User access control sits at the heart of the Cyber Essentials scheme, and for good reason. The majority of successful cyberattacks — ransomware, data breaches, account takeovers — exploit poorly managed user accounts. Whether an attacker guesses a weak password, phishes a credential, or simply logs in with an ex-employee’s account that was never disabled, the root cause is almost always the same: organisations have not applied the principle of least privilege, and they have not made unauthorised access sufficiently difficult. Cyber Essentials addresses this directly with a set of requirements that are straightforward to implement and, crucially, highly effective at reducing risk.
Standard Accounts for Day-to-Day Work
The first requirement is one that many small organisations get wrong by default: users should not carry out their everyday work — email, web browsing, document editing — using an account with local administrator rights. Standard user accounts limit the damage that malware can do. Ransomware running under a standard account cannot install drivers, modify system files, or spread as freely as it could with admin privileges.
This means your staff need two separate accounts if they require administrative access: a standard account for daily tasks, and a separate privileged account used exclusively for administrative work. The admin account should never be used to check email or browse the web. This is not merely good practice — it is a Cyber Essentials requirement. Assessors will ask about it, and a setup where the IT administrator’s single account doubles as their everyday email account is a clear failure.
Privileged Accounts: Separation and Discipline
Privileged accounts should be named in a way that distinguishes them from standard accounts (for example, admin-jsmith rather than jsmith) and should be used only when performing specific administrative tasks. Once the task is complete, the administrator should return to their standard account. These accounts should have MFA enabled, strong unique passwords, and should not be used to access the internet for general browsing.
Shared admin accounts — where multiple people know the credentials for a single account — are a common failure point. They make audit trails meaningless, complicate offboarding, and often go without MFA because nobody wants to hold the authenticator. Cyber Essentials does not prohibit shared accounts outright, but assessors expect them to be documented, to hold only the minimum necessary privileges, and to have MFA applied wherever technically feasible.
Removing Access When Staff Leave or Change Role
Accounts belonging to former employees represent one of the most persistent risks in any organisation. An ex-employee’s Microsoft 365 account, left active and unmonitored, is an open door. Cyber Essentials requires that accounts are disabled or deleted promptly when staff leave or move to a role that no longer requires the same access.
“Promptly” means on the day of departure, not at the end of the week when IT gets round to it. Build offboarding into your HR process: when a leaver is confirmed, the trigger to disable their account should be automatic or at minimum a checklist item with a named owner. The same logic applies to role changes — a member of staff who moves from finance to marketing no longer needs access to the finance systems, and that access should be removed.
In Microsoft 365, disabling a user account (rather than deleting it immediately) preserves their mailbox and data while blocking login. This is usually the right approach for the first 30 days, after which the account and licence can be reviewed.
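The disable-on-departure step above, as an added example (not code from the original article) for Microsoft 365 using the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed and is run from the administrator's separate privileged account; the UPN and log path are constructed placeholders.

```powershell
# Added example (not from the article): disable a leaver's Microsoft 365 account on the day
# they leave, end their existing sessions, and log a 30-day review date.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and an admin
# account that can manage users. The UPN and log path are constructed placeholders.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,          # e.g. "abrown@example.com" (constructed)
    [string] $LogPath = ".\offboarding-log.csv"          # constructed path
)

# Request only the permissions this task needs, from the separate admin account.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All" -NoWelcome

$user = Get-MgUser -UserId $LeaverUpn -Property Id, UserPrincipalName, AccountEnabled

# 1. Block sign-in. Disabling rather than deleting keeps the mailbox and files for the
#    30-day review window, which is what the guidance above recommends.
if ($user.AccountEnabled) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
}

# 2. Revoke refresh tokens. Disabling the account alone does not end sessions that already
#    hold a valid token on a phone or laptop; this forces every client to re-authenticate.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Confirm the change rather than assuming it worked.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) {
    throw "Account $LeaverUpn is still enabled; investigate before closing the leaver ticket."
}

# 4. Record the action and the review date so the 30-day decision has a trigger and an owner.
$reviewBy = (Get-Date).AddDays(30).ToString("yyyy-MM-dd")
"$(Get-Date -Format s),$($user.UserPrincipalName),disabled,review-by=$reviewBy" |
    Add-Content -Path $LogPath
Write-Host "Disabled $($user.UserPrincipalName); sessions revoked; review by $reviewBy."
```

Run it as soon as HR confirms the leaver; the log line gives the 30-day licence and data review a date to work from.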
Multi-Factor Authentication: What Is Required and Where
Since the Montpellier update to the Cyber Essentials technical controls, MFA is mandatory for all accounts that can access your organisation’s data via the internet. This is not limited to web applications. It covers any service reachable from outside your network — Microsoft 365, Google Workspace, webmail, cloud storage, VPNs, and remote desktop solutions such as RDP over the internet or tools like TeamViewer and AnyDesk. If someone can reach it from a coffee shop without being on your internal network, MFA is required.
Accepted methods under Cyber Essentials are:
- Authenticator apps (Microsoft Authenticator, Google Authenticator, Aegis) — these are the recommended approach
- Hardware tokens (YubiKey or similar FIDO2/TOTP devices) — particularly suited to privileged accounts
- SMS one-time codes — accepted for Cyber Essentials purposes, but the NCSC does not recommend SMS as a primary MFA method due to SIM-swapping risks
Biometrics alone (fingerprint, Face ID) are generally not sufficient unless combined with another factor. The key principle is something you know plus something you have — or a possession factor strong enough to stand alone.
Enabling MFA in Microsoft 365
For UK SMBs on Microsoft 365 Business Basic or Business Standard, MFA is included at no additional cost. There are two routes to enabling it. The first, and recommended, approach is Conditional Access in Entra ID (previously Azure AD), which allows you to enforce MFA based on policies — for example, requiring MFA for all users when signing in from outside your office network. This requires an Entra ID P1 licence, which is included in Microsoft 365 Business Premium but not in Basic or Standard.
The second approach is legacy per-user MFA, available in the Microsoft 365 admin centre under Users > Active Users > Multi-factor authentication. This is less flexible but does not require additional licences. For most SMBs without Business Premium, this is the practical route. Enable it for every user, including administrators, and set a deadline for enrolment. Microsoft’s Security Defaults feature also enforces MFA automatically and is a reasonable starting point for organisations with no existing Conditional Access policies.
Google Workspace
In the Google Admin console, MFA enforcement is found under Security > Authentication > 2-step verification. You can require it for all users in your organisation and set an enrolment period. Google supports authenticator apps, hardware security keys, and Google prompts via the Google app. As with Microsoft, SMS is supported but not preferred.
Password Policies Under Cyber Essentials
Cyber Essentials aligns with current NCSC guidance on passwords. The requirement is a minimum of eight characters. Mandatory regular password changes — the old practice of forcing users to change passwords every 90 days — are not required, and the NCSC actively discourages this policy because it tends to produce weaker passwords (users simply increment a number). Passwords should only be changed if compromise is suspected.
The NCSC encourages the use of password managers, and so does good Cyber Essentials practice. A password manager enables users to have long, unique passwords for every account without the cognitive overhead that drives password reuse. For organisations using Microsoft 365, Microsoft’s own password manager (built into Edge and the Authenticator app) is available at no extra cost.
Handling Staff Who Resist MFA
Resistance to MFA is common, particularly in smaller organisations where staff are not accustomed to security controls. The most effective approach is to frame it as a requirement — which it now is under Cyber Essentials — rather than a preference. Run a short briefing explaining that MFA blocks the vast majority of account takeover attacks, and that without it the organisation cannot maintain its certification. Provide a clear enrolment guide specific to your platform, set a deadline, and have IT or a nominated person available to help. Most resistance dissolves once staff have successfully enrolled once and realise the friction is minimal.
Common Failures in Cyber Essentials Assessments
- The IT administrator uses a single account for both admin tasks and daily email — this fails the privileged account separation requirement
- Shared admin accounts exist without MFA, often justified as “too difficult to manage”
- Ex-employee accounts remain active in Microsoft 365 or Active Directory weeks or months after departure
- Service accounts have been granted domain admin or global admin rights “to make things easier” and have never been reviewed
- MFA is enabled for most users but not enforced — staff who skip enrolment simply continue without it
- Remote desktop is exposed to the internet without MFA, relying on password alone
Addressing these six points alone will put most UK SMBs in a strong position for their Cyber Essentials assessment — and more importantly, will significantly reduce the practical risk of a breach.
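A way to check an account export against the failures listed above, as an added example that is not part of the original article. The records are constructed sample data; a real run would feed in an export from Entra ID or Active Directory with the same fields, and the sixth point (remote desktop exposed to the internet) is a network exposure that no account list can show.

```powershell
# Added example (not from the article): flag the account-level failures from the list above
# in an account export. The records are constructed sample data with constructed UPNs.
$accounts = @(
    [pscustomobject]@{ Upn='jsmith@example.com';       Type='user';    IsAdmin=$true;  HasMailbox=$true;  Mfa=$true;  Enabled=$true; LeftOn=$null;        Shared=$false }
    [pscustomobject]@{ Upn='admin-jsmith@example.com'; Type='admin';   IsAdmin=$true;  HasMailbox=$false; Mfa=$true;  Enabled=$true; LeftOn=$null;        Shared=$false }
    [pscustomobject]@{ Upn='helpdesk@example.com';     Type='admin';   IsAdmin=$true;  HasMailbox=$false; Mfa=$false; Enabled=$true; LeftOn=$null;        Shared=$true  }
    [pscustomobject]@{ Upn='abrown@example.com';       Type='user';    IsAdmin=$false; HasMailbox=$true;  Mfa=$true;  Enabled=$true; LeftOn='2024-01-15'; Shared=$false }
    [pscustomobject]@{ Upn='svc-backup@example.com';   Type='service'; IsAdmin=$true;  HasMailbox=$false; Mfa=$false; Enabled=$true; LeftOn=$null;        Shared=$false }
    [pscustomobject]@{ Upn='cjones@example.com';       Type='user';    IsAdmin=$false; HasMailbox=$true;  Mfa=$false; Enabled=$true; LeftOn=$null;        Shared=$false }
)

function New-Finding($Upn, $Finding) {
    [pscustomobject]@{ Upn = $Upn; Finding = $Finding }
}

function Get-AccessControlFindings {
    param([object[]] $Accounts, [datetime] $Today = (Get-Date))
    foreach ($a in $Accounts) {
        # Admin rights on the account that also holds the everyday mailbox: no privilege separation.
        if ($a.IsAdmin -and $a.HasMailbox) {
            New-Finding $a.Upn 'Admin rights on everyday account'
        }
        # Shared admin credentials with no MFA.
        if ($a.Shared -and $a.IsAdmin -and -not $a.Mfa) {
            New-Finding $a.Upn 'Shared admin account without MFA'
        }
        # Leaver whose account is still enabled after the departure date.
        if ($a.LeftOn -and $a.Enabled -and ([datetime]$a.LeftOn) -lt $Today) {
            New-Finding $a.Upn 'Leaver account still enabled'
        }
        # Service account holding admin rights.
        if ($a.Type -eq 'service' -and $a.IsAdmin) {
            New-Finding $a.Upn 'Service account holds admin rights'
        }
        # Enabled human account that never registered MFA (enabled but not enforced).
        if ($a.Enabled -and -not $a.Mfa -and $a.Type -ne 'service') {
            New-Finding $a.Upn 'MFA not registered'
        }
    }
}

Get-AccessControlFindings -Accounts $accounts | Sort-Object Upn | Format-Table -AutoSize
```

With the sample data, jsmith, helpdesk, abrown, svc-backup and cjones are each flagged; only admin-jsmith passes every check.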