Does Cyber Essentials protect against ransomware?
Cyber Essentials materially reduces ransomware risk but does not eliminate it. The five controls - patching, MFA, malware protection, user access control, and firewalls - block the most common initial-access routes for ransomware: phishing-delivered malware, credential theft, exposed remote-access services, and exploitation of unpatched vulnerabilities. Post-intrusion containment and recovery require additional controls beyond CE.
How the five controls reduce ransomware risk
Patching (14-day rule)
A large share of ransomware initial access in UK incidents exploits known vulnerabilities with patches available but unapplied. The 14-day rule closes that window.
MFA on user and admin accounts
Credential stuffing and phishing-harvested credentials are two of the top three ransomware initial-access routes. MFA - phishing-resistant for admin accounts under v3.3 - materially reduces both.
No direct internet exposure of management services
RDP, SMB, and management interfaces exposed to the internet are a frequent ransomware entry point. The firewalls control requires these to be gated behind MFA and strong authentication.
Malware protection
Real-time endpoint protection catches the majority of commodity ransomware samples at the initial-payload stage.
Admin-account separation
Keeping administrative accounts separate from day-to-day user accounts limits the blast radius if a standard user account is compromised.
What Cyber Essentials does not directly require
Ransomware resilience also depends on controls Cyber Essentials does not directly assess:
- Offline or immutable backups with tested restore procedures
- Network segmentation to limit lateral movement
- Privileged Access Management (PAM) beyond basic admin / user separation
- EDR / XDR with behavioural detection and response capabilities
- Incident response retainer or documented IR plan
- Security information and event management (SIEM)
- Tabletop exercises and ransomware-specific simulations
These sit above the CE baseline, in IASME Cyber Assurance Level 2, ISO 27001, or specialist ransomware-resilience programmes.
What the data says
The NCSC's own assessments suggest that organisations meeting the full Cyber Essentials controls are materially less likely to suffer successful commodity ransomware attacks than organisations without the baseline. That is a risk-reduction claim, not a guarantee - and it applies specifically to commodity ransomware rather than targeted, sophisticated campaigns.
What about cyber insurance?
UK cyber insurance policies typically treat Cyber Essentials (and especially Cyber Essentials Plus) as a positive underwriting signal. Ransomware sub-limits and extortion-cover terms are better for insured organisations holding CE than for those that do not. See Cyber Essentials and cyber insurance.
Bottom line
Cyber Essentials is the strongest single step a UK SME can take to reduce ransomware initial-access risk at proportionate cost - but it is the baseline, not a complete ransomware defence. Combine CE with offline backups, an IR plan, and (for higher-risk organisations) EDR and segmentation.
Certify with Fig Group from £299.99 + VAT in 6 working hours.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.