Category

Cyber Security

Cyber Essentials vs Cyber Essentials Plus: Which One Does Your Business Actually Need?

Cyber Essentials and Cyber Essentials Plus sound alike but aren’t the same. Here’s the real difference, and why Plus is getting harder to pass.

Here’s a question we get a lot: “We keep seeing Cyber Essentials and Cyber Essentials Plus mentioned in tenders and insurance forms, what’s actually the difference, and which one do we need?”

Fair question. The names are almost identical, but the two are quite different in practice, and picking the wrong one can either leave you under-protected or land you with a much bigger job than you were expecting. 

Cyber Essentials: the honesty-based check

Think of Cyber Essentials as the “tell us about your homework” version. It’s a UK government-backed scheme, and it looks at five basic areas that stop the vast majority of everyday cyberattacks, not the James Bond stuff, just the boring, common attacks that catch businesses out every single day:

  • Firewalls — is there a proper barrier between your systems and the internet?
  • Secure configuration — are your devices set up safely, not just left on default settings?
  • User access control — do people only have access to what they actually need?
  • Malware protection — is your antivirus doing its job?
  • Patch management — are you actually keeping software updated?

You fill in a questionnaire about how you handle each of these, an independent assessor reviews it, and if it stacks up, you get certified. Nobody visits. Nobody tests anything directly. It’s essentially you saying “here’s what we do,” and being taken at your word.

Most businesses can get there within a few weeks, and it’s often exactly what’s needed to tick the box on a contract or reassure a bigger client you’re taking security seriously.

Cyber Essentials Plus: same questions, but now they check

Plus covers the same five areas. The difference is nobody’s taking your word for it anymore.

An assessor actually comes and tests things. A technical audit of a sample of your real devices, vulnerability scans from outside and inside your network, and genuine verification that your patching, antivirus, and configurations are doing what you said they were. Not documented, actually there.

So if Cyber Essentials is “tell us what you do,” Plus is “prove it.” That’s exactly why it carries more weight with clients, insurers, and public sector procurement teams — it’s proof, not a promise.

Why Plus has gotten harder to achieve

Plus has quietly gotten a lot harder to pass than it used to be. We say this to clients all the time, and it usually gets a raised eyebrow: what sailed through an audit a few years ago won’t necessarily pass one today. As attacks get more sophisticated, the bar for Plus has risen right along with them. A few reasons why:

Everyone works from everywhere now. A few years back, most company devices sat behind one office firewall on one network. Now they’re logging in from home broadband, the local coffee shop, a phone hotspot on the train. Assessors have had to widen what they check to cover all of that — which means more can go wrong, and more ways to technically fail.

MFA isn’t optional anymore. Multi-factor authentication used to be a nice-to-have. Now assessors look hard at it, especially on admin accounts, and they’re not forgiving if it’s missing or half-enforced.

The patching clock has sped up. There used to be more breathing room between a patch coming out and it being applied. That window’s shrunk, so you need consistent, fast patching — not “we’ll get to it next month.”

Cloud has made everything more complicated. Nearly every business now runs a mix of on-site kit and cloud platforms like Microsoft 365. Both need to be configured properly and both are in scope now, which is a lot more to keep straight than one office network used to be.

None of that means Plus is out of reach. It just means it rewards the businesses who already run tight, well-managed IT day to day — not the ones scrambling to look good for one audit and then letting things slip again.

People pointing to cyber threat on laptop

So which one do you need?

Honestly, it depends on what you’re trying to achieve.

Go for Cyber Essentials if:

  • This is your first time doing anything like this and you want a realistic, achievable start
  • A contract or client only asks for the base-level certification
  • You want to build good habits first before taking on something tougher

Go for Cyber Essentials Plus if:

  • You’re handling sensitive client, patient, or financial data
  • You’re chasing public sector, healthcare, or bigger enterprise contracts that specifically ask for it
  • You want real, independent proof for your own peace of mind — not just a box ticked
  • Your insurer’s offering better terms for it, which is becoming more and more common

A lot of the businesses we work with treat Cyber Essentials as step one and Plus as step two, and honestly, that’s a smart way to do it. It gives you time to build the right habits and catch anything a self-assessment would miss, so by the time the technical audit comes around, you’re walking in with confidence instead of crossed fingers.

How can we help?

We’ll say this upfront: we can’t certify you. That has to come from an accredited body, and it should — the whole point of Plus is that it’s independent of anyone with a stake in the outcome.

What we can do is make sure you’re not walking into that audit blind. Most businesses that fail their first Cyber Essentials Plus attempt don’t fail because their security is genuinely bad — they fail because nobody checked, beforehand, whether their firewalls, patching, device setups, and access controls would actually hold up under real testing rather than a questionnaire. That’s where we come in: finding the gaps and helping you close them before an assessor finds them for you.

The real value isn't the certificate

It’s easy to think of Cyber Essentials Plus as a piece of paper you need for a tender document. The more useful way to think about it is as a genuine health check on whether your business would actually hold up against a real attack, because the two things being tested are, more often than not, the same thing.

If you’re not sure which level makes sense for your business, or you want an honest read on how ready your IT actually is for a Plus audit, that’s worth figuring out before you book the assessment, not during it.

Protect Your Business Today

Get in touch to find out more about out cybersecurity solutions!

What is Social Engineering in Cyber Security?

Understand how attackers manipulate people with different forms of social engineering, and learn how to stay safe online.

Social Engineering: A Cyber Threat That Targets People, Not Systems

When we used to think about cyberattacks, we imagined hackers breaking into systems through the back end. However, nowadays, many attacks start with something much simpler such as a conversation, an email, or a message that feels completely normal.

This is called social engineering, and it’s one of the most common ways attackers get into your systems.

What is Social Engineering in Cyber Security?

laptop with code

Social engineering is when someone tricks you into sharing information or taking an action that benefits them. So, instead of hackers breaking into systems, they rely on people slipping up. They normally do this by manipulating things like trust, curiosity, or urgency.

It might look like:

  • An email asking you to reset your password
  • A phone call from your ‘IT support’
  • A message saying you’ve got a delivery waiting

On the surface, these seem harmless. But they’re very carefully designed to catch employees out. A prime example of these types of attacks is the high profile M&S, Harrods and Co-op phishing attacks that happened in 2025, where an attacker group posed as employees and tricked help desk staff into resetting passwords or disabling MFA. You will remember how much disruption this caused across the entirety of the UK.

Why people fall for it

Social engineering works because it doesn’t feel like a cyber attack. Attackers are very good at creating situations where you might act quickly without thinking, trust the source without questioning it, feel worried or pressured to respond or are trying to be helpful.

In busy, everyday situations, like work emails or personal messages, it’s easy to miss the warning signs. Especially when they are so subtle.

Common types of social engineering attacks

You will have most definitely heard or even come across most of these social engineering techniques:

Phishing emails: Messages that look like they’re from legitimate companies, asking you to click a link or log in.

Text message scams: Short, urgent messages about deliveries, payments, or prizes.

Phone scams: Calls where someone pretends to be from a trusted organisation and asks for information.

Impersonation: Someone posing as your boss, a colleague, or a supplier, often asking for urgent help or payment.

Baiting: Offering something tempting (like free downloads or rewards) in exchange for your details.

Why it matters for businesses

For organisations, social engineering is more than just spammy emails or inconvenience, it can lead to serious risks. One small action, like clicking a link or sharing login details can lead to a serious cyberattack.

And because these attacks target people rather than systems, even the best tech can’t stop them completely.

What should your business do?

office meeting

Not everyone can be a cyber security expert, but there are a few simple habits can make a big difference.

Take a moment: If something feels urgent, slow down. This pressure is often intentional from the attackers.

Check before you trust: Look closely at who’s contacting you, even an extra letter in someone’s email address, or even added punctuation like ‘.’ can make a huge difference. If unsure, use official channels to confirm.

Keep your details private: Passwords and sensitive information should never be shared casually, even over email.

Be careful with links: If you didn’t expect a link, don’t click it.

Train your team: One of the most effective ways to reduce risk is through regular cybersecurity awareness training. At Mother, we offer training powered by KnowBe4 that helps staff recognise real-world scams, spot red flags, and respond confidently.

It’s practical, easy to follow, and designed for everyday people, not just IT teams. Making employees carry this training out regularly raises their awareness on the scams and can make a big difference to your organisation.

For more information on our cybersecurity awareness training: https://www.mothertech.co.uk/security-awareness-training/

Want to know more about our Cyber security Services?

Mapping Major Cyberattacks on UK Businesses in 2025

Discover the biggest UK cyberattacks of 2025 and the crucial lessons they teach businesses about resilience, response, and prevention. Learn how companies like M&S, JLR, and Harrods were targeted — and how you can protect your organisation from evolving cyber threats.

What this year’s attacks tell us about the state of cyber threats in the UK

As we reach the end of 2025, one thing is clear: cyberattacks are no longer rare events, they’re part of daily life, and not just for businesses.

Whether you run a SMB, a supermarket, or a global car brand, the risks are the same: hackers are getting faster, smarter, and even more relentless.

The government’s Cyber Security Breaches Survey 2025 estimated that over 600,000 UK businesses and 61,000 charities were targeted this year alone. Considering how little we thought about cybersecurity only just a few years ago, now, it’s something no organisation can afford to ignore.

This blog post looks back at some of the biggest attacks that made headlines this year, what happened, how long it took to recover, and most importantly, what every business can learn from them. While this is a very small representation of the attacks that have occurred in the UK this year, the disruption they have caused is still clear.

1. Marks & Spencer — weeks of disruption

Empty Supermarket Shelves

When: April 2025

What happened: Household name, M&S, was hit with a large scale ransomware attack that encrypted their systems, with hackers stealing customers personal data. The attack, which was believed to of happened through a third party, which then used social engineering to trick employees into handing over access. This caused widespread disruption including suspension to online services, and also in store chaos with payment issues and empty shelves in some places. This attack is estimated to of cost M&S around £300 million in lost profit. Even although the attack happened over easter weekend, M&S did not fully resume its online operations until the middle of June.

What it teaches us: Even the large, well equipped companies can fall victim.  Despite the company’s security investments, hackers managed to get in through human error. This highlights the importance that security awareness training has in organisations. Making security everyone’s responsibility (and not just the IT Teams) ensures that employees take extra caution when passing on details, dealing with system changes, and anything else. 

2. Co-op — a fast response that made the difference

When: April 2025

What happened: Around the same time, hackers which were responsible for M&S, also infiltrated the Co-op’s systems. However, the Co-op faced way less disruption, as ransomware never actually got deployed due to them yanking their own plug when they suspected suspicious activity, meaning the cybercriminals were unable to carry out their attack.

While there were temporary shortages and delivery delays, Co-op avoided the prolonged shutdown that M&S faced.

What it teaches us: With cyber attacks now being a ‘when?’ rather than ‘if?’, how you respond matters. Quick isolation beats slow defence. The Co-op’s actions, over M&S, shows that being decisive, even if it means short-term disruption, can turn a potential disaster into a manageable event.  We recommend implementing a cyber response plan into your business, so that if you are faced with a cyber attack, everyone in the organisation knows how to respond.

3. Harrods - Proactive and Contained

When: May 2025

What happened: Harrods detected attempts to access its systems through a third party and swiftly restricted internet access across stores. The company contained the attack with minimal public impact. However, in September, Harrods warned customers that an IT systems breach at a third-party provider may have exposed personal data like names and contact details. Once again, Harrods acted quickly to contain the situation.

What it teaches us: Having clear authority to act quickly can make all the difference. Prevention is great,  but preparation and decisiveness are better. Additionally, Harrods being a target for cyber attacks twice in the last 6 months, highlights that cybersecurity is not a onetime thing, but an ongoing commitment.

4. Jaguar Land Rover — when production stops

When: August 2025

What happened: Jaguar Land Rover (JLR) has suffered a major cyberattack that forced it to shut down production. Without a completed cyber insurance policy, JLR is absorbing the full impact, with potential losses exceeding £3.5 billion in revenue and £1.3 billion in gross profit. The disruption is rippling through its supply chain, threatening tens of thousands of jobs and putting smaller suppliers and dealerships at risk of cash flow crises and layoffs. JLR is cautiously restoring systems with expert help, though smaller partners may struggle to recover as quickly.

What it teaches us: The attack highlights the need for strong cybersecurity, regular staff training, and clear response plans to reduce risks and limit damage. It also shows why having cyber insurance and a resilient supply chain is essential to protect businesses from wider disruption.

5. Kido Nursery Group — personal data exposed

When: Reported September 2025

What happened: Cybercriminals accessed Kido, a London based nursery chain’s systems and published photos and personal details belonging to children, parents, and staff onto the dark web. The nursery group reacted quickly and contacted families while working with police and data regulators.

The Kido hackers are now pushing affected families to sue the nursery chain, which is already struggling with severe damage to its reputation.

Investigators believe the attack started with stolen or phished login details.

What it teaches us: Cyber criminals have no limits. Seeing the group deliberately going after children — something most attackers avoid, often backing off completely once they realise kids’ data is involved is a worrying shift and shows that truly, no industry is safe. At Mother, we’ve worked closely with many education organisations and know exactly how to help them stay safe. Take a look at our education-focused solutions here.

Additionally, protecting data means more than strong passwords it means turning on multi-factor authentication (MFA) everywhere and using password managers to avoid password reuse. You can view our how to create a strong password policy here. Once again, this awareness should be spread across your organisation.

6. Renault UK — a supplier becomes the weak link

When: October 2025

What happened: Renault confirmed that customer data had been stolen via a cyberattack on one of its third-party data processors. No financial data was taken, but personal information was exposed, leading to warnings about potential phishing attempts.

What it teaches us: With many of these cyber-attacks happening through third party suppliers, one thing is clear, you are only as secure as your partners. Review who handles your data and make sure the third parties you work with have security standards in place, cyber essentials for example.  

What 2025 Has Shown Us

Cyberattacks this year have affected almost every sector — childcare, retail, automotive, and manufacturing.

The message is clear: no organisation is too big or too small to be targeted.

Here are the key takeaways every business should remember:

  • Expect it. Cyber incidents are now a matter of when, not if.
  • React fast. Early isolation and communication can stop an attack from escalating. You can view our cyber threat action plan here. 
  • Know your partners. Supplier breaches are now one of the most common causes. Working with organisations who have cyber essentials plus can help in keeping your business safe. 
  • Plan for recovery. Regularly test backups and restore processes — don’t wait for an emergency.
  • Education: Making everyone inside your organisation aware of how to spot a cyberattack is key. Having all these solutions in place is great, but that can all be for nothing if an employee opens the door for these criminals to walk in. Our security awareness solution can be found here. 

The Bottom Line

Cybersecurity isn’t just an IT issue anymore — it’s a business continuity issue.

As 2025 draws to a close, it’s time for businesses to focus less on avoiding every possible attack and more on how to survive and recover when one happens.

In the years ahead, the winners won’t just be the most secure organisations they’ll be the most resilient.

Want to know more about our Cybersecurity Solutions?