The UK government has responded to several concerns about its Cyber Essentials scheme, noting that just 35,000 organizations have been certified across the country.
Operated by the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC), and delivered through the IASME Consortium, Cyber Essentials was launched nine years ago in a bid to improve baseline security among UK organizations.
However, while certifications have grown from fewer than 500 per month in January 2017 to just under 3500 in the month of January 2023, the number of organizations following the scheme is a tiny percentage of the estimated 5.5 million private sector businesses in the UK.
A DSIT evaluation of the scheme published late last week revealed several concerns. Some users said they don’t think the controls are relevant to their organization, for example.
“In terms of scheme implementation, strategic stakeholders (representatives from government and industry) stressed the challenge of the current ‘one-size-fits-all’ approach where there are quite different challenges to implementing cyber security measures by organizations of different types, sizes and sectors,” the report added.
“As such they advocate more in-built flexibilities where this would be possible.”
There were also divergent opinions over whether the scheme is good value for money. Although 58% said they agree, a quarter (26%) were ambivalent and a minority (16%) disagreed or strongly disagreed.
“All surveyed organizations were asked in what ways they think the Cyber Essentials scheme could be improved in the future, with suggestions falling into the following five main themes: i) better tailoring and scalability; ii) improvements in communication, guidance and support; iii) reduced cost; iv) quality and scrutiny of assessments; and v) synergy with other security schemes,” the report continued.
According to government figures, only 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – although this rises to 50% of medium businesses and 59% of large businesses.
The report expressed concerns that many of those organizations that choose to get accredited only do so because they have to fulfil contractual requirements with public sector clients.
The review made several recommendations for DSIT, IASME and NCSC:
- Increase awareness about security threats and present users with an informed choice about the best solutions for them
- Improve information, tools and guidance for current and prospective users
- Provide more tailored information to different types and sizes of business
- Consider adapting Cyber Essentials to be more responsive to current users’ needs
- Strengthen robustness and transparency