What’s the best way to protect your business from common cyber attacks?
Neil Furminger is Head of Cyber Essentials at the IASME Consortium.
He helps organisations adopt simple but effective security controls that protect against high-frequency digital threats.
In this episode, Neil explains the Cyber Essentials scheme, breaks down what’s still going wrong with UK cybersecurity, and shares practical tips any business can follow to reduce risk.
Why Basic Security Still Matters
For most businesses, becoming a target of a cyber attack is no longer a question of “if” but “when”.
Still, many misconceptions persist in boardrooms across the UK.
"They won't target us, we're too small" is one of the most common - and dangerous - assumptions, Neil says.
But the threat often comes from unsophisticated attackers using off-the-shelf tools to exploit the easiest targets.
"The opportunist doesn't know whether it's a small company or a large one. They’ll simply go after what's easiest to access."
Neil Furminger, IASME Consortium
And what makes some organisations 'easier' to attack?
Things like weak passwords, open internet ports, ignored software updates - all areas covered by the UK government's Cyber Essentials certification.
What Is Cyber Essentials?
Cyber Essentials is a UK Government-backed scheme run by the National Cyber Security Centre and delivered by IASME.
It’s designed to help businesses of all sizes protect themselves from common cyber threats.
The scheme has two levels of certification:
- Cyber Essentials (Basic) - A self-assessment questionnaire reviewed by a trained assessor
- Cyber Essentials Plus - An independently audited version involving technical testing and sampling
Neil plays a leading role in developing and evolving these standards alongside the NCSC.
The schemes are updated regularly to reflect emerging threats while keeping the bar high for security fundamentals.
The Five Cyber Essentials Controls
Cyber Essentials is structured around five areas of control that protect against most common attacks.
- Firewalls - Devices must block suspicious traffic and have default passwords changed.
- Secure Configuration - Systems and devices should run only the software and functions they need.
- User Access Control - Accounts should have appropriate privileges, with admin rights restricted and protected by multi-factor authentication.
- Malware Protection - Devices must have anti-malware or equivalent protection.
- Security Update Management - Critical updates must be applied within 14 days of release.
These might sound basic, but in many organisations they’re not applied consistently.
In fact, Neil says these issues have been talked about for over 25 years - yet breaches still happen because of them.
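The Security Update Management control is the one of the five with a hard number attached (14 days), which makes it easy to check mechanically against an asset inventory. The script below is an added example written for this page, not IASME or NCSC tooling; its inventory format, device names, update identifiers (placeholders) and dates are all constructed. It reports every critical update that is still unapplied, or was applied late, more than 14 days after release as of a chosen reporting date.

```python
"""Security Update Management check (added example, not IASME/NCSC code).

Flags devices with a critical update unapplied, or applied late, beyond the
14-day window the Cyber Essentials control requires.
"""
from datetime import date, timedelta

# Window quoted on the page: critical updates applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Constructed inventory: device, update id (placeholder), severity,
# release date, applied date ("-" means not yet applied).
INVENTORY = """\
laptop-01,KB-PLACEHOLDER-1,critical,2025-06-01,2025-06-05
laptop-02,KB-PLACEHOLDER-1,critical,2025-06-01,-
server-03,VENDOR-FIX-PLACEHOLDER,high,2025-06-20,-
phone-04,OS-UPDATE-PLACEHOLDER,critical,2025-06-25,-
laptop-05,KB-PLACEHOLDER-2,critical,2025-05-01,2025-05-20
"""


def parse_inventory(text):
    """Turn the CSV-style inventory into a list of dicts with real dates."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        device, update_id, severity, released, applied = line.split(",")
        rows.append({
            "device": device,
            "update": update_id,
            "severity": severity,
            "released": date.fromisoformat(released),
            "applied": None if applied == "-" else date.fromisoformat(applied),
        })
    return rows


def overdue_updates(rows, today):
    """Return (device, update, days_overdue) for critical updates past the window.

    A device is overdue if the update is unapplied and the deadline has passed,
    or if it was applied after the deadline (late, which an assessor would
    still want to see).
    """
    findings = []
    for r in rows:
        if r["severity"] != "critical":
            continue  # the 14-day rule on the page is about critical updates
        deadline = r["released"] + PATCH_WINDOW
        if r["applied"] is not None and r["applied"] <= deadline:
            continue  # applied in time
        if r["applied"] is None and today <= deadline:
            continue  # unapplied but still inside the window
        reference = r["applied"] or today
        findings.append((r["device"], r["update"], (reference - deadline).days))
    return findings


def run_check(inventory_text, today_iso):
    """Convenience wrapper: parse, evaluate as of today_iso, return findings."""
    return overdue_updates(parse_inventory(inventory_text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for device, update, days in run_check(INVENTORY, "2025-07-01"):
        print(f"{device}: {update} is {days} day(s) past the 14-day window")
```

Run as of 2025-07-01 the constructed inventory yields two findings: laptop-02 (unapplied, 16 days past deadline) and laptop-05 (applied, but 5 days late); the high-severity item on server-03 and the still-in-window update on phone-04 are not reported.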
Passwords, Phishing and MFA: What Needs to Change
Passwords remain one of the weakest links in many organisations' security strategies.
Neil points out that credentials stolen in one breach are often resold on the dark web, then reused in password-guessing attacks on other services.
That’s why organisations should use multi-factor authentication (MFA) wherever possible.
While not perfect, MFA can block the vast majority of automated attacks that rely on compromised credentials.
Even a simple SMS second factor is far better than password-only protection.
"Any form of multi-factor helps stop someone logging in as you. It creates a decision point for the attacker."
Neil Furminger, IASME Consortium
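Neil's description of stolen credentials being replayed against other services corresponds to a pattern a defender can look for in login logs: one source address trying many different accounts once or twice each (breadth), as opposed to a brute-force attempt hammering a single account (depth). The detector below is an added example, not code from the podcast or from IASME; its log line format, addresses and account names are constructed. It also counts accounts where the password was accepted but the second factor was never completed, which is the "decision point" MFA creates for the attacker showing up in the logs.

```python
"""Credential-stuffing detection over login logs (added example, not IASME code).

Flags source addresses that fail logins against many distinct accounts within
a short window, and counts how many of those accounts MFA protected.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: timestamp, source ip, account, outcome, optional reason.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample: 203.0.113.5 tries six accounts once each (stuffing);
# erin's password was accepted but MFA was not completed, so the login failed;
# 198.51.100.7 is a legitimate user who mistyped once and then succeeded.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z ip=203.0.113.5 user=alice result=fail reason=bad_password
2025-07-01T09:00:02Z ip=203.0.113.5 user=bob result=fail reason=bad_password
2025-07-01T09:00:02Z ip=203.0.113.5 user=carol result=fail reason=bad_password
2025-07-01T09:00:03Z ip=203.0.113.5 user=dave result=fail reason=bad_password
2025-07-01T09:00:03Z ip=203.0.113.5 user=erin result=fail reason=mfa_not_completed
2025-07-01T09:00:04Z ip=203.0.113.5 user=frank result=fail reason=bad_password
2025-07-01T09:01:10Z ip=198.51.100.7 user=grace result=fail reason=bad_password
2025-07-01T09:01:25Z ip=198.51.100.7 user=grace result=success
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: summary} for sources failing against >= min_accounts
    distinct accounts inside any `window`-long span of their failures."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {e["user"] for e in span}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > best["accounts"]):
                best = {
                    "accounts": len(accounts),
                    # Accounts where the password matched but MFA stopped the login.
                    "accounts_saved_by_mfa": len(
                        {e["user"] for e in span if e["reason"] == "mfa_not_completed"}
                    ),
                }
        if best:
            alerts[ip] = best
    return alerts


def detect_from_text(text, **kwargs):
    """Convenience wrapper: parse then detect."""
    return detect_stuffing(parse_log(text), **kwargs)


if __name__ == "__main__":
    for ip, summary in detect_from_text(SAMPLE_LOG).items():
        print(f"{ip}: {summary['accounts']} accounts tried, "
              f"{summary['accounts_saved_by_mfa']} held by MFA")
```

On the constructed sample the detector raises one alert, for 203.0.113.5 (six accounts tried, one of them held by MFA), and stays quiet for the legitimate user's single mistake. The thresholds are assumptions to tune against your own sign-in volumes; the useful takeaway is that the "accounts saved by MFA" count is direct evidence of the control working, and a non-zero value usually means those users' passwords are already in circulation and should be changed.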
Passkeys: The Future of Authentication?
A newer technology now going mainstream is passkeys - a passwordless login method that uses biometrics or physical security keys.
Neil explains they’re phishing-resistant and don't rely on users remembering complex passwords.
They’re already available on services like Google and eBay, but wider adoption will take time.
Cyber Essentials aims to educate organisations along this journey, regardless of their current maturity.
Scaling Security in Enterprise Communications
For large organisations managing digital communications at scale, the starting point is always the same: understanding what devices and systems are in use.
You can’t protect an asset you don’t know exists.
This becomes especially important as enterprises deploy new tools, platforms, and interfaces to engage with customers online.
“If it’s connected to the internet,” Neil warns, “then an attacker can find it and try to get in.”
That’s why applying Cyber Essentials-style controls across customer-facing systems is so important.
Why Even Large Companies Get Caught Out
Neil points out that many high-profile breaches stem from basic misunderstandings or missteps.
In fact, education remains his biggest ongoing challenge in the role.
It’s not a lack of tools, budgets or even awareness - it’s often misconceptions about what actually needs to be done.
"The hardest part is convincing people that doing a few simple things can make such a big difference."
Neil Furminger, IASME Consortium
What Can You Do Today?
If you’ve got some spare time, Neil has two simple things you can do:
- Update Your Device - Apply any available updates to your laptop or phone without delay.
- Turn On MFA - Enable multi-factor login on all your online services, especially email, banking and cloud-based tools.
These actions reduce your risk dramatically, often with just a few minutes’ work.
And if you're responsible for a department or company-wide systems, Neil recommends reviewing your cloud platforms and enabling MFA across users.
It’s a quick win that protects both you and your customers from increasingly opportunistic attacks.
FAQs
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations protect themselves from common online threats with five key technical controls.
Why Does Multi-Factor Authentication Matter?
MFA adds a second barrier to access beyond passwords, dramatically reducing the success of phishing and credential-stuffing attacks.
What Are Passkeys?
Passkeys are passwordless login credentials that use biometrics or hardware tokens to securely authenticate users, making them resistant to phishing and guessing attacks.
How Can Small Businesses Benefit from Cyber Essentials?
It provides a cost-effective way to build strong cyber defences, gain customer trust, and demonstrate best practice in security, even without a large IT team.
What’s the Main Security Challenge for Larger Organisations?
The biggest challenge is applying and maintaining basic security controls consistently across all devices, users, and communication systems at scale.
Reviewed by
Sam Kendall, 18.07.2025