
Six Weeks, Three Laptops, and a Teenager: Our Cyber Essentials Story

Honest time expectations

The Transcrypt Team
Compliance Engineering


A week-by-week account of getting certified while actually running a business


When I tell people we got Cyber Essentials certified in six weeks, they look at me like I've grown a second head. "Six weeks? While running the business? How?"

The honest answer? Caffeine, stubbornness, and a nineteen-year-old called Danny who learned everything he knows from YouTube.

Here's what it actually looked like, week by week, for a small business with no IT department and no idea what we were doing.

Week One: Panic and Paperwork

The first week wasn't really about cyber security at all. It was about accepting that this was actually happening.

I signed up on a Monday. Spent Tuesday convincing myself I'd made a terrible mistake. By Wednesday, I'd finally opened the platform and started looking at the questions.

There were a lot of questions.

I won't lie - I understood about half of them. "Do you have a firewall?" Probably? "How do you manage software updates?" We click the button when it pops up? "What's your password policy?" Don't write it on a Post-it note, Sandra.

I made a list of everything I didn't understand and everything I needed to find out. The list was long. But at least I had a list.

Week Two: The Audit of Shame

This was the week Danny came in and actually looked at our setup properly. Not just "the printer's making that noise again" - a proper look.

It was humbling.

Our WiFi password had been "Welcome1" for four years. One laptop was running software that hadn't been updated since 2019. We had no idea who had access to what, and at some point someone had installed a browser toolbar that Danny described as "basically malware with a smiley face."

He fixed what he could. We made a list of what needed buying, updating, or completely changing. I tried not to think about how long we'd been operating like this.

Week Three: Actually Doing Things

This was the hard week. The week where cyber security started eating into actual work time.

We updated everything. Every laptop, every piece of software, every browser. One update broke the accounting software, just like I'd always feared. Danny fixed it. Sandra made him a cake.

We set up proper passwords. Not just "make them longer" - actual unique passwords for everyone, stored properly. There was grumbling. Kev threatened to retire again. He didn't mean it.

We configured the firewall. I still don't fully understand what that means, but Danny does, and he walked me through what he'd done. I nodded in what I hoped were the right places.

Week Four: The Halfway Panic

Four weeks in, I had a wobble.

The tender deadline was getting closer. We were only halfway through the certification questions. Every time I thought we were nearly there, something else came up. A policy we needed to write. A setting we needed to change. Another thing I'd never heard of.

I rang Transcrypt support at 9pm on a Thursday. They talked me off the ledge. Reminded me that everyone feels like this in week four. Showed me how much we'd actually done compared to where we'd started.

It was a lot. I just couldn't see it from the inside.

Week Five: It Starts Making Sense

Something shifted in week five. The questions started making sense. Not because they'd changed, but because I had.

I knew what a firewall did now. I understood why password policies mattered. When the platform asked about access controls, I didn't have to Google it - I just knew.

We worked through the final sections. Danny and I sat together most evenings that week, him on the technical bits, me on the business bits. Sandra kept us fed and caffeinated. Kev pretended not to be interested but kept wandering over to see how we were getting on.

By Friday, we'd answered every question. I triple-checked everything. Then I made Danny check it too.

Week Six: The Moment of Truth

I submitted the assessment on a Monday morning. Then I paced around the office like an expectant father.

The certification came through on Wednesday.

I'm not ashamed to say I got a bit emotional. We'd done it. Three laptops, no IT department, a teenager who learned from YouTube tutorials, and we'd actually done it.

I printed the certificate and put it in a frame. It's on the wall now, right where everyone can see it. Some might call that showing off. I call it proof that it's possible.

What I Want You to Know

Six weeks sounds fast, but it didn't feel fast. It felt like squeezing something massive into the gaps between everything else - the orders, the deliveries, the customers, the day-to-day stuff that doesn't stop just because you're trying to get certified.

But here's what I've learned: you don't need an IT department. You don't need to understand everything from day one. You don't need to be a tech company.

You just need to start. Make the list. Ask the questions. Fix the things you can fix, get help with the things you can't.

Six weeks from now, you could be where I am - certificate on the wall, contract in the drawer, and the knowledge that your business is actually protected.

Three laptops. A teenager. Six weeks.

If we can do it, so can you.


Jim Simpson is definitely not an IT expert, but he's now Cyber Essentials certified, which still surprises him every time he looks at the certificate. Danny has asked that we clarify he's "nearly twenty, actually."


About the Author

"We are building the operating system for compliance. Transcrypt removes the ambiguity from regulatory frameworks, turning them into deterministic, executable code."