The UK government has urged more organizations to become Cyber Essentials Certified, highlighting the significant impact the scheme has had on preventing damaging attacks.
On the 10th anniversary since Cyber Essentials was introduced, the government published the results of an evaluation of the scheme’s effectiveness that was carried out in 2023.
The voluntary scheme, introduced in 2014, provides basic controls organizations should implement to mitigate the risk from common internet-based threats.
There are two levels of Cyber Essentials certification. The first, Cyber Essentials, is a basic, verified self-assessment option centered around five technical control areas. These are firewalls, secure segmentation, user access control, malware protection and security update management.
The second is Cyber Essentials Plus, which is based on the same five technical control areas, with addition of independent testing and sampling of the organization’s infrastructure to verify compliance.
In June 2023, the UK government revealed that just 35,000 organizations have been certified across the country.
Positive Impact of Cyber Essentials
Most Cyber Essential users (82%) surveyed for the impact evaluation said they were confident that the technical controls provide protection against common cyber threats. A similar proportion (80%) believe the controls help to mitigate cybersecurity risks within their organization.
The report also cited an evaluation of the scheme in 2015, which found that 99% of internet-originating vulnerabilities are mitigated using the technical controls and none mitigated without them.
For over half (53%) of Cyber Essentials users, the scheme appears to provide the only form of external assurance for their cybersecurity. Additionally, almost three-quarters of organizations that have never obtained Cyber Essentials are not using any other security scheme, standards and principles.
In addition, 85% of Cyber Essentials users believe the scheme has directly improved their understanding of cybersecurity risks, while an even greater proportion (88%) believe that the scheme has directly improved their understanding of the steps they can take to reducing those risks.
Read now: UK Government: 75% of UK Businesses Experienced a Cyber Incident in 2023
The analysis also found evidence that implementing Cyber Essentials controls helps to catalyze wider operational and behavioral change. For example, 76% of users reported having taken additional preventative actions beyond the Cyber Essentials technical controls.
Most (86%) believe the scheme has directly strengthened their senior management’s understanding of the risks posed by cyber-attacks.
Commenting on the findings, National Cyber Security Centre (NCSC) Deputy Director for Cyber Growth, Chris Ensor, said: “As the cyber threat landscape evolves, attackers continue to exploit the same vulnerabilities which they targeted back in 2014, when the Cyber Essentials scheme was first launched. That’s why I strongly urge all organizations to make Cyber Essentials a foundational part of their cyber resilience.”
He added: “The data is clear, implementing the five controls significantly lowers the risk of experiencing a cyber incident. For organizations lacking the necessary in-house expertise, support is readily available through companies offering the NCSC-recognized Cyber Advisor Service.”
Growing Recognition of Cyber Essentials
The most common reason (35% of users) why organizations become Cyber Essentials certified is that the scheme was mandated in government contracts.
Users also reported that 33% of all contracts they entered into over the preceding 12 months required them to be Cyber Essentials certified.
Another notable finding was that 15% of users have made it mandatory for their suppliers to become Cyber Essentials certified and plan to continue doing so. A further 33% are actively considering mandating Cyber Essentials in the future, while 45% take Cyber Essentials into account when assessing the cyber risk that a supplier poses to them.
These figures suggest that these technical controls are acting as a benchmark as part of supply chain assurance.
Additionally, 69% of Cyber Essentials users believe the certification has increased their market competitiveness, including experiencing increased commercial activity since becoming certified.