In our conversations with clients and prospects, we often learn that finance leaders and founders/CEOs feel overwhelmed by cyber security compliance requirements: there are certifications, regulations, insurance questions, technical tools, and a steady stream of headlines telling you the risks are rising.
This article aims to simply cyber security and enable you to understand what good looks like and how to take the sensible next steps.
The basics: this step is about protecting your business from the most common cyber attacks. Think of it as locking the doors and windows.
In the UK, this tier is best represented by Cyber Essentials, the government‑backed baseline for cyber security . Cyber Essentials focuses on five core areas that prevent the majority of commodity attacks:
Firewalls and secure network boundaries
Secure configuration of devices and systems
Controlled user access (including admin rights)
Malware protection on all endpoints
Timely security updates and patching
These controls won’t stop every attack, but they are proven to block the most common ones. That’s why Cyber Essentials is increasingly required by customers, partners, and government bodies in supply chains.
It significantly reduces your exposure to everyday cyber risk
It provides a recognised, external signal that you take security seriously
It is often a prerequisite for winning contracts or even being considered as a supplier
Tier 2: Managing impact: insurance, regulation, and response
Tier two accepts a hard truth: no organisation is immune. Even with good front‑line controls, incidents can and will happen. This tier looks beyond prevention and focuses on how you manage risk, respond to incidents, and protect sensitive information.
It is driven by two forces:
1. Cyber liability insurance
2. Industry and regulatory requirements (for example NHS, government supply chains, financial services)
Cyber insurers are no longer satisfied with a checklist of technology or software that your business has bought. They want confidence that, if something goes wrong, you can detect it quickly and respond effectively.
A documented incident response plan
Evidence of 24/7 monitoring and rapid escalation
Managed Detection and Response (MDR), not just antivirus
Regular risk assessments and staff awareness
Insurers increasingly look for specialist response capability, not just proof that software is installed.
Simply put, insurers care less about whether malware exists on a device, and more about how quickly you know, who responds, and how damage is contained.
Regulation focuses on data and accountability
If you operate in regulated sectors or handle sensitive data, Tier 2 becomes unavoidable.
Regulators and industry frameworks tend to focus on:
Protection of confidential and personal data
Clear ownership and accountability
Incident response and reporting
Ongoing risk management
This is where cyber security isn’t primarily an “IT problem” and becomes a business priority.
Tier 3 looks at the whole organisation. It asks a broader question: Is security embedded into how the business operates, today and in the future?
This tier is represented by recognised standards such as ISO 27001, which assesses people, process, and technology together.
Unlike Cyber Essentials, standards don’t prescribe specific tools. Instead, they assess whether you:
Understand your information risks
Have clear policies and governance
Can evidence how security is applied in practice
Review, test, and improve over time
ISO 27001, for example, is built around an Information Security Management System (ISMS) that emphasises risk‑based decision‑making and continuous improvement.
Customers ask deeper security questions during procurement
You operate internationally or in highly regulated markets
You want long‑term confidence, not just point‑in‑time compliance
These tiers are not alternatives, they are stacked.
Tier 1 protects you from common attacks
Tier 2 reduces impact and financial exposure when incidents occur
Tier 3 demonstrates maturity, governance, and future readiness
A common mistake we see is jumping straight to Tier 3 without solid Tier 1 foundations, or treating Cyber Essentials as “the end”. In reality, Cyber Essentials is the starting point.
We’re seeing increased interest in Cyber Essentials across UK supply chains. Customers are being asked to prove their security, or else be excluded from procurement processes.
Make better investment decisions
Speak confidently to customers, insurers, and partners
Show that your organisation plays its part in a collective defence
Cyber security is no longer just about protecting your own business. It’s about protecting the ecosystem you operate in.
If you’re early in this journey, start with Tier 1 and build forward deliberately. If you already have Cyber Essentials, use it as a platform to strengthen your incident response and data protection capabilities.
Security doesn’t need to be complicated, but it does need to be intentional.
If you’d like help mapping where your organisation sits across these three tiers, we're happy to have a conversation.