How does Cyber Essentials address risk?

Feb 4, 2026 | Cyber Essentials

The reality of cyber risk: Understanding commodity attacks

A widespread misconception, particularly among small and medium-sized enterprises (SMEs), is that they are not at risk of cyber attacks because they are not high-profile targets. In reality, most cyber attacks are automated, high volume and indiscriminate, designed to exploit common vulnerabilities rather than specific organisations. These common untargeted attacks are known as commodity cyber attacks.

Commodity attacks are carried out by opportunistic criminals using readily available tools to exploit weaknesses such as outdated software, poorly configured accounts, and unsupported systems. These attacks are not about targeting high-value organisations but rather about finding easy entry points—similar to a burglar looking for an unlocked door or open window.

Without basic security measures in place, organisations of all sizes are vulnerable to these attacks. The consequences can be severe, ranging from financial losses to reputational damage and erosion of trust among customers and supply chain partners.

The genesis of the Cyber Essentials scheme

Over a decade ago, CESG (the Communications-Electronics Security Group), the information security arm of GCHQ and a precursor to the National Cyber Security Centre (NCSC), developed the “10 Steps to Cyber Security.” This guidance aimed to help organisations protect themselves against cyber threats. While well-received, many organisations still sought clearer, actionable advice, often asking, “What do we actually need to do?”

In response, the government collaborated with industry experts to identify the most common cyber threats (commodity attacks) and the technical measures required to mitigate them. Drawing on their expertise and analysis of past incidents, they distilled these measures into five essential technical controls. These controls became the foundation of the Cyber Essentials scheme, designed to help organisations of all sizes reduce their risk of falling victim.

Despite rapid technological advancements, these five controls remain as relevant today as they were a decade ago. Most cyber attacks exploit basic vulnerabilities, and even sophisticated attacks often begin with something as simple as a phishing email. By implementing these controls, organisations can significantly reduce their exposure to common threats.

Establishing a baseline

The Cyber Essentials scheme provides a clear, actionable framework to help organisations protect themselves against the most common cyber threats. Unlike the internationally recognised ISO 27001 standard*, which requires organisations to understand and assess their own risks and determine their individual risk appetite, Cyber Essentials takes a different approach.

The UK Government has already conducted a comprehensive risk assessment, considering the threat of commodity cyber attacks, and has defined an acceptable level of risk. Based on this assessment, they identified the five core technical controls that all organisations must implement to reduce their exposure to common internet threats. These controls include:

1. Secure configuration

Set up computers securely to minimise ways that a cyber criminal can find a way in

2. User access control

Control who can access your data and services and what level of access they have

3. Malware protection

Identify and immobilise viruses or other malicious software before it has a chance to cause harm

4. Security update management

Prevent cyber criminals using vulnerabilities they find in software as an access point to your systems

5. Firewalls

Create a security filter between the internet and your network

By mandating these controls, Cyber Essentials establishes a consistent baseline of security across all certified organisations. This is particularly important for government contracts, where the government, as the data owner, requires a foundational level of security to protect sensitive information that is not dependent on the risk appetite of individual organisations.

For more assurance, Cyber Essentials Plus includes a technical audit to verify the effective implementation of the controls.

Proven effectiveness and continuous improvement

Since its launch in 2014, Cyber Essentials has proven to be highly effective in reducing the impact of cyber attacks. In contrast to other cyber security standards, there is reliable data that proves the efficacy of the controls. Insurance data tells us that organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance than those without.

Additionally, one of the UK’s largest pensions and life companies, St. James’s Place, mandated Cyber Essentials Plus certification for over 2,800 independent businesses in its network. They saw an 80% reduction in cyber security incidents.

Why Cyber Essentials matters

In recent years, there has been a significant increase in cyber attacks resulting from vulnerabilities within supply chains. Cyber Essentials certification can be used as an indispensable tool for reducing these risks. The scheme provides a standardised, affordable, and effective means of assessing and improving the cyber resilience of suppliers, both domestically and globally, and can be strategically integrated into the supply chain risk management process.

By consistently implementing foundational cyber security measures, organisations not only strengthen their own defences but, when adopted at scale, also contribute to fortifying the overall resilience of the UK economy.

*Read the NCSC blog that explores whether an equivalent cyber security standard can deliver the same outcomes as the Cyber Essentials scheme: Cyber Essentials: are there any alternative standards? – NCSC.GOV.UK