
Three Laptops and a Prayer

You don't need an IT department to get Cyber Essentials certified. You need a starting point and the willingness to learn. Here's proof.

The Transcrypt Team
Compliance Engineering


The story of how we got certified with basically nothing


Let me tell you what our IT infrastructure looked like when we started this journey.

Three laptops. One of them so old I was scared to update it in case the accounting software had a breakdown. One desktop that Kev used mainly for checking delivery schedules. A router that had been sitting in the corner since we moved in, password unchanged for four years.

No server. No IT department. No budget for consultants. No clue what we were doing.

And a teenager who'd learned everything he knew from YouTube.

That was it. That was what we had when I decided we needed Cyber Essentials certification.

If you'd told me then that this setup would pass certification in six weeks, I'd have laughed in your face. Then probably cried. Then gone back to staring at the ceiling at 3am.

But here's the thing: it was enough. More than enough, as it turned out.

The Assumption That Nearly Stopped Us

I almost didn't try.

I looked at the Cyber Essentials requirements and assumed they were for "real" businesses. Businesses with IT teams. Businesses with servers and networks and infrastructure. Businesses that used words like "infrastructure" without feeling like impostors.

Not businesses like mine. Not three laptops in a warehouse that sold lubricants. Not a team where the youngest person was also the entire technical support department.

I assumed we were too small. Too basic. Too amateur.

That assumption nearly cost us the government contract that changed everything.

What Cyber Essentials Actually Requires

Here's what I learned, eventually: Cyber Essentials isn't designed for enterprises. It's designed for businesses exactly like mine.

The five controls it assesses are:

Firewalls. Do you have a boundary between your network and the internet? If you've got a router - even a basic one from your internet provider - you've got a firewall. You just need to make sure it's configured properly.

Secure configuration. Are your devices set up securely? Default passwords changed? Unnecessary software removed? This is tidying up, not rocket science.

Access control. Do you control who can access what? For three laptops, this is straightforward. Each person has their own login. Nobody shares passwords. Admin rights only where needed.

Malware protection. Do you have anti-virus software? Windows Defender, which comes free with Windows, counts. You don't need expensive enterprise solutions.

Patch management. Do you keep software updated? Those annoying update prompts you keep dismissing? Stop dismissing them.

That's it. That's what's being assessed.

None of it requires an IT department. None of it requires expensive equipment. None of it requires expertise you don't have.

It requires attention, willingness to learn, and someone who can Google things when they get stuck.

We had all three.

Danny and the YouTube Education

I've written about Danny before. He was nineteen when all this started. Sandra's lad. No formal qualifications, no certifications, no professional experience.

What he had was curiosity and an internet connection.

When I asked if he thought he could help us get certified, he didn't say yes immediately. He said "give me a weekend."

He came back on Monday having watched hours of tutorials, read the official guidance, and made a list of everything we'd need to do. He'd figured out most of it already. The bits he hadn't figured out, he knew where to find the answers.

That's the thing about self-taught people: they know how to learn. Point them at a problem and they'll find a way through. Not because they already know the answer, but because they know how to find it.

Danny was our entire IT department. And he was enough.

The First Audit

The first thing Danny did was audit what we actually had.

He went through each laptop. Checked the operating systems. Checked what software was installed. Checked the security settings. Made notes.

Then he looked at the router. Found the password situation. Found the firmware hadn't been updated since installation. Found the settings had never been touched.

Then he sat me down with a cup of tea and told me, gently, that we had some work to do.

It wasn't as bad as it could have been. Our laptops were reasonably current. We hadn't installed loads of dodgy software. The basics were... almost there.

But the gaps were real. Passwords were weak. Updates were overdue. The router was essentially a welcome mat for anyone who wanted to walk in.

What We Actually Did

Week one: Understanding the questions. Danny went through the Cyber Essentials assessment with me, translating each question into plain English. "This is asking if we have a firewall. We do - it's the router. But we need to check these settings."

Week two: Fixing the router. Danny reconfigured it. Changed the password from "Welcome1" to something actually secure. Updated the firmware. Turned off things that didn't need to be on. Documented what he'd done.

Week three: Sorting the laptops. Updates installed. Anti-virus confirmed working. User accounts reviewed. Admin rights restricted. Unnecessary software removed. Each laptop took a couple of hours.

Week four: Policies and passwords. We created a password policy. Set up a password manager. Made sure everyone had unique credentials. Documented how we'd handle someone leaving.

Week five: Checking and double-checking. Going through the assessment questions again with honest answers. Filling gaps where we found them. Danny testing things to make sure they actually worked.

Week six: Submission and nail-biting. Sent off the assessment. Refreshed email constantly. Certificate arrived on Wednesday.

Six weeks. Three laptops. One teenager with a YouTube education.

Done.
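
The per-laptop checks from the first audit and week three (host firewall, Windows Defender, user accounts, admin rights, updates) can be run as one read-only PowerShell script. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on the laptop being checked, the 2-day and 35-day thresholds are assumptions, and the router still has to be checked by hand.

```powershell
# Added example: read-only check of one Windows laptop. It changes nothing.
# The 2-day and 35-day thresholds below are assumptions for illustration.
$findings = [System.Collections.Generic.List[string]]::new()

# Firewalls: the host firewall should be on for every network profile.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Windows Firewall profile '$($_.Name)' is not enabled")
}

# Malware protection: Windows Defender running with recent signatures.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus is not enabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt 2)    { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }

# Secure configuration: every enabled local account needs a password, and the
# built-in Guest account (RID 501) should stay disabled.
foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
    if (-not $u.PasswordRequired)   { $findings.Add("Account '$($u.Name)' does not require a password") }
    if ($u.SID.Value -like '*-501') { $findings.Add("Built-in Guest account '$($u.Name)' is enabled") }
}

# Access control: list local Administrators for a person to review. The
# well-known SID is used so this also works on non-English Windows.
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name

# Patch management: date of the newest installed update, as a rough proxy.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-35)) {
    $findings.Add('No Windows update installed in the last 35 days')
}

# One record per laptop, suitable for pasting into the audit notes.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OS             = "$($os.Caption) $($os.Version)"
    Administrators = $admins -join '; '
    LastUpdate     = $lastPatch.InstalledOn
    Findings       = $findings -join '; '
} | Format-List
```

An empty Findings line means none of these checks failed; the Administrators line always needs a human to confirm that only the accounts that need admin rights are listed.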

What We Didn't Need

We didn't need a server. Our three laptops, properly secured, were fine.

We didn't need enterprise software. Windows Defender, which comes free, was sufficient for malware protection.

We didn't need professional consultants. Danny and I figured it out together, with support from TransCrypt when we got stuck.

We didn't need a big budget. The certification cost a few hundred pounds. The software we needed was either free or cheap. The main investment was time.

We didn't need to be experts before we started. We became competent by doing the work. The expertise came through the process, not before it.

What We Did Need

Willingness to look honestly at our setup. The audit was humbling. We had to admit how bad some things were.

Time to do the work. It wasn't zero effort. Sixty to eighty hours across the six weeks, spread between me and Danny.

Someone who could learn. Danny's YouTube education meant he knew how to find answers. That skill was invaluable.

Support when we got stuck. TransCrypt answered questions at weird hours. Without that support, we might have given up in week four.

Biscuits. I'm not joking. Small comforts matter when things get stressful.

The Myth of "Not Ready"

Here's what I want you to understand: there is no "ready."

There's no point where your business is magically prepared for Cyber Essentials. There's no threshold of IT capability you need to cross first. There's no prerequisite equipment list.

You start where you are. With what you have. Three laptops and a prayer, if that's what you've got.

The certification process itself will show you what needs fixing. The requirements aren't arbitrary obstacles - they're a checklist for improvement. You don't need to meet them before you start. You meet them by starting.

If you're waiting until you're "ready," you'll wait forever. And while you're waiting, you're vulnerable. And while you're vulnerable, opportunities like that government contract are going to competitors who just started.

Four Years Later

Today we have what you might call an actual IT department.

Danny's our Head of Technical Sales. We have a dedicated IT manager. A new technician started last month. Proper systems, proper processes, proper everything.

But it all started with three laptops and a prayer.

The teenager who learned from YouTube now speaks at national seminars. The ancient laptop finally got replaced. The router... actually, we still have that router somewhere. Danny wants to frame it. I keep saying no.

Every piece of our current setup grew from that starting point. We didn't wait until we had resources to begin. We began, and the resources followed.

Your Three Laptops

Maybe you've got three laptops. Maybe you've got five, or two, or just one and a phone.

Maybe your "IT department" is your nephew, or your daughter, or the one person in the office who's "good with computers."

Maybe you're looking at Cyber Essentials and thinking "that's not for businesses like us."

It is.

It's specifically for businesses like us. Small operations with minimal resources trying to protect themselves and access opportunities.

You don't need more equipment. You don't need bigger budgets. You don't need professional certifications before you start.

You need to start.

Three laptops and a prayer got us through. Whatever you've got, it's probably enough too.


Jim Simpson is an SME Cyber Resilience Consultant with TransCrypt. He still gets emotional when he thinks about how close he came to not trying at all. The prayer worked, as it turns out.
