and credential-based attacks remain the dominant threat vectors for UK organisations, and almost all of them exploit failures in one of the five areas Cyber Essentials covers.

But there’s another dimension that’s becoming increasingly important: cyber insurance.

Premiums have risen sharply over the past few years as insurers have absorbed the cost of more frequent and more damaging claims. Many insurers now require Cyber Essentials as a minimum condition of coverage. Some offer meaningful premium reductions for organisations that hold it, particularly those that achieve Cyber Essentials Plus, which involves independent technical verification rather than self-assessment. And it also helps organisations when they bid for opportunities in the sectors they serve.

In short, the certification isn’t just a security measure. It’s a financial one.

What This Means for Our Clients

If you work with Syntura, our certification is part of the assurance stack that underpins our relationship with you. When you share data with us, work with us on your infrastructure, or engage us on security projects, you’re working with an organisation whose security baseline is independently verified. And combined with our ISO 9001, 14001, 20000, 27001, 27017 and 27018 certifications, our clients are assured that they really are in safe hands.

But we also know that many of our clients face the same recertification challenge themselves — and that the path to achieving or retaining Cyber Essentials isn’t always obvious, especially when you’re already running Microsoft 365 and wondering whether you’re actually using what you’re paying for.

The Uncomfortable Truth About Microsoft 365 Licences

Here’s something we see regularly: organisations that hold Microsoft 365 E3 or E5 licences and are paying for a significant set of built-in security capabilities that have never been properly configured or enabled.

E3 includes tools like Microsoft Defender, Intune for device management, Azure Active Directory Premium, and Information Protection. E5 goes further with Defender for Endpoint, advanced threat analytics, and Sentinel. Together, these features can directly address most of the Cyber Essentials control areas — firewalls and network protection, device configuration, access control, malware protection, and patching.

The problem isn’t access. It’s activation and configuration. Many organisations are effectively paying for a security toolkit that’s sitting in the box, while they may be using other third-party tools.

Our Security Assessment — Doing More With What You Already Have

This is where we can help in a very practical way, and it’s particularly relevant in a market where budgets are under real pressure and every line of spend is being scrutinised.

The question we hear most often isn’t “What should we buy?” — it’s “Are we actually getting value from what we already have?” That’s exactly the right question. And our security assessment is built to answer it.

We look at your existing Microsoft E3/E5 licence features alongside your broader security toolset and work out where you have duplication, where you have gaps, and where built-in Microsoft capabilities – properly configured – can do the job you’re currently paying a third-party solution to do. The goal is a stronger security posture at optimised cost: not more tools, but the right tools working properly and without friction and, if possible, offering a single-pane-of-glass view of your security infrastructure.

Specifically, we help you:

  • Map your existing Microsoft E3/E5 licence features against your current security posture
  • Identify which built-in capabilities are unused, misconfigured, or only partially enabled
  • Show you where those features can replace or reduce reliance on third-party security tools you may be paying for separately
  • Consolidate your security asset base — reducing complexity, licence overlap, and unnecessary spend
  • Build a clear, prioritised roadmap to get your organisation to a position where Cyber Essentials or Cyber Essentials Plus is achievable

The outcome isn’t just a report. It’s a practical plan that uses what you already own to close the gaps that matter most: reducing your exposure, strengthening your audit position, and putting you in a much stronger position when your cyber insurance renewal comes around.

Cyber Essentials Plus — The Standard Worth Aiming For

While standard Cyber Essentials involves a self-assessment questionnaire, Cyber Essentials Plus involves independent technical testing of your systems. It’s a higher bar, and insurers know it. Organisations that achieve Plus are demonstrating that their controls don’t just exist on paper; they’ve been tested and verified.

Our security assessment is designed with that goal in mind. We don’t just help you pass a questionnaire. We help you build a security foundation that stands up to scrutiny by the strictest underwriters.

People-Inspired Solutions — This Is What It Looks Like in Security

If there’s one area where our people-inspired solutions philosophy is put to its clearest test, it’s security. It’s easy to throw tools at a problem. It’s harder and more valuable to step back, understand how your organisation actually operates and what your users need to do their jobs effectively, and then design a security posture that protects without obstructing, that empowers without being overbearing.

That’s what our security assessment is built around. We don’t start with a product. We start with your people, your teams, your workflows, and your existing infrastructure – and work outwards from there. We look at what you have, what’s actually being used, and what your users’ day-to-day reality looks like. Then we help you activate, configure, and connect the solutions that work for your organisation — not just for an audit checklist.

Getting to Cyber Essentials and beyond it to Cyber Essentials Plus shouldn’t mean buying your way to compliance. Rather, it should mean building a security environment that your people can work within confidently, that your auditors can verify independently, and that your leadership can stand behind. That’s the standard we hold ourselves to — and it’s the standard we bring to every client engagement as a trusted advisor.

Ready to See What You’re Working With?

If you’re approaching a Cyber Essentials renewal, thinking about Cyber Essentials Plus for the first time, or simply want to understand whether your Microsoft 365 investment is doing the security work it’s capable of, we’d be glad to help.

Our security assessment is a straightforward starting point: no jargon, no pressure, and a clear picture of where you stand, what you already have, and what’s possible.

Get in touch →