Cyber Essentials: Accessible Cyber Security for Organisations of All Sizes

Dec 3, 2025 | Cyber Essentials

From sole traders and charities to public institutions and global corporations, no organisation is immune to the growing threat of cyber attacks, which continue to rise in scale and complexity and cost the UK billions of pounds annually. Recent high-profile incidents underscore the scale and severity of the issue.

Against this backdrop, the UK Government is encouraging every organisation to achieve Cyber Essentials certification, a scheme that encompasses the minimum recommended baseline of cyber security. The scheme is centred around five core controls that, if implemented correctly, will protect any organisation from the majority of common cyber attacks.

Designed to be suitable for organisations of all sizes, the scheme provides a clear, actionable framework for improving cyber security.

The five core controls that matter

The UK Government conducted a cyber-risk assessment focused on ‘commodity attacks’: low-skilled cyber attacks from the internet that use easily available tools. From this assessment, it identified the five essential technical controls that need to be in place in any organisation to reduce this risk to acceptable levels. These controls are designed to address the vulnerabilities most frequently exploited by cyber criminals. By establishing a consistent baseline, the Cyber Essentials scheme ensures that all certified organisations have addressed the risk of these common attacks, regardless of their individual risk appetite.

Since the scheme’s launch in 2014, the Cyber Essentials controls have proven to be highly effective. The scheme is updated annually by the National Cyber Security Centre (NCSC) to address emerging threats and ensure its continued relevance and impact. Insurance data shows that organisations certified under Cyber Essentials are 92% less likely to make a claim on their cyber insurance compared to those without certification. By consistently implementing these controls, organisations can significantly reduce the risk of cyber attacks by closing common security gaps.

An independent impact evaluation revealed that 91% of Cyber Essentials users reported improved confidence in their ability to implement measures to reduce cyber security risks. Additionally, 86% stated that the scheme has enhanced their senior management’s understanding of the risks posed by cyber attacks.

The scheme requires all five controls to be implemented, an approach that ensures a uniform baseline of security across all certified organisations. For those seeking an additional layer of assurance, Cyber Essentials Plus includes a technical audit to verify the effective implementation of these controls. An alternative route is in development for large organisations (over 250 employees) that cannot meet these prescriptive controls but use alternative technical controls that provide verified equivalent protection.

Why Cyber Essentials is for everyone

Sole traders and micro-organisations

For sole traders and micro-businesses (organisations with fewer than 10 employees), navigating cyber security can feel overwhelming. However, Cyber Essentials is designed to be straightforward and achievable, even for those with limited technical expertise.

For example, a sole trader working from home might only need to secure a laptop, a mobile phone, and a few cloud services like Microsoft 365 or Dropbox. The scheme provides clear guidance on how to identify the scope of your business, secure your devices, and implement essential controls like multi-factor authentication.

Even if you outsource your IT, the responsibility for cyber security ultimately lies with you as the business owner. Cyber Essentials helps you take control by providing a framework to ensure your IT provider implements the necessary controls.

Small and medium-sized enterprises (SMEs)

SMEs often face unique challenges when it comes to cyber security. Limited budgets and resources can make it difficult to implement robust measures. Cyber Essentials addresses this by being both affordable and practical.

The cost of certification is just £320 to £600 + VAT for basic Cyber Essentials, depending on the size of your organisation. Certification can open doors for SMEs, as many government contracts and funding opportunities now require suppliers to be Cyber Essentials certified.

But Cyber Essentials is not just about meeting today’s challenges; it also prepares organisations for growth. By embedding good security practices into everyday operations, the scheme helps organisations develop a security-conscious culture that can adapt to evolving threats.

Large enterprises

For larger organisations, implementing Cyber Essentials at scale can be more complex, but it is no less valuable. The scheme provides a clear, standardised approach to cyber security that can be applied across multiple departments and locations. Mary Haigh, Director of Digital Delivery and Deputy Global CIO at BAE Systems, reports that after introducing Cyber Essentials across their organisation, they reduced their vulnerabilities eightfold.

Large enterprises often have extensive supply chains, which can introduce additional risks. Cyber Essentials certification simplifies the due diligence process and provides a tangible way to ensure that suppliers and third parties meet minimum cyber security standards. St. James’s Place, one of the UK’s largest pensions and life companies, mandated Cyber Essentials Plus certification for over 2,800 independent businesses in its network. Overnight, they saw an 80% reduction in cyber security incidents.

The IASME website offers certificate search tools to save time and effort in verifying the certification status of suppliers.

Get started with Cyber Essentials

For those new to cyber security, the Cyber Essentials Readiness Tool is an excellent starting point. This free online tool guides you through the requirements and provides a tailored action plan to help you prepare for certification.


Additionally, SMEs can take advantage of a free 30-minute consultation with an IASME Cyber Advisor. This session provides practical, jargon-free advice to help you improve your cyber security posture and navigate the certification process.
