Cyber Essentials awareness low but importance high
20th December 2018
Four years after Cyber Essentials was first launched, only nine per cent of UK businesses are aware of the government’s flagship cyber security scheme. The Cyber Security Breaches Survey 2018 confirms that, despite over four in ten firms experiencing a cyber breach, awareness of Cyber Essentials is at its lowest level since 2015. Looking at the figures for all UK organisations, only four per cent of businesses and two per cent of charities are certified for the Cyber Essentials standards.
What is Cyber Essentials?
The Cyber Essentials scheme is designed to help UK organisations improve their cyber security defences and publicly demonstrate their security commitment to their customers and stakeholders. Launched by the UK Government in 2014, the scheme awards Cyber Essentials and Cyber Essentials Plus certificates to organisations who can prove they have implemented five groups of security control measures. These controls include firewalls, secure configuration, access control, malware protection and patch management.
Why is awareness of this scheme so poor?
The Cyber Security Breaches Survey 2018 report found that most organisations surveyed had not seen any publicity about Cyber Essentials. Some had no idea that the Government provided any cyber security advice at all. Other firms that were aware of the scheme indicated that they thought Cyber Essentials was too basic or not tailored to their business needs.
Not just a box-ticking exercise
While the uptake of Cyber Essentials certification has been low, the scheme is acknowledged by business leaders as a significant aid in helping any company achieve a basic level of effective cyber protection. It also allows firms to demonstrate to their customers that they take cyber security seriously. Cyber security is increasingly seen as providing a huge competitive advantage in retail and consumer markets. For many smaller firms, Cyber Essentials is the first step to achieving compliance with other business-critical standards such as PCI DSS and ISO 27001.
How to achieve Cyber Essentials
The basic Cyber Essentials certification process requires the completion of a self-assessment questionnaire (SAQ). It is recommended for organisations that need the minimum level of security and whose staff are office-based. Cyber Essentials Plus includes the requirements for Cyber Essentials and an additional technical assessment. It is recommended for larger organisations that have office-based staff, remote workers and third-party contractors. The nature of the technical assessment depends upon the Accreditation Body and usually consists of a vulnerability scan or full penetration test.
Who awards the certificate?
Five Accreditation Bodies have been appointed to manage the Cyber Essentials scheme. These include APMG International, CREST, IASME, IRM and QC Management Standards. Each of these organisations recruits and manages Certification Bodies who process the applications and award the certificates. Cyber Essentials must be re-validated every twelve months by the original Certification Body.
The benefits of Cyber Essentials certification
- Protect your organisation from approximately 80% of cyber attacks
- Prove to your customers that you take cyber security seriously
- Win new business by confirming you have cyber security measures in place
- Satisfy the minimum security requirement for local government and HMG contracts
- Reduce the cost of cyber insurance premiums
Wizard Cyber helps organisations achieve Cyber Essentials or Cyber Essentials Plus certification at the first attempt. We first review the status of the existing cyber security controls and, if required, assist in the implementation and configuration of additional measures. We then help in the completion of the technical and complex self-assessment questionnaire (SAQ). For Cyber Essentials Plus, we also perform the penetration test and prepare for the on-site visit by an approved Certification Body.