Why your business needs an IT hygiene rating.
You’ve seen the green Food Hygiene Rating sticker on a restaurant door. In a second, you know whether the basics are in place. Simple, trusted, visible. It tells you that the people who prepare your food care about your health and safety.
Now think about your business data. Every company now handles sensitive information — payroll, passports, private accounts — yet there’s no quick way for a client to tell if their information is safe. That’s a blind spot. You wouldn’t eat in a restaurant without knowing its hygiene rating, so why should anyone trust their data without an IT equivalent?
This isn’t about finger-wagging at small businesses. It’s about how you show trust. Many companies run what could be called “ad-hoc IT” — everyone’s busy, regulations are light, and the basics slip.
I know of an accountancy firm missing fundamental email protections like SPF and DKIM. The owner is aware of the issue but doesn’t care enough to fix it. Without those basics, criminals can spoof emails from the firm’s domain. Shouldn’t existing and potential clients be able to see that risk before they hand over sensitive data?
What an IT hygiene rating could look like
Like food hygiene stars, an independent body would run spot checks and publish a clear, date-stamped 1–5 score. The assessment would cover the essentials that stop most incidents and reduce the impact when something goes wrong. A credible rating should include:
Awareness & culture: Your team knows how to spot scams and use password managers to keep credentials secure. This is your human firewall.
Identity & email security: Two-step verification (2SV) and properly configured SPF, DKIM, and DMARC stop most account takeovers and spoofed emails.
Backups: Data is automatically backed up, including cloud apps, and regularly restore-tested.
Updates & patching: Devices and software are centrally managed and kept current with security patches.
Incident preparedness: A documented, rehearsed plan means you respond effectively when something goes wrong.
Partners & assurance: Having a named IT partner and certifications like Cyber Essentials adds accountability and independent assurance.
The 1–5 scale explained
Level 1 — At risk
No meaningful controls. No 2SV, poor patching, no verified backups, no email authentication. Everything runs ad-hoc.
What it feels like: nagging worry; every hiccup feels risky.
Level 2 — Basic but inconsistent
Some tools (e.g. antivirus, ad-hoc backups) are in place but unmanaged. Updates are irregular, 2SV not enforced, policies are informal. This is where most businesses are when they first seek help.
What it feels like: false comfort; gaps and doubts remain.
Level 3 — Baseline
Core controls deployed and documented. Cyber Essentials achieved. 2SV enforced, email authentication standards configured, patching in policy, annual user training, daily backups including cloud data.
What it feels like: solid footing; the background worry fades.
Level 4 — Managed and tested
Everything at Level 3 plus evidence of regular testing. Backups are immutable and restore-tested; phishing simulations and refresher training run quarterly; devices are centrally managed; incident response is rehearsed; privileged access is tightly controlled.
What it feels like: calm control; incidents trigger process, not panic.
Level 5 — Resilient
Continuous improvement. Security monitoring and alerting in place; quarterly access reviews; supplier checks; executive involvement in drills; lessons learned fed back into policy. Independent certification beyond Cyber Essentials (e.g. ISO/IASME).
What it feels like: quiet confidence; security becomes a business advantage you can prove.
How this helps your customers
Even though there’s no legal requirement for an IT hygiene rating, your clients still expect you to protect their data. A visible score — even a self-declared one based on clear criteria — helps you show that you take security seriously. That builds trust, reduces awkward questions from clients, and makes you stand out from competitors who leave everything hidden.
How this helps your business
Because there’s no regulation, most SMEs won’t bother — which is exactly why you should. Giving your business an IT hygiene rating shows initiative and care. It helps you:
Reassure customers and prospects that you’ve got the basics covered
Strengthen your position with insurers or partners who ask about risk controls
Reduce stress and downtime inside your business by making essentials visible and repeatable
You don’t need to stick a score on your office window like a restaurant. Instead, you can build trust where it matters — in your proposal documents. Including a simple section that explains how you secure client data makes you stand out immediately against competitors who leave those questions unanswered.
What to ask today (until a national scheme exists)
Until a formal scheme is introduced, ask your suppliers to evidence the essentials:
A current Cyber Essentials certificate
2SV enforced for email and key apps
SPF and DKIM published for the domain, with a DMARC policy set to quarantine or reject and reporting (rua) addresses in place so it is monitored
Centrally managed devices with timely patching
Backups that include cloud data and are regularly restore-tested
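The email authentication item above is the one a client can check for themselves from public DNS. The script below, added here as an illustration rather than anything Kimbley IT publishes, parses SPF, DKIM and DMARC TXT records and grades them against the bar the list sets: a DMARC policy of quarantine or reject, an aggregate-report (rua) address for monitoring, an SPF record that does not end in an open "+all", and a DKIM public key at a known selector. The domains, records and the "s1" selector are constructed samples; to check a real domain, replace `sample_lookup` with a function that returns the TXT records for a name (dnspython's resolver is one option) and pass the selectors the supplier actually uses.

```python
"""Grade a domain's SPF, DKIM and DMARC records against the
'quarantine or reject, with monitoring' bar. Added example for this article,
not Kimbley IT tooling. Every domain and record below is constructed."""
import re

# Constructed sample TXT records keyed by DNS owner name (hypothetical domains).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER-KEY"],
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "nothing.example": [],
}


def sample_lookup(name):
    """Stand-in for a DNS TXT lookup; swap in a real resolver for live checks."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'} (keys lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?', '+', or None if absent."""
    for token in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", token, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # bare 'all' means '+all'
    return None


def assess_domain(domain, lookup=sample_lookup, dkim_selectors=("s1",)):
    """Return the findings for one domain; 'meets_bar' is True only with no issues."""
    issues = []

    # SPF: exactly one v=spf1 record, ending in a qualifier that can fail senders.
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        issues.append("SPF: no v=spf1 record")
    elif len(spf) > 1:
        issues.append("SPF: multiple v=spf1 records (receivers treat this as a permanent error)")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier in (None, "+"):
            issues.append("SPF: no 'all' mechanism or '+all'; any sender passes")
        elif qualifier == "?":
            issues.append("SPF: '?all' is neutral; use ~all or -all")

    # DMARC: policy must be quarantine or reject, and rua= gives the monitoring.
    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        issues.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            issues.append(f"DMARC: p={policy or 'missing'}; needs quarantine or reject")
        if "rua" not in tags:
            issues.append("DMARC: no rua= address, so no aggregate reports (no monitoring)")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            issues.append(f"DMARC: pct={pct} applies the policy to only part of the mail")

    # DKIM: a public key (non-empty p=) must exist at one of the known selectors.
    dkim_found = any(
        parse_tags(r).get("p")
        for sel in dkim_selectors
        for r in lookup(f"{sel}._domainkey.{domain}")
    )
    if not dkim_found:
        issues.append(f"DKIM: no public key at selectors {', '.join(dkim_selectors)}")

    return {"domain": domain, "issues": issues, "meets_bar": not issues}


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "nothing.example"):
        result = assess_domain(name)
        print(f"{name}: {'meets bar' if result['meets_bar'] else 'FAILS'}")
        for issue in result["issues"]:
            print(f"  - {issue}")
```

The checks deliberately stop at what DNS alone can show: a correct DMARC record proves the policy is published, not that the supplier reads the reports it generates, so the rua address is evidence to ask about, not proof of monitoring.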
How Kimbley IT helps you reach Levels 4–5
With Kimbley IT, you get a modern, managed setup that makes the essentials effortless and auditable. Your team benefits from:
Enforced 2SV and correctly configured email authentication with continuous monitoring
Business data backed up multiple times per day to a separate platform, with scheduled restore tests
Centrally managed and patched devices
Clear, ongoing guidance to spot new scams
A rehearsed and current incident plan
In short: you get calm control, resilience, and confidence.
FAQ
What is an IT hygiene rating?
An IT hygiene rating is a simple 1–5 score that shows how well a business protects its data, similar to food hygiene stars for restaurants. The aim is to make digital safety visible and easy to understand at a glance. While most security certifications are hidden in technical reports, a hygiene score would give customers and partners a clear, immediate sense of whether your business has the basics in place to protect their sensitive information.
How is it different from Cyber Essentials?
Cyber Essentials is a voluntary UK government-backed certification that shows you meet a defined baseline of technical security controls, such as firewalls, patching, and malware protection. It’s valuable, but it’s optional — many businesses never pursue it. An IT hygiene rating, if introduced nationally, would be mandatory, simple, and visible. It would not only check technical controls but also cover broader, ongoing practices like company culture, backups, incident response, and supplier assurance. In other words, Cyber Essentials proves a minimum baseline at a point in time, while an IT hygiene rating would show how resilient and trustworthy your business really is on an ongoing basis.
Do small businesses really need this?
Yes. Small businesses often assume they’re too small to be a target, but that’s rarely true. Criminals frequently go after SMEs because they’re seen as easier targets, holding valuable data like payroll details, passports, and bank account information. An IT hygiene rating would give you a clear way to show customers and insurers that you take security seriously. Even without a national scheme in place, adopting the principles behind one sets you apart from competitors who treat IT as an afterthought.
How fast can you move from Level 1 to Level 4?
The speed depends on your starting point and how committed your business is to change. If the basics are completely missing, it may take a little longer to put solid foundations in place. But with focus and the right partner, most businesses can reach Level 4 — a managed, tested environment — in a matter of days. Moving to Level 5, which includes continuous monitoring and improvement, typically takes one to two months. It’s not a quick fix but a partnership, and the gains in resilience and confidence start showing almost immediately.
Can customers see my score?
That’s the goal. A visible rating would act as a public trust signal, much like food hygiene stars. Even if a national scheme doesn’t exist yet, you can still adapt the idea by sharing your own internal “hygiene level” in proposals or client documents. That transparency gives customers the reassurance they want and sets you apart from firms that keep everything hidden.
Bottom line
Food hygiene stars work because they’re simple, visible, and trusted. An IT hygiene rating would do the same for data. Until it exists nationally, use the questions above — and if you want a fast, honest IT hygiene assessment and a plan to reach Levels 4–5, book a video call today.