
Cyber Security: Getting the Essentials Right With IASME

Posted by Sam Kendall

What’s the best way to protect your business from common cyber attacks?

Neil Furminger is Head of Cyber Essentials at the IASME Consortium.

He helps organisations adopt simple but effective security controls that protect against high-frequency digital threats.

Neil walks through the Cyber Essentials scheme, what is still going wrong with UK cybersecurity, and practical steps any business can follow to reduce risk.

The focus is baseline protection: the controls that stop most opportunist attacks before they need a sophisticated response.

Created from episode transcript

Why Basic Security Still Matters

Most UK businesses will face a cyber incident at some point, whether through phishing, stolen credentials, or basic control failures.

The Cyber Security Breaches Survey 2025 continues to show how widely UK organisations are affected by cyber incidents, including phishing and credential-related attacks.

Still, dangerous assumptions persist in boardrooms across the UK.

“They won't target us, we're too small” is one of the most common - and dangerous - beliefs.

The threat often comes from unsophisticated attackers using off-the-shelf tools to exploit the easiest targets.

"The opportunist doesn't know whether it's a small company or a large one. They’ll simply go after what's easiest to access."

Neil Furminger, Head of Cyber Essentials, IASME Consortium

What makes some organisations easier to attack?

Weak passwords, open internet ports, and missed software updates are recurring themes - all areas covered by the UK government's Cyber Essentials certification.

The NCSC's guidance for small and medium-sized organisations makes the same point: most firms do not need exotic tooling to improve their baseline posture.

What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed scheme run by the National Cyber Security Centre and delivered by IASME.

It’s designed to help businesses of all sizes protect themselves from common, high-volume cyber threats.

The scheme has two levels of certification:

  • Cyber Essentials (Basic) - A self-assessment questionnaire reviewed by a trained assessor
  • Cyber Essentials Plus - An independently audited version involving technical testing and sampling

Neil leads work on developing and evolving these standards alongside the NCSC.

The schemes are updated regularly to reflect emerging threats while keeping the bar high for security fundamentals.

As the scheme marks its first decade, the Ten Years of Cyber Essentials coverage reflects how widely it has become a baseline expectation for suppliers, partners, and public-sector contracts.

The benefits of Cyber Essentials include clearer security boundaries, stronger assurance for customers, and a practical framework teams can follow without a large in-house security function.

The Five Cyber Essentials Controls

Cyber Essentials is structured around five areas of control that protect against most common attacks.

  • Firewalls - Devices must block suspicious traffic and have default passwords changed.
  • Secure Configuration - Systems and devices should run only the software and functions they need.
  • User Access Control - Accounts should have appropriate privileges, with admin rights restricted and protected by multi-factor authentication.
  • Malware Protection - Devices must have anti-malware or equivalent protection.
  • Security Update Management - Critical updates must be applied within 14 days of release.

These might sound basic, but in many organisations they’re not applied consistently.

Many of these issues have been discussed for more than 25 years, yet breaches still happen because fundamentals are skipped or applied unevenly.
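One way to check three of these controls (security updates within 14 days, admin accounts protected by MFA, anti-malware present) against an asset and account inventory. This is an added example, not part of the original article or the Cyber Essentials assessment itself; the inventory fields and sample records are constructed assumptions.

```python
from datetime import date, timedelta

UPDATE_WINDOW = timedelta(days=14)  # "within 14 days of release", from the list above

# Constructed sample inventory; all field names are assumptions for this example.
DEVICES = [
    {"host": "laptop-01", "antimalware": True, "pending_critical": [date(2025, 7, 1)]},
    {"host": "phone-02", "antimalware": True, "pending_critical": [date(2025, 7, 8)]},
    {"host": "server-03", "antimalware": False, "pending_critical": []},
]
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "bob", "admin": True, "mfa": False},
    {"user": "carol", "admin": False, "mfa": False},
]


def overdue_updates(devices, today):
    """Map host -> days past the 14-day window for its oldest pending critical update."""
    findings = {}
    for dev in devices:
        if not dev["pending_critical"]:
            continue
        age = today - min(dev["pending_critical"])
        if age > UPDATE_WINDOW:  # day 14 itself is still inside the window
            findings[dev["host"]] = (age - UPDATE_WINDOW).days
    return findings


def admins_without_mfa(accounts):
    """Admin accounts that are not protected by multi-factor authentication."""
    return sorted(a["user"] for a in accounts if a["admin"] and not a["mfa"])


def missing_antimalware(devices):
    """Hosts with no anti-malware or equivalent protection recorded."""
    return sorted(d["host"] for d in devices if not d["antimalware"])


def audit(devices, accounts, today):
    """Collect findings per control; an empty value means nothing was flagged."""
    return {
        "security_update_management": overdue_updates(devices, today),
        "user_access_control": admins_without_mfa(accounts),
        "malware_protection": missing_antimalware(devices),
    }


if __name__ == "__main__":
    for control, finding in audit(DEVICES, ACCOUNTS, date(2025, 7, 22)).items():
        print(control, "->", finding or "no findings")
```

The update check only works if the inventory is complete, so a device missing from the list is a finding in its own right.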

Passwords, Phishing and MFA: What Needs to Change

Passwords remain one of the weakest links in many organisations' security strategies.

Opportunist attackers look for gaps in patching, access, and configuration - not for prestige targets.

Credentials stolen in one breach are often resold on the dark web, then reused in password-guessing attacks on other services.

That’s why organisations should use multi-factor authentication (MFA) wherever possible.

While not perfect, MFA can block the vast majority of automated attacks that rely on compromised credentials.

Even a simple SMS second factor is far better than password-only protection.

"Any form of multi-factor helps stop someone logging in as you. It creates a decision point for the attacker."

Neil Furminger, Head of Cyber Essentials, IASME Consortium

Passkeys are the next step on that path for services that want stronger, phishing-resistant sign-in without relying on passwords alone.

Passkeys: The Future of Authentication?

Passkeys are a newer approach now going mainstream: a passwordless login method that uses biometrics or physical security keys.

Passkeys are phishing-resistant and do not rely on users remembering complex passwords.

They’re already available on services like Google and eBay, but wider adoption will take time.

Reporting such as "UK Government Advances Passkey Adoption in GOV.UK System" shows how public services are starting to move in the same direction.

Cyber Essentials aims to educate organisations along this journey, regardless of their current maturity.

Scaling Security in Enterprise Communications

For large organisations managing digital communications at scale, the starting point is always the same: understanding what devices and systems are in use.

You can’t protect an asset you don’t know exists.

This becomes especially important as enterprises deploy new tools, platforms, and interfaces to engage with customers online.

“If it’s connected to the internet, then an attacker can find it and try to get in.”

Neil Furminger, Head of Cyber Essentials, IASME Consortium

That’s why applying Cyber Essentials-style controls across customer-facing systems is so important.

Why Even Large Companies Get Caught Out

Many high-profile breaches stem from basic misunderstandings or missteps, not from a lack of security products.

Education is often the hardest part of the job: convincing teams that a few simple actions can materially reduce risk.

It’s not a lack of tools, budgets or even awareness - it’s often misconceptions about what actually needs to be done.

"The hardest part is convincing people that doing a few simple things can make such a big difference."

Neil Furminger, Head of Cyber Essentials, IASME Consortium

That gap shows up sharply in regulated sectors, where customer email and document channels still depend on the same baseline controls as internal IT.

“Customer-facing channels are where many regulated firms still assume MFA, patching, and access control are already consistent - until a breach shows they are not.”

Paul Holland, Founder and CEO, Beyond Encryption (Mailock)

Those basics are a useful place to start before you review wider customer communication channels.

What Can You Do Today?

If you’ve got some spare time, two simple actions can cut risk quickly:

Two Quick Wins You Can Apply Now

  • Update your device - Apply any available updates to your laptop or phone without delay.
  • Turn on MFA - Enable multi-factor login on all your online services, especially email, banking and cloud-based tools.

These actions reduce your risk dramatically, often with just a few minutes’ work.

If you're responsible for a department or company-wide systems, review cloud platforms and enable MFA across users.

It’s a quick win that protects both you and your customers from increasingly opportunistic attacks.

 

FAQs

What Does Cyber Essentials Cover?

Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations protect themselves from common online threats with five key technical controls.

Why Does Multi-Factor Authentication Matter?

MFA adds a second barrier to access beyond passwords, dramatically reducing the success of phishing and credential-stuffing attacks.

What Are Passkeys?

Passkeys are passwordless login credentials that use biometrics or hardware tokens to securely authenticate users, making them resistant to phishing and guessing attacks.

How Can Small Businesses Benefit from Cyber Essentials?

It provides a cost-effective way to build strong cyber defences, gain customer trust, and demonstrate best practice in security, even without a large IT team.

What’s the Main Security Challenge for Larger Organisations?

The biggest challenge is applying and maintaining basic security controls consistently across all devices, users, and communication systems at scale.

 

References

Neil Furminger, Head of Cyber Essentials, IASME Consortium

IASME Consortium website, IASME Consortium

Cyber Security: Getting the Essentials Right With IASME, Regulated Digital, 2025

Cyber Security: Getting the Essentials Right With IASME, YouTube, 2025

Cyber Security Breaches Survey 2025, GOV.UK, 2025

Ten Years of Cyber Essentials - A Decade of Making the UK More Resilient, Counter Terror Business, 2025

What Are the Benefits of Cyber Essentials?, IASME Consortium, 2025

Cyber Essentials Overview, NCSC.GOV.UK, 2025

National Cyber Security Centre, NCSC.GOV.UK, 2025

Cyber Security Advice for Small to Medium Sized Organisations, NCSC.GOV.UK, 2024

UK Government Advances Passkey Adoption in GOV.UK System, Mobile ID World, 2025

Cyber Security: Getting the Essentials Right With IASME, Neil Furminger (#23), Apple Podcasts, 2025

Reviewed by

Sam Kendall, 30.05.26

This content is for general information only and is not legal advice.

 

Originally posted on 22 07 25
Last updated on June 5, 2026

Posted by:  Sam Kendall

Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.
