The IT Baseline

The measures every growing business should have

1. Conditional Access

3. Single
Sign On

2. Multi Factor Authentication

4. Automated Backups

Why it matters

Our IT baseline is built to meet the Cyber Essentials standard as a baseline. It covers your users, devices, email, backups and identity controls to the level the UK government’s own certification scheme requires. Every account starts here.

This is the standard for agencies, practices and studios without a regulated compliance requirement or highly sensitive client data beyond standard commercial confidentiality, which describes most of the businesses Cubit works with. If your work involves regulated data, government contracts with specific clearance requirements, or a client base that demands certified compliance, Secure is built for that level of risk instead.

If a business doesn’t meet this baseline, everything built on top of it, client trust, insurance cover, contract eligibility, is weaker than it should be.

The four controls that define the standard

Most security incidents start with a missing control that should have been in place. These four are the basis for Cyber Essentials.

Conditional
Access

This checks whether a user, device and location meet your security requirements before access is granted, so an unrecognised device or unusual login location is automatically challenged or blocked. This closes the gap a stolen or guessed password would otherwise leave open.

Multi-Factor
Authentication (MFA)

A password alone is not proof of identity. MFA adds a second verification step, typically an app prompt or a code sent to a trusted device, so a compromised password is not enough on its own. Under Cyber Essentials v3.3, MFA is required on all cloud services and its absence is an automatic assessment failure.

Single
Sign On

As a business adds cloud tools, separate logins multiply the points where credentials can be compromised, and offboarding becomes error-prone. SSO centralises authentication through one identity provider, so one account disabled means access is revoked everywhere. This matters most once a business has grown past a handful of core systems.

Automatic
Backups

Ransomware encrypts data and demands payment for its return. Hardware fails. Files get deleted by mistake. Automated backups held separately from your primary systems mean recovery does not depend on paying an attacker. An untested backup is a guess, not a safeguard, which is why  regular recovery testing is important too.

Cubit Favicon

Where Cubit comes in?

Cubit assesses what is actually in place, identifies the gaps, and implements the controls your business needs based on how your team works, which tools you use, and what you are working toward.

Every control is monitored on an ongoing basis. Cubit does not configure a system and walk away.

If you want to see where your business stands today before any conversation with us, the Cubit CyberCheck takes five minutes and scores your current security posture across five areas.

Frequently Asked Questions

Is meeting Cyber Essentials standard enough, or do we need certification?

Meeting the standard and holding the certification are different things. Foundation aligns your IT with what Cyber Essentials requires operationally. If you need the certificate itself, for a client requirement, an insurance condition, or a tender, that is available as an add-on rather than something bundled by default. Talk to Cubit about whether your situation needs the certificate or just the standard.

Do all businesses need these security controls?

Yes. Business size does not reduce exposure. Smaller organisations are frequently targeted precisely because their defences are weaker and recovery is harder to absorb. These controls are relevant from the point a business holds client data, processes payments, or relies on email for operations, which is effectively every business Cubit works with.

What is the difference between MFA and SSO?

MFA verifies that the person logging in is who they claim to be, by requiring a second proof beyond a password. SSO controls access to multiple applications through a single login. They solve different problems and work well together: SSO reduces the number of places a credential can be compromised, and MFA ensures the credential is properly verified each time it is used.

Can we handle these controls internally, or do we need an IT partner?

They can be implemented and managed internally, provided someone is accountable for doing so. The more common failure mode is not the absence of tools but the absence of ownership. Conditional Access policies need reviewing when the business changes. Backups need testing. Offboarding needs to be consistent. Many businesses have most of the right tools in place but no-one monitoring whether they are working correctly. An IT partner provides both the implementation and the ongoing assurance.

How do I know if our backups would actually work in a recovery situation?

Most businesses cannot answer this, which is the problem. A backup that has not been tested is a guess. The only way to know a backup works is to restore from it. A full recovery test should happen at least annually, pulling actual files rather than just confirming the backup job ran. Cubit includes backup validation as part of ongoing monitoring.

Can we handle these controls internally, or do we need an IT partner?

They can be implemented and managed internally, provided someone is accountable for doing so. The more common failure is not the absence of tools but the absence of ownership: policies that never get reviewed, backups that never get tested, offboarding that is inconsistent. An IT partner provides both the implementation and the ongoing assurance that it keeps working.

What happens to system access when someone leaves the business?

Without SSO or a documented offboarding process, the answer is usually that it depends on who remembers to do what. Accounts in individual tools are frequently missed. Former staff, contractors or freelancers often retain access to file storage, project tools or email for weeks after they leave. SSO combined with a clear offboarding checklist removes this risk.