Willow vs Danzel — Navigating Cyber Essentials V3.3 Before the Deadline
Podcast: The Small Business Cyber Security Guy | Cybersecurity for SMB & Startups
Published On: Mon Mar 09 2026
Description:

Imagine your website is a billboard: a shining Cyber Essentials badge promising security and trust. Now imagine a regulator, insurer or large customer asks one awkward question — and that glossy logo turns from an asset into potential evidence against you. In this episode we walk into that exact moment and refuse to let it be a surprise.

Join Graham Falkner, Noel Bradford and our resident translator of tech, Lucy Harper as they pull apart the new Cyber Essentials changes and stitch the pieces back together into something a small business can actually use. We start with the simple truth: the requirements document (V3.2, V3.3 and whatever comes next) is the standard you must meet, and the Willow and Danzel question sets are the forms you fill in when you buy certification. Get the wrong combination, or try to recycle last year’s answers, and assessors will fail you — quietly at first, then painfully when a tender or a claim comes along.

From there we map the conflict: scope, cloud and asset management. V3.3 pulls the rug on the old ‘that’s someone else’s problem’ attitude — cloud services, BYOD devices that touch organisational data, and remote workers are in the frame. If your asset list is a half-dead spreadsheet and some post-it notes, you cannot honestly answer whether you are compliant. The drama here is avoidable, but only if you stop pretending the messy bits aren’t part of your estate.

We decode the five controls — firewalls, secure configuration, security update management, user access control and malware protection — and translate them into Monday-morning tasks: lock down admin interfaces, remove default accounts, document inbound firewall rules, treat vendor configuration changes as security fixes, and make sure anti-malware actually blocks things rather than sitting in the tray.

Authentication gets a starring role. V3.3 clarifies passwordless (hello FIDO2 and passkeys) and treats modern approaches as valid multi-factor methods. SMS is grudgingly still acceptable, but it’s the floor, not the ceiling. If your tenant runs on Microsoft 365 or Google Workspace, we give concrete examples of what ‘good enough’ looks like for normal users and admins.

We don’t stop at problems — we hand you a plan. Nail your scope and inventory; map assets to the five controls; enable MFA everywhere; clean up admin accounts; ensure critical vendor fixes are applied within the 14‑day window; and prepare evidence in a spreadsheet before you pay for the portal. Treat certification as a living process, not a sticker you won once.

For the procrastinators, we lay out a rapid action plan: days 1–10 define scope and update your asset list; days 11–30 enable MFA, tidy accounts and prove you can hit 14‑day patches; days 31–60 tighten firewall rules, confirm anti-malware and run a dry self-assessment against Willow or Danzel depending on your purchase date.

This episode is equal parts wake-up call and field guide — built for business owners who don’t have a security department but do have customers, contracts and reputations to protect. Listen for the practical checklist, the red flags that bite in tenders and post-breach enquiries, and the honest reassurance that Cyber Essentials will help you — if you stop gaming the edges and start being truthful about what you actually run. By the end you’ll either feel the pressure to act or you’ll be able to explain your scope in 30 seconds. Either way, we give you the first steps: patch your systems, turn on MFA, and stop pretending the cloud is somebody else’s problem.