
Cyber Essentials at 10: Success or failure?

The Cyber Essentials scheme passed its 10th anniversary in June 2024. CyberSmart's Adam Pilton reflects on progress and argues that more needs to be done to raise security awareness among Britain's small business community

Cyber Essentials was launched in the UK to much fanfare in June 2014, aiming to help businesses “to guard against the most common cyber threats and demonstrate your commitment to cyber security”. It focuses on five areas of broad ‘technical controls’: firewalls, secure configuration, user access control, malware protection and patch management.

Since the scheme was introduced, IASME has reported that 132,094 Cyber Essentials certificates have been awarded. Yet, small businesses remain targeted by cyber crime with alarming regularity. In fact, 43% of cyber attacks target SME businesses, and 60% are out of business within six months of a cyber attack. This means it remains critical for the security industry to assess the successes and failures of Cyber Essentials as they relate to the core aim of the certification scheme: To keep UK businesses, particularly small businesses, safe from the effects of cyber crime.

Cyber Essentials as a baseline

In the broadest possible terms, Cyber Essentials has been successful. This is because it has helped many organisations get cyber security basics in place.

When working in law enforcement to protect and investigate cyber crime, one of the major contributing factors to an organisation being breached, or otherwise hit by cyber criminal activity, was that they did not have the basic controls in place. This led to them being viewed by cyber criminals as low-hanging fruit that could be targeted by actors on the lower end of the sophistication spectrum, which is to say, threat actors who have simply downloaded a phishing or ransomware kit and are trying their luck.

Cyber Essentials, and the associated frameworks it suggests, have managed to protect against the basic forms of cyber attacks to which SMEs routinely fall victim. While it is unlikely that the frameworks suggested by Cyber Essentials would protect an organisation entirely from attacks on the more persistent, sophisticated end, the scheme has provided organisations with the ammunition to defend against the more everyday instances of cyber crime, which for a small business can be just as devastating as the sophisticated ones.

Cyber Essentials awareness

Unfortunately, Cyber Essentials has been somewhat less successful on the awareness front. The recent Cyber Security Breaches Survey 2024 suggested that awareness of Cyber Essentials is declining; 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, consistent with 2023 but representing a decline over the last two or three years. Awareness is higher among medium businesses (43%) and large businesses (59%). This is significantly behind where we’d like it to be and could reflect the declining marketing budget associated with Cyber Essentials.

However, the survey also contained some positive news. Although only 3% of businesses and charities report adhering to Cyber Essentials directly, a much higher proportion (22% of businesses and 14% of charities) report having technical controls in all five of the areas covered by Cyber Essentials.

Room for improvement: Cyber Essentials and the cyber security industry

As with any scheme or framework such as Cyber Essentials, there is room for improvement, in both awareness and uptake. 130,000 UK SMEs have taken advantage of Cyber Essentials, but this remains only a fraction of the UK’s 5.51 million SMEs. That the Cyber Security Breaches Survey suggests some have frameworks adjacent to Cyber Essentials in place is encouraging, but it still leaves a significant gap between the current position and the kind of uptake the scheme would have hoped for.

This, unfortunately, is reflective of a wider problem within the cyber security industry. SMEs are chronically underserviced, and their concerns from a security perspective do not generate the same kind of attention as those of an enterprise. As such, the educational work around Cyber Essentials, and SME security more generally, hasn’t been done to the same level as it has for enterprise organisations. This means the perception of security as ‘too complex’ for small businesses persists.

It’s important that the industry as a whole combat this narrative. While the profit margins on securing small businesses may not be as seismic, and the breaches and security incidents less likely to be of interest to the press, Cyber Essentials can represent the difference between survival and failure for the 99% of businesses that make up the UK’s economy.

Adam Pilton is a cyber security consultant at CyberSmart and former detective sergeant investigating cyber crime at Dorset Police.
