    How We Helped an Accountancy Firm Achieve Cyber Essentials and Win Public Sector Work
    Financial Services & Accountancy | 15-30 staff

    From unpatched systems and shared passwords to certified, audit-ready security in under six weeks

    Certified on first attempt: Yes
    Critical vulnerabilities fixed: 12
    Staff security trained: 100%
    New contracts won in 6 months: 3

    About the Business

    Our client is a chartered accountancy practice based in the City of London, providing audit, tax advisory, and bookkeeping services to SMEs and public sector organisations. With a team of around 22 people, the firm manages payroll data, tax returns, and financial records for over 200 clients. The nature of their work means they hold some of the most sensitive data a business can possess, yet their IT security had never been formally assessed or certified.

    The Challenge

    The firm had been shortlisted for two public sector contracts that required Cyber Essentials certification as a minimum. Without it, they could not even submit a tender. The partners knew they needed to act quickly, but when they looked at their current setup, they realised the gap was wider than they had expected.

    A preliminary review revealed a troubling picture. Several workstations were running outdated operating systems that no longer received security patches. Staff were sharing login credentials for key applications. There was no mobile device management in place, meaning personal laptops and phones had uncontrolled access to client data. Backups existed but had never been tested, and no one could confirm whether they would actually restore if needed.

    The firm had a capable office manager who handled IT day-to-day, but security was outside their expertise. They needed a partner who could assess the situation honestly, fix what needed fixing, and guide them through the certification process without disrupting client-facing work.

    Our Solution

    Comprehensive Security Audit

    We carried out a full audit of the firm's IT estate, covering every device, user account, network configuration, and software application. Each finding was categorised by severity and mapped directly to the Cyber Essentials control requirements, giving the firm a clear picture of where they stood and what needed to change.

    Vulnerability Remediation

    We identified and resolved 12 critical vulnerabilities, including unpatched operating systems, open remote desktop ports, and misconfigured firewall rules. Every workstation was updated, legacy software was removed or replaced, and administrative access was locked down to authorised personnel only.

    Access Control and Password Policy

    Shared credentials were eliminated entirely. Every staff member was given their own unique login with role-based access controls. Multi-factor authentication was enabled across all cloud services, and a password policy was enforced that met Cyber Essentials requirements.

    Staff Security Awareness Training

    We delivered a tailored training session covering phishing recognition, safe data handling, and the firm's new security policies. Every member of staff completed the training and signed an acknowledgement, creating an auditable record for the certification assessor.

    Guided Certification Submission

    We prepared all documentation, completed the self-assessment questionnaire on behalf of the firm, and liaised directly with the certification body. The firm achieved Cyber Essentials certification on the first attempt, with no queries or follow-up required from the assessor.

    The Outcome

    The firm achieved Cyber Essentials certification in just five weeks from the start of the engagement. Every vulnerability identified in the audit was remediated before the submission, and the certification was granted on the first attempt without any additional queries from the assessor.

    The immediate commercial impact was clear. Within six months of certification, the firm had won three new public sector contracts that had previously been out of reach. The certification badge now sits on their website, their email signatures, and their tender documents, giving prospective clients visible proof that the firm takes data security seriously.

    Beyond the certification itself, the firm's day-to-day security posture has been transformed. Staff no longer share passwords. Every device is patched and monitored. Backups are tested monthly and restore successfully every time. The office manager, who had previously felt out of their depth on security matters, now has a clear framework and a support partner to lean on.

    The partners described the process as straightforward and painless. They expected weeks of disruption and complexity. Instead, they got a structured, well-communicated project that delivered exactly what was promised, on time and without fuss.

    Services Provided

    Cyber Security, IT Support, Cloud Backups
