What we learned helping clients through the latest Cyber Essentials audits

At LeftBrain, we’ve been guiding an increasing number of creative and remote-first teams through Cyber Essentials and Cyber Essentials Plus certifications. These frameworks offer a solid foundation for security, especially for small businesses, design agencies, and film studios who want to meet client expectations without unnecessary complexity.

In this interview, our GRC Lead Lucas Jansen shares what we’ve learned from recent audits, what patterns we’ve seen, and how teams can get real value from the process.

Can you introduce yourself and your role at LeftBrain?

I'm Lucas Jansen, the GRC Lead here at LeftBrain. I oversee both internal and client-side security certifications. That includes leading projects around Cyber Essentials and ISO 27001 compliance.

Why are more creative studios choosing to get Cyber Essentials certified?

It's becoming a real necessity. Cyber crime is now widespread. It used to mostly affect larger companies, but automated attacks and bots mean that smaller businesses are just as exposed.

At the same time, expectations are rising. Even if you're not a large organisation, the people you work with often need you to have a guaranteed baseline of security. Cyber Essentials acts as a trust signal. It shows that you take security seriously.

The other thing is that it's genuinely achievable. Cyber Essentials is designed for small and medium-sized businesses. It’s a great way to start thinking about cyber security and get some strong foundations in place.

What are some of the top lessons you’ve seen come out of recent audits?

1. Tool visibility is too low

A lot of teams don’t know the full scope of tools being used across the business. We’ve seen situations where companies are paying for tools they no longer use or have tools that overlap. That means wasted spend and a lack of clarity around what’s actually in use.

2. Remote work increases risk

The shift to remote work has changed how we secure devices and networks. You’re no longer just thinking about one office. You need to consider every environment your team might work in — at home, in cafés, or co-working spaces. There are a lot of risks introduced simply because devices are no longer in a fixed, secure location. Cyber Essentials helps address this by securing endpoints in a practical way, without being too restrictive.

3. The real benefit is peace of mind

Most clients feel overwhelmed at the start. They’re unsure about what they’re meant to be doing or who’s using what. Certification gives them a clear picture of their environment and what they’re doing to reduce risk. That clarity is powerful. It means they can focus on doing their work — especially in creative industries — without constantly worrying about security threats.

Any advice for creative teams thinking about getting certified?

Don't wait until it's a requirement. Security is often seen as a blocker, but it's meant to be an enabler. It simplifies conversations with clients and gives you the tools to be prepared.

With the right support, Cyber Essentials is a smooth process. And the benefits go well beyond certification. You gain better awareness of your tools, understand how things are secured, and build confidence in how you deliver your work.