When you run a restaurant that takes card payments, stores customer data, runs the floor on broadband and handles supplier invoices by email, “we don’t really need cyber security” is not a position you can defend in 2026. It was barely defensible five years ago. Today it is the sort of statement that gets you dropped from a tender panel, declined by an insurer, or on the front of the local paper after a card breach. And yet I still hear it - usually phrased as “we’ll look at it when we have to” - from operators who would not dream of running a kitchen without a food hygiene rating.
I want to make a specific, narrow argument in this post. Not that you need a full-blown security programme, not that you need to hire a CISO, and not that you need to spend five figures a year on tooling. I want to argue that Cyber Essentials - the base, UK government-backed certification - is the minimum bar any serious hospitality operator should be clearing, and that if you are not clearing it today, you are taking a commercial risk that is entirely disproportionate to the cost of fixing it.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed certification scheme administered by IASME on behalf of the National Cyber Security Centre. It was deliberately designed as a minimum bar. The whole point of the scheme is that the government needed something small and mid-sized organisations could actually achieve - a short list of sensible technical controls that, if you get them right, will stop the large majority of commodity internet attacks before they land. It is not supposed to make you unhackable. It is supposed to stop you from being the easy target in the room.
There are two levels. Cyber Essentials is a self-assessment verified by a certification body. Cyber Essentials Plus adds a hands-on technical audit where an assessor actually pokes at your estate. Most operators start with the base certification. CloudMatters itself holds the base, not Plus - we go through the process every year, and I think it is important to be straight about that rather than pretending we hold something we do not.
The commercial case
If you strip out the technical language, Cyber Essentials is doing five commercial jobs at once for a hospitality business.
It keeps you eligible for tenders. Corporate catering, university contracts, public sector work, concessions in venues and transport hubs, franchise applications into the bigger groups - these now routinely ask for Cyber Essentials as a qualifying condition. No certification, no bid. I have watched operators with excellent food and excellent operations fail at the procurement gate because they could not tick a box that would have cost them a few thousand pounds and a month of preparation.
It shifts your insurance numbers. Cyber insurance underwriters are leaning hard on Cyber Essentials as a cheap, credible signal of baseline hygiene. Operators who hold it are being offered better terms on renewal. Operators who do not are seeing premiums rise, excesses climb, and in some cases are being declined outright. If you are buying cyber cover, holding the certification almost always pays for itself on the first renewal.
It passes supplier due diligence. The big hospitality groups are pushing compliance down their supply chains because their own auditors are pushing them to. If you supply a national group, operate a concession inside one of their estates, or sit in their franchise network, expect to see Cyber Essentials on the questionnaire. It is easier to hold it than to argue your way around it every twelve months.
It protects customer trust. Card breaches make the local press within 24 hours in hospitality. Being able to say you hold a government-backed certification is worth more than any amount of marketing copy about how seriously you take guest data. When something goes wrong on a neighbouring site, guests who were wavering move to the operator who can answer the question credibly.
It answers board and investor questions. If you have outside investors, a board, or an acquirer on the horizon, “are you Cyber Essentials certified?” is an early, cheap question that sets the tone for the rest of the conversation. Answering yes moves you past it in thirty seconds. Answering no turns it into a discovery exercise, and discovery exercises before a deal are never fun.
The operational case
Separate from the commercial case, there is a plainer one: the five control areas the scheme asks for are table-stakes good practice. If you cannot pass them, you are exposed to the most common attack patterns in use against UK small businesses today.
The five areas are firewalls, secure configuration, user access control, malware protection and security update management. Each one maps directly onto things that actually go wrong in restaurants and hotels. A flat network where the EPOS talks to the guest Wi-Fi. A back-office PC still running a default local admin account. Shared manager logins on the point of sale. Tablets in the pass with no endpoint protection. Router firmware that has not moved in two years because nobody owns the relationship with the broadband supplier. None of these are exotic attacks. They are the ones that actually happen, week in and week out, to operators who never thought they were interesting enough to be a target.
If you cannot pass Cyber Essentials, the problem is not really the certificate. The problem is that your estate has holes the scheme was designed to find. The certificate is just the forcing function that makes you fix them.
Common misconceptions
Three objections come up every single time I raise this with an operator, and all three are wrong.
“It is too expensive.” For a typical mid-sized hospitality operator, the all-in cost of getting certified - assessment fee, remediation work, a bit of tooling - lands in the low single-digit thousands of pounds, depending on scope and the state of the estate. That is less than the excess on most cyber insurance policies, and a fraction of what a single day of EPOS downtime costs on a busy Friday.
“It is too technical.” A good managed service provider does the heavy lifting. You should not be reading the IASME requirements document in bed. You should be running your restaurants while somebody who does this every week walks your estate through the gaps, fixes them, fills in the self-assessment with you and sits in on the conversation with the assessor. If your current hospitality IT provider cannot do this, that is a separate and important conversation.
“We are too small to be a target.” Small and mid-sized businesses are attacked more often than large ones, not less. The economics of modern attacks favour volume - automated scans, commodity phishing, reused credential dumps - and small operators are the sweet spot because they have money, data and almost no defences. “We are too small” is precisely why you are being targeted.
The path from zero to certified
For an operator starting cold, budget four to eight weeks from the first conversation to a pass. Most of that time is remediation work, not paperwork. The sequence tends to look the same every time: take an inventory of every in-scope device, establish a patch cadence you can evidence, put working endpoint protection on everything that needs it, turn on multi-factor authentication for every administrative account, get the firewalls and routers into a defensible state, clean up shared logins, and pull together the short policies the assessor wants to see. Proper network design and segmentation do a lot of the heavy lifting on the firewall and secure configuration controls.
The typical gaps in hospitality are predictable. Shared EPOS manager logins. Flat networks. Tablets in service with no central management. Kit the broadband supplier dropped off in 2019 and nobody has touched since. A back-office PC that is everyone’s and therefore nobody’s. None of these are hard to fix in isolation. They are hard to fix all at once while the sites are trading, which is why starting six weeks before a tender deadline is a bad idea and starting now is a good one.
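As an added illustration (not CloudMatters' tooling and not the scheme's own assessment), here is the inventory-and-gap step from the sequence above run over a constructed device list, mapping the hospitality gaps this post names to the five control areas. The 14-day window is the scheme's requirement for high and critical updates; the guest network name, the staff accounts and the four devices are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cyber Essentials requires high/critical security updates applied within 14 days.
PATCH_WINDOW = timedelta(days=14)
GUEST_NET = "guest-wifi"              # constructed SSID/VLAN name
NAMED_STAFF = {"a.khan", "m.jones"}   # constructed personal accounts

@dataclass(frozen=True)
class Device:
    name: str
    role: str                 # "epos", "back-office", "tablet" or "router"
    network: str              # VLAN/SSID the device sits on
    last_update: date         # newest security update applied
    endpoint_protection: bool
    default_admin: bool       # vendor/default local admin still enabled
    admin_mfa: bool           # MFA on administrative access
    accounts: tuple           # logins present on the device

def assess(devices, today):
    """Map each device to findings under the five control areas."""
    f = {k: [] for k in ("firewalls", "secure configuration", "user access control",
                         "malware protection", "security update management")}
    for d in devices:
        if d.role == "epos" and d.network == GUEST_NET:
            f["firewalls"].append(f"{d.name}: EPOS shares the guest network")
        if d.default_admin:
            f["secure configuration"].append(f"{d.name}: default admin enabled")
        if not d.admin_mfa:
            f["user access control"].append(f"{d.name}: admin access without MFA")
        for a in d.accounts:
            if a not in NAMED_STAFF:   # generic login, not tied to one person
                f["user access control"].append(f"{d.name}: shared login '{a}'")
        if d.role != "router" and not d.endpoint_protection:
            f["malware protection"].append(f"{d.name}: no endpoint protection")
        if today - d.last_update > PATCH_WINDOW:
            f["security update management"].append(
                f"{d.name}: last update {(today - d.last_update).days} days ago")
    return f

def gap_count(findings):
    return sum(len(v) for v in findings.values())

TODAY = date(2026, 3, 1)   # constructed assessment date
INVENTORY = (              # constructed inventory for a small estate
    Device("till-01", "epos", GUEST_NET, date(2026, 2, 20), True, False, True, ("manager",)),
    Device("office-pc", "back-office", "staff", date(2025, 11, 2), True, True, False, ("a.khan", "m.jones")),
    Device("pass-tablet", "tablet", "staff", date(2026, 2, 25), False, False, True, ("a.khan",)),
    Device("edge-router", "router", "wan", date(2024, 1, 15), False, True, False, ("admin",)),
)
```

Running `assess(INVENTORY, TODAY)` turns the list into a per-control worklist, which is the shape a remediation plan and the self-assessment evidence both need.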
Cyber Essentials vs Cyber Essentials Plus
The base certification is the right starting point for almost every hospitality operator. It is self-assessment verified by a certification body, it is affordable, and it clears the commercial hurdles I described at the top of this piece - tenders, insurance, supplier due diligence. CloudMatters holds the base, and for most of the operators we work with, the base is genuinely the right call.
Cyber Essentials Plus adds a hands-on technical audit. It is the right step up when a specific contract requires it, when you are handling unusually sensitive data, or when your board or investors have decided they want the stronger signal. Do not chase Plus for its own sake - chase it when there is a concrete reason - but do not be afraid of it either. If you are running the base cleanly, moving to Plus is a manageable next step, not a leap.
How we approach it
Our approach to getting operators certified is deliberately unglamorous. We start with a scoping conversation to work out what is in scope and what the estate actually looks like today. We run a short gap assessment against the current requirements. We do the remediation - the firewall work, the patching, the MFA rollouts, the access clean-up - as part of the managed service, so you are not juggling three suppliers. We complete the self-assessment with you rather than at you, because the person running the restaurants should understand what they are signing. And we sit beside you through the assessor conversation. Four to eight weeks, fixed expectations, no sales theatre.
If Cyber Essentials is on your list for this year - whether because a tender asked for it, your insurer is pushing, a franchise partner has raised it, or you have simply decided that 2026 is the year you stop carrying the risk - talk to our Cyber Essentials team and we will walk you through what a sensible path looks like for your estate. It is the cheapest insurance policy you can buy, and it is the minimum bar any serious hospitality operator should be clearing.