Could Cyber Essentials be changing for the better?

According to a report published by the Department of Science and Information Technology (DSIT) in late June, Cyber Essentials and Cyber Essentials Plus could be improved if its recommendations are carried out by the bodies involved – DSIT, National Cyber Security Centre (NCSC) and the ISAME Consortium who runs the scheme.

The government-owned Cyber Essentials scheme aims to help organisations of all sizes defend themselves against the most common cyber threats and reduce their online vulnerability.  It provides reassurance to organisations and their customers that systems are more resilient to basic cyber-attacks and aims to provide cost-effective, basic cyber security, via two levels of certification – Cyber Essentials and Cyber Essentials Plus.

The government is keen to increase the number of businesses which hold the certifications particularly as 34% of surveyed users stated that they became Cyber Essentials certified to comply with public sector contract requirements.  Ideally, a greater proportion of organisations would adopt Cyber Essentials for the value that it brings in building cyber resilience.

Worryingly, 64% of those surveyed had not heard of the scheme prior to being questioned.  Many organisations questioned (of all sizes), had also not heard of or considered schemes and standards such as ISO 27001 and National Institute of Standards and Technology (NIST).  Four in five surveyed organisations that have never held Cyber Essentials, however, consider cyber security to be very important to their organisation.

The following key recommendations were made by the authors of the report following analysis of the survey responses:

1. Increase basic awareness and understanding about security threats and provide users with an informed choice about the most appropriate solution for them
2. Improve information, tools and guidance aimed at current and potential users
3. Provide more tailored information to different types and sizes of organisation, and consider more targeted and high-profile marketing and communications
4. Consider the feasibility of adapting aspects of the Cyber Essentials scheme to be more responsive to current user needs
5. Commit to strengthening scheme robustness and transparency

Many organisations felt that Cyber Essentials could be better tailored to a wider variety of sectors and should reflect the size of the organisation.  Academic institutions, in particular, commented that Cyber Essentials has limited applicability to educational settings and therefore view it more as a ‘tick box’ exercise.  Larger organisations mentioned that the scale of their operations means they take a risk-based approach in addition to the general standard that Cyber Essentials enforces with some smaller organisations feeling that the process could be simplified.

Whilst the Cyber Essentials certification is not hugely onerous, if it is possible to make the scheme more accessible to organisations by carrying out these recommendations, it is hoped that more organisations will become Cyber Essentials and Cyber Essentials Plus certified.

Whether you would like to know more about Cyber Essentials specifically, or any other ways in which you can help protect your organisation from cyber threats, please give the team at the Business Cyber Centre a call.  We offer free advice and cost-effective solutions, because in business, cyber security isn’t an optional extra.