The Contract That Changed Things
Pearson Building Limited are a well-established construction firm based in Wigton, Cumbria. They do good work, they've got a strong reputation locally, and they'd been growing steadily for years. But they kept running into the same wall: larger contracts, particularly public sector work, were increasingly asking for Cyber Essentials certification as a minimum requirement.
Without it, they were being locked out of opportunities before they could even put a bid in. It wasn't about whether they were capable of doing the work; it was about proving they took data security seriously enough to be trusted with it.
They didn't just want the basic Cyber Essentials badge either. They wanted Cyber Essentials Plus, the higher-level certification that includes hands-on technical testing of your systems, not just a self-assessment questionnaire. It's harder to get, but it carries more weight with the kind of clients they were targeting.
What We Found When We Looked Under the Hood
Pearson's weren't starting from zero. They had a reasonable setup and their team were sensible about security. But like most small businesses, there were gaps that nobody had thought to check.
Some machines were running outdated software. Password policies were inconsistent: some accounts had strong passwords, others hadn't been changed in years. There was no formal process for applying security patches, which meant some devices were weeks or months behind on updates. And access controls were loose, with people holding permissions they didn't need, simply because nobody had revisited them since the accounts were set up.
None of this is unusual. It's exactly what we find in most businesses of this size. The important thing is that Pearson's wanted to fix it properly, not just scrape through the certification.
Getting Them Ready
We worked through the gaps methodically, without overcomplicating things or disrupting their day-to-day operations. Construction firms aren't like office-based businesses. People are on site, using laptops in portacabins, accessing files remotely. The security has to work in the real world, not just on paper.
- Network hardening: we tightened up firewall rules, closed unnecessary ports, and made sure the network was properly segmented so that a compromised device couldn't reach everything
- Patch management: we set up automated patching so that critical updates are applied within 14 days across all devices, without anyone having to remember to do it
- Endpoint protection: proper antivirus and endpoint detection on every machine, including the laptops that go out to site
- Access controls: we reviewed every account, removed unnecessary permissions, and enforced strong password policies across the board
- Staff preparation: we ran simulated tests and training sessions so the team understood what the assessors would be looking for and why it mattered
The Result
Pearson Building passed their Cyber Essentials Plus assessment. Not scraped through, but passed properly, with a setup they could maintain going forward.
More importantly, they came out of the process with a genuinely stronger security posture. Their devices are kept up to date automatically. Their network is properly configured. Their team understands the basics of what to look out for. And they've got a recognised certification that tells clients and partners: this is a business that takes data protection seriously.
We still look after their systems as part of our cyber security and managed IT services, keeping them compliant, monitoring for issues, and making sure they're ready when renewal comes around. Because certification isn't a one-off. It's an ongoing commitment, and it's one that pays for itself every time they win a contract they couldn't have bid on before.

