Cunliffes Property and Construction Consultants are a multidisciplinary practice offering architectural design, project management, building surveying and quantity surveying all under one roof. They have been a trusted name in the construction industry for over two decades and work with a team of 25 professionals across various locations. The company has built a reputation for delivering high-quality professional services to a broad range of clients, specialising in the education sector. However, as the industry increasingly relies on digital tools and data exchange, cyber security has become a critical focus for the organisation.
The Challenge
As a company bidding for government contracts, including projects for the NHS, Cunliffes faced growing requirements to demonstrate robust cyber security measures. Many of these contracts required either detailed cyber security questionnaires or proof of certification, such as Cyber Essentials. Mark Gotham, an architect and the company’s designated cyber security lead, explained, “We were being asked more and more about our cyber security policies and protocols. It became clear that achieving Cyber Essentials certification would not only streamline the bidding process but also provide peace of mind for our clients and ourselves.”
However, as a construction company with no in-house IT team, navigating the technical requirements of Cyber Essentials posed a challenge. Mark, who had been tasked with overseeing the process, admitted, “It was a steep learning curve. Some of the technical questions, like those about firewalls, password policies, and software updates, were beyond our expertise.”
The Solution
To address these challenges, Cunliffes engaged Remo Belisari (ChCSP), Founder and Managing Director of RB Consultancy Ltd, to guide them through the Cyber Essentials certification process. Remo is a Chartered Cyber Security Professional, NCSC-assured Cyber Advisor and a Cyber Essentials Assessor and was able to provide both advisory services and certification support, working closely with Mark, who in turn worked with the company’s external IT provider.
The first step was creating a comprehensive asset list, which included details about all devices, operating systems, and software versions. “Having a clear understanding of what we had was fundamental,” said Remo. “It allowed us to identify what was in scope for Cyber Essentials and apply the necessary controls.”
While not a formal requirement for Cyber Essentials, Remo went above and beyond by providing templates for an information security policy and other essential documentation. This proactive support highlights how engaging with Cyber Essentials, especially with the guidance of a Cyber Advisor, can serve as a catalyst for broader cyber security improvements. Regular catch-up sessions between Mark and Remo were instrumental in addressing technical questions and ensuring compliance with Cyber Essentials requirements.
One of the key challenges was addressing the use of personal devices by employees, as many team members relied on their own mobile phones for work. This raised concerns about software updates, password security, and potential vulnerabilities. To tackle this, Remo conducted an in-person training session at Cunliffes’ office, focusing not just on how the Cyber Essentials controls worked but also on why they were essential for closing security gaps. By using real-life examples of cyber attacks on similar organisations, the session helped employees connect the dots between the controls and the risks they mitigated. This approach was pivotal in shifting mindsets. “At first, there was some resistance, especially around personal devices,” Mark noted. “But the training session was a turning point—you could see the light bulbs going on. People really started to understand the risks and the importance of each Cyber Essentials requirement, which brought them on board and reduced resistance.”
The Outcome
In September 2025, after highly effective preparation and collaboration, Cunliffes successfully achieved Cyber Essentials certification. The certification has not only streamlined the process of bidding for government contracts but also significantly improved the company’s overall cyber security posture.
The certification has also had a positive impact on the company culture. Employees are now more aware of cyber security risks and proactive about protecting both their work and personal devices.
“Going through the Cyber Essentials process was incredibly beneficial,” said Mark. “It helped us identify and address blind spots we didn’t even know we had, like outdated devices and missing firewalls. If we hadn’t gone through this process, we might have been blissfully unaware until something went wrong.”