Infosecurity Europe
4-6 June 2024
ExCeL London

UK Cyber Essentials. What Is It Good For? 

After surveying attendees at Infosecurity Europe 2023, Lookout found that 40% of security pros have no clue about UK Cyber Essentials

Only 28% of organisations had fully implemented Cyber Essentials and many admitted they were unfamiliar with the scheme, according to those surveyed by cybersecurity firm Lookout during Infosecurity Europe 2023.

Lookout surveyed 246 security professionals who visited its stand at the event. The company said that, of those that had not implemented the scheme, over half (58%) cited a lack of awareness or understanding as the reason why their organisation had not done so.

Speaking to Infosecurity about the findings, Bastien Bobe, Field CTO EMEA at Lookout, said: “I think this low implementation rate of the framework is likely due to a lack of time and resources among cybersecurity teams in general. IT engineers are often overworked and under pressure, which makes it difficult for them to keep up with the latest cybersecurity threats and best practices.”

According to a UK government report published in April 2023, only 14% of businesses and 15% of charities are aware of the Cyber Essentials scheme – although this rises to 50% of medium businesses and 59% of large businesses.

Other barriers to accreditation noted by Bobe include the cost, which he said can be a barrier for small businesses and organisations with limited resources.

The government research also found that many of those organisations that choose to get accredited only do so because they have to fulfil contractual requirements with public sector clients.

What is UK Cyber Essentials?

The NCSC Cyber Essentials scheme is a UK government-backed programme that aims to help UK organisations improve their cyber resiliency against the most common cyber-attacks. There are two levels of certification provided by Cyber Essentials, a basic level and ‘plus’, which organisations can achieve when showing commitment to cybersecurity.

The scheme was first launched in 2014 in a bid to improve baseline security among UK organisations.

Bobe explained: “The certification is simply a validation of the cybersecurity best practices that any company should implement by default as soon as they use an IT system. It will not be able to protect companies targeted by advanced cyber-attacks, but it will significantly reduce the risk of exposure for most of them.”

The NCSC’s Cyber Essentials Partner, the IASME consortium, can help organisations to get certified.



Why Should You Get Cyber Essentials?

  • Reassure customers that you are working to secure your IT against cyber-attacks
  • Attract new business with the promise you have cybersecurity measures in place
  • You have a clear picture of your organisation's cybersecurity level
  • Some UK Government contracts require Cyber Essentials certification

Securing the Supply Chain 

One of the main aims of Cyber Essentials is to help secure the supply chain, but Lookout’s survey of Infosecurity Europe attendees found that 41% would still choose to partner with a supplier if they were not accredited, stating it's not a deal breaker.

Third-party software vulnerabilities have grown significantly in recent years, with the SolarWinds, MOVEit and Ivanti attacks being recent examples of such incidents.

Commenting on this finding, Bobe said: “I think some organizations may not be aware of the importance of security accreditation and it's not only valid for Cyber Essentials. They may not understand that the supply chain is one of the most common entry points for cyber-attacks.

“Additionally, as far as I know, there are no financial penalties if your company is not accredited, so if top management does not perceive cyber threats as a significant risk, they may not see the value in investing in any security accreditation that does not carry financial penalties for non-compliance or breaches,” he added.  




How Can Cyber Essentials Change? 

Given the findings from both Lookout and the UK Government, there is room to improve the Cyber Essentials scheme in order to enhance adoption.

The UK Government’s review made several recommendations for DSIT, IASME and NCSC:

  • Increase awareness about security threats and present users with an informed choice about the best solutions for them
  • Improve information, tools and guidance for current and prospective users
  • Provide more tailored information to different types and sizes of businesses
  • Consider adapting Cyber Essentials to be more responsive to current users’ needs
  • Strengthen robustness and transparency
