Running a small, service-based business doesn’t automatically exempt you from thinking about environmental responsibility. In fact, in many ways it makes the question more uncomfortable. When your footprint is modest, it’s easy to tell yourself that the impact is negligible, that bigger organisations are the ones who need to worry about policies, plans, and accountability.
At Cyber Rebels, that didn’t sit quite right.
Our work is rooted in responsibility. We spend our time helping people understand risk, recognise consequences, and make better decisions — often in areas where harm isn’t immediately visible but can be deeply felt over time. It would be inconsistent to apply that thinking outwardly while ignoring how we operate ourselves.
That’s why we chose to pursue Green Small Business certification.
Responsibility isn’t about scale, it’s about intent
Cyber Rebels doesn’t manufacture products or run energy-intensive infrastructure. We’re a training and education business, largely digital, with a deliberately low operational footprint. From the outside, it would be reasonable to assume that environmental impact simply isn’t a major concern for a company like ours.
But impact isn’t only about volume. It’s about habits, decisions, and patterns of behaviour — the same things we talk about every day in cybersecurity training.
How often do we travel when we don’t need to? How do we choose suppliers and tools? What do we store, duplicate, or retain unnecessarily? How do we balance convenience against long-term cost, both financial and environmental?
These are small decisions in isolation, but they add up over time. Ignoring them because the business is “small” didn’t align with the standards we expect elsewhere.
Why certification mattered more than a policy
It would have been easy to write an environmental policy, publish it on the website, and move on. Many organisations do exactly that, often with good intentions. But policies without accountability tend to drift into the background — well-worded, rarely revisited, and disconnected from day-to-day practice.
Green Small Business certification offered something more useful: structure.
The process required us to clearly articulate how we think about environmental responsibility, where our actual impact sits, what reasonable improvement looks like for a business of our size, and how we document, review, and act on those decisions.
Crucially, it required us to back that thinking up with an action plan, not just statements of intent. That mattered more to us than the certificate itself.
A natural extension of our ethical approach
Much of our work exists in spaces where trust is essential. Safeguarding, online safety, cybersecurity awareness, and data protection all depend on people believing that the organisation delivering the training takes responsibility seriously.
Ethical practice isn’t something we bolt on after the fact. It informs how we design sessions, how we talk about risk, and how we interact with learners. We avoid fear-based messaging, we respect boundaries, and we’re careful not to exaggerate threats for effect. Sustainability fits naturally into that mindset.
It’s the same principle applied in a different direction: think long-term, minimise harm, and take responsibility for the consequences of your choices.
Keeping it proportionate and honest
We’re also very conscious of not overstating what this certification represents.
Green Small Business certification doesn’t mean that Cyber Rebels has a large environmental footprint, nor does it mean that sustainability is the core focus of our work. What it does mean is that we’ve taken a considered, proportionate approach to environmental responsibility — one that reflects the reality of how we operate rather than an aspirational image.
That distinction matters. Over-claiming erodes trust, particularly in sectors like education and public service where scrutiny is rightly high. Our aim has always been to be transparent rather than impressive.
Practical changes, not symbolic gestures
The most valuable part of the process wasn’t the final recognition, but the reflection it prompted.
We reviewed how we deliver training and reinforced digital-first delivery where appropriate, reducing unnecessary travel. We looked at how documentation is shared and stored, favouring digital formats and reducing duplication. We reviewed suppliers, tools, and platforms with an eye on efficiency rather than novelty.
None of these changes are dramatic on their own, but they’re realistic, sustainable, and repeatable — which is exactly the point.
Why we’re talking about it publicly
We don’t see this certification as something to promote aggressively, and we’re cautious about turning it into a marketing message. But we do believe in transparency.
Many of the organisations we work with — schools, charities, SMEs, public-sector teams — are under increasing pressure to demonstrate good governance, ethical behaviour, and sustainability. Often, they’re navigating these expectations with limited time and resources, trying to balance responsibility with practicality.
By sharing why we chose to pursue Green Small Business certification, we’re not positioning ourselves as an example to follow, but as a small organisation that’s thinking carefully about how values translate into action.
A continuing commitment, not a completed task
Certification isn’t an endpoint. If anything, it’s a reminder to keep revisiting the same questions as the business evolves. What makes sense now may not be enough in two years’ time. As our services expand or change, so too should the way we think about responsibility and impact.
That mindset — review, reflect, adjust — mirrors how we approach cybersecurity education itself. Threats change. Behaviours drift. Assumptions need challenging. Improvement is ongoing, not something you complete once and forget.
Green Small Business certification is one small part of a broader commitment to operating responsibly, ethically, and with intention. It sits alongside our safeguarding practices, our data protection approach, and our emphasis on human-first, behaviour-based training.
Not as a headline achievement, but as another quiet decision to do things properly.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
