Core Security Controls
The measures every growing business should have
1. Conditional Access
2. Multi Factor Authentication
3. Single Sign On
4. Automated Backups
The Big Four
Most security incidents do not start with sophisticated attacks. They start with a missing control that should have been in place.
When these four measures are absent or poorly configured, attackers have fewer barriers to overcome, insurers have grounds to reduce or refuse claims, and Cyber Essentials audits will not pass. The costs of getting this wrong, financially and operationally, are disproportionate to the cost of getting it right.
The following controls are not advanced. They are the starting point. If any are missing in your business, everything else built on top is weaker.
1. Conditional Access
What is it?
A set of policies that check whether a user, device and location meet your security requirements before access to business systems is granted.
What does it do?
Your team works across devices and networks you do not control. Without access policies in place, a stolen or guessed password is often enough for an attacker to gain full entry. Conditional Access means unrecognised devices or unusual login locations are automatically challenged or blocked, removing that single point of failure.
Where does it apply?
Email, cloud file storage, finance tools, project management platforms – any application your team accesses remotely. Supports the Access Control requirement under Cyber Essentials.
2. Multi-Factor Authentication (MFA)
What is it?
An additional verification step at login, beyond a password – typically an app prompt, a code sent to a trusted device, or a hardware key.
What does it do?
Passwords are routinely stolen, phished, or exposed in data breaches. MFA means a working password alone is not sufficient to access an account. It is the single most effective control against unauthorised access, and the most common missing piece when a business email compromise occurs.
Where does it apply?
Business email, cloud software, finance and accounting systems, remote access – any application holding client data or financial information. Required on all cloud services under Cyber Essentials v3.3 (April 2025). Missing MFA is an automatic failure at assessment.
3. Single Sign On
What is it?
A central authentication layer that lets your team log in once and access multiple business applications without re-entering credentials for each. All access is managed through a single identity provider, typically Microsoft Entra ID or Google Workspace.
What does it do?
As a business grows and adds cloud tools, separate logins multiply the points at which credentials can be compromised. More critically, without a central directory, offboarding becomes error-prone. Former staff, contractors, and freelancers frequently retain access to tools for weeks after departure. SSO means one account disabled is access revoked everywhere.
Where does it apply?
Most relevant for businesses with 30 or more staff across multiple SaaS platforms. Cubit will advise whether SSO is the right fit for your current setup.
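The three identity controls above work as one decision at sign-in time. The following is an added illustration, not Cubit's tooling and not Entra ID or Google Workspace code: a small model of a Conditional Access check that blocks a disabled account (the SSO offboarding point), blocks sign-ins from a country the business never operates from, and challenges an unrecognised device or unusual location for a second factor. The policy values, device names and country codes are constructed for the example.

```python
# Constructed model of Conditional Access evaluation; not Entra ID or Google Workspace code.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # known device, expected location, account active
    REQUIRE_MFA = "require_mfa"  # password alone is not enough for this sign-in
    BLOCK = "block"              # never allowed, regardless of credentials


@dataclass
class SignIn:
    user: str
    device_id: str
    country: str
    mfa_satisfied: bool = False


@dataclass
class Policy:
    """Hypothetical policy inputs: disabled accounts, registered devices, working countries."""
    disabled_users: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    allowed_countries: set = field(default_factory=set)
    blocked_countries: set = field(default_factory=set)


def evaluate(policy: Policy, attempt: SignIn) -> Decision:
    """Check the user, device and location against policy before access is granted."""
    # One account disabled in the central directory is access revoked everywhere.
    if attempt.user in policy.disabled_users:
        return Decision.BLOCK
    if attempt.country in policy.blocked_countries:
        return Decision.BLOCK
    unknown_device = attempt.device_id not in policy.known_devices
    unusual_location = attempt.country not in policy.allowed_countries
    if unknown_device or unusual_location:
        # Unrecognised device or unusual login location: challenge for a second factor.
        return Decision.ALLOW if attempt.mfa_satisfied else Decision.REQUIRE_MFA
    return Decision.ALLOW


# Constructed policy for a UK business whose staff also work from Ireland.
POLICY = Policy(
    disabled_users={"former-contractor"},
    known_devices={"laptop-0417", "phone-0912"},
    allowed_countries={"GB", "IE"},
    blocked_countries={"XX"},  # placeholder code for a country the business never signs in from
)
```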
4. Automatic Backups
What is it?
Regular, automated copies of your business data stored separately from your primary systems, including files, email, databases, and any system your business depends on day to day.
What does it do?
Ransomware encrypts your data and demands payment for its return. Hardware fails. Files get deleted. Without backups held separately, your options in a ransomware incident are to pay or to start again. Backups are not a recovery tool unless they are tested. An untested backup is a guess.
Where does it apply?
Business files and shared drives, email and calendar data, accounting records, and client project files. Backup and recovery is an assessed area in Cyber Essentials Plus audits. Untested or undocumented procedures are a common failure point.
Where does Cubit come in?
We assess what is actually in place, identify the gaps, and implement the controls your business needs based on how your team works, which tools you use, and what you are working toward.
For businesses pursuing Cyber Essentials or Cyber Essentials Plus certification, we map implementation against the scheme requirements so nothing is left to chance at audit time.
Every control we put in place is monitored. We do not configure and walk away.
If you want to see where you stand today before any conversation with us, the Cubit CyberCheck takes five minutes and gives you a score across five areas of your current security posture.
Frequently Asked Questions
Do all businesses need these security controls?
Yes. The size of a business does not reduce its exposure. Smaller organisations are frequently targeted precisely because their defences are weaker and the cost of recovery is harder to absorb. These controls are relevant from the point at which a business holds client data, processes payments, or relies on email for operations, which is essentially every business.
What is the difference between MFA and SSO?
MFA (Multi-Factor Authentication) verifies that the person logging in is who they claim to be, by requiring a second proof beyond a password. SSO (Single Sign-On) controls access to multiple applications through a single login. They solve different problems and work well together: SSO reduces the number of places a credential can be compromised, and MFA ensures the credential is properly verified each time it is used.
How do I know if our backups would actually work in a recovery situation?
Most businesses cannot answer this question, which is the problem. A backup that has not been tested is a guess. The only way to know a backup works is to restore from it. A full recovery test should be performed at least annually. This includes pulling actual files from the backup, not just confirming the backup job ran successfully. Cubit includes backup validation as part of ongoing monitoring for managed clients.
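The restore test described in section 4 and in the answer above means pulling real files back out and checking them, not reading a job status. This is an added example, not Cubit's validation tooling: it backs up a small constructed file tree to a tar archive, records a hash of every file at backup time, restores the archive into a scratch directory and compares each restored file against that record, so a missing or corrupted file is reported rather than silently passed.

```python
# Constructed restore test: verify restored file contents, not just that the backup job ran.
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # fine for the small files used here


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the tree and return a manifest {relative path: sha256} taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return {str(p.relative_to(source)): sha256_of(p) for p in source.rglob("*") if p.is_file()}


def restore_test(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and compare every file to the manifest; [] means restorable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # rejects path-traversal members (Python 3.12+)
            except TypeError:
                tar.extractall(dest)  # older Python without the filter argument
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed data: a tiny 'business files' tree, backed up and restore-tested."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "files"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "invoices.csv").write_text("id,amount\n1,120.00\n")
        (src / "clients.txt").write_text("Acme Ltd\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_test(archive, manifest)
        # A manifest entry that no longer matches stands in for a corrupted or changed file.
        tampered = {**manifest, "clients.txt": "0" * 64}
        return clean, restore_test(archive, tampered)
```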
Can we handle these controls internally, or do we need an IT partner?
They can be implemented and managed internally, provided someone is accountable for doing so. The more common failure mode is not the absence of tools but the absence of ownership. Conditional Access policies need reviewing when the business changes. Backups need testing. Offboarding needs to be consistent. Many businesses have most of the right tools in place but no-one monitoring whether they are working correctly. An IT partner provides both the implementation and the ongoing assurance.
Is Microsoft 365 enough to cover our security?
Microsoft 365 includes several security features, but the default configuration does not have most of them switched on. MFA is not enforced by default. Conditional Access policies need to be configured. Many of the most important protections require an E3 or E5 licence level and deliberate setup. The platform gives you the tools. Having them properly configured and monitored is a different question.
What are the Cyber Essentials requirements for access controls?
Cyber Essentials requires MFA on all cloud services accessible from the internet, following the April 2025 update to the scheme. It also requires access controls to be configured so that users only have access to the systems and data they need for their role. Conditional Access policies, SSO, and documented offboarding procedures all support these requirements. Missing MFA on cloud services is now an automatic failure at assessment.
What happens to system access when someone leaves the business?
Without SSO or a documented offboarding process, the answer is usually ‘it depends on who remembers to do what.’ Accounts in individual SaaS tools are frequently missed when someone leaves. Former employees, contractors, or freelancers often retain access to file storage, project tools, or email for weeks or months after their departure. This is one of the most common and preventable sources of data exposure. SSO combined with a clear offboarding checklist removes this risk.