Why is Cyber Essentials important?

Apr 2, 2025 | Cyber Essentials

A decade of Cyber Essentials – the benefits and challenges of a rapidly growing scheme

It’s ten years since the UK Government launched Cyber Essentials to give organisations of all sizes a way to demonstrate they had the most important technical cyber security controls in place and to help make the UK the safest place to do business online. The annually renewable baseline cyber security scheme centres around five technical controls that help protect any organisation from the most common cyber attacks.

Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials but also includes a technical audit of the applicant’s IT systems to verify that the controls are in place. In this way, it gives more assurance that an organisation is complying with the scheme.

Cyber Essentials was always designed to have three functions

Protect: The scheme has been proven to reduce an organisation’s vulnerability to cyber attacks (including ransomware), and research from insurers shows that organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance than those without.

Educate: The responsibility for the cyber risk in any organisation belongs to the business owner and cannot be outsourced to anyone. For this reason, it is crucial that the people within the organisation actively engage in learning and understanding the essence of good security. Small steps that are inexpensive and simple can become embedded into an organisation’s everyday working practices, and this will develop a security-conscious culture. Many firms say that working towards the certification acts as a useful checklist to ensure they have not overlooked anything, and describe the process as highly educational.

Certify: The annual Cyber Essentials assessment is a useful process for an organisation to review its cyber security against an approved framework. A business can take control of its cyber risk and demonstrate to its customers and supply chain that it can be trusted with the information it holds. Today, Cyber Essentials is widely recognised as an industry standard and is frequently asked for when bidding for contracts or applying for funding.

Fortifying the Collective Cyber Resilience of the UK

Data has shown that the technical controls of Cyber Essentials mitigate the majority of high-volume, low-skill attacks perpetrated through the internet. Therefore, one of the easiest ways to make the UK more secure is to help organisations to implement the technical controls at scale across the country. Mass adoption of these measures remains the best way to defend against cyber threats.

Confronting the ostrich approach

In their 2024 Annual Review, the National Cyber Security Centre (NCSC) describe the current cyber threat landscape as ‘diffuse and dangerous’, where there is an increase in both the number of cyber incidents and the impact of those incidents. The majority of cyber attacks rely on techniques and vulnerabilities that are well known, and we have the knowledge and the capability to defend against them. Despite this, the NCSC believe that the severity of the threat facing the UK is – worryingly – underestimated by organisations from all sectors and right across the country, with basic cyber security practices too often ignored. Many organisations continue to bury their head in the sand and this level of denial puts pressure on the UK’s national cyber resilience.

The NCSC say that the UK needs to ‘wake up to the severity of the cyber threat’ and that ‘all organisations, public and private, need to see cyber security as both an essential part of operational resilience, and a driver for business growth’, rather than just a ‘necessary evil’.

Providing cyber security assurance in global supply chains

As digital supply chains become increasingly complex, robust but achievable cyber security requirements are crucial for managing the threats within the supply chain. It can be extremely challenging to assess the cyber security of suppliers, and Cyber Essentials certification provides a tangible way for organisations to gain confidence that their suppliers, or other third parties, have effectively implemented fundamental technical controls.

One compelling testament to the scheme’s efficacy comes from one of the UK’s largest pensions & life companies, St. James’s Place, who mandate Cyber Essentials Plus (CE+) across their partnership network of over 2,800 independent businesses.

“In such a large supply chain, this had its challenges, but the decision is already showing a positive impact. Security incident numbers have significantly reduced… we have seen around 80% reduction in cyber security incidents, which directly correlates to controls and best practice implemented through Cyber Essentials.”

Matthew Smith, Divisional Director of Cyber Security, St. James’s Place.

Growing the cyber security ecosystem throughout the UK

Cyber Essentials is also fuelling growth across the wider cyber security sector. Delivery Partner IASME license the Cyber Essentials assessment process to over 350 cyber security firms, known as ‘Certification Bodies’ (CBs), across the UK and Crown Dependencies. Cyber security experts within the CBs assess applications, conduct audits and issue certificates. 84% of these companies are micro or small businesses, and distribution includes all of the devolved nations, Crown Dependencies, areas with relatively few cyber security businesses and areas awaiting regeneration. The Cyber Essentials scheme gives the Certification Bodies the income and market to grow, with some of these organisations growing tenfold.