Key takeaways from the Cyber Essentials Impact Evaluation Report
As anyone in the cybersecurity industry knows, October marks an important anniversary for the sector: the government-backed Cyber Essentials scheme turns 10 this year. Alongside a bunting-draped celebration at the House of Lords, the Department for Science, Innovation and Technology (DSIT) has commissioned the Cyber Essentials Impact Evaluation Report. Undertaken by Pye Tait Consulting, the study examines the scheme's effectiveness, organisations' motivations for certification, and the ease of adopting its technical controls. However, the report is also 110 pages long. So, to save you several hours, here are our key takeaways.
Cyber Essentials technical controls boost cyber confidence
The study reveals that Cyber Essentials' five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) are remarkably effective. Citing research on the controls, it concludes that, when implemented correctly, they mitigate 99% of 'internet-originating' vulnerabilities.
This isn't really news. Researchers at Lancaster University reached the same conclusion as far back as 2015. What's far more interesting is how Cyber Essentials makes business leaders feel. A significant majority (82%) of users express confidence that these controls protect against common cyber threats, and 80% believe they help mitigate organisational risks. In other words, Cyber Essentials is a key step towards building cyber confidence.
Cyber Essentials has been effective in building cyber awareness
Cyber Essentials was always intended to do more than help businesses put technical controls in place. The plan was that, by completing the assessment process, organisations would also become more aware of the threats and better equipped to counter them. Cyber Essentials has been a success by this measure too. The report reveals that Cyber Essentials users have a heightened ability to identify unsophisticated cyberattacks, with 64% agreeing that certification aids in this identification. And that's not all. Certified organisations also demonstrate greater concern about cyberattacks and better appreciate their potential impact than non-certified organisations. The same is true of their understanding of cybersecurity: 85% of users reported an improved understanding of cyber risks, and 88% an improved understanding of how to reduce them. Perhaps most importantly, this positive trend was most notable among senior management, with 86% saying Cyber Essentials has improved their understanding.
Cyber Essentials stimulates wider security practices
Another of the original aims of Cyber Essentials was that it would act as a catalyst for bigger things. Think of it as a strong foundation that businesses could build the rest of their security architecture on top of.
Again, the study finds that the scheme has been largely successful at doing just that. Some 76% of certified organisations have taken additional steps beyond the technical controls to enhance their cybersecurity. Alongside this, almost three-quarters (71%) of respondents agreed that the scheme has strengthened how seriously they take cybersecurity. And, hearteningly, this has helped foster a culture of shared responsibility for cybersecurity within their organisations, encouraging regular discussions and proactive measures.
Cyber Essentials as a supply chain assurance tool
There's also some evidence that Cyber Essentials has taken on additional roles over its ten-year lifespan. For example, it is increasingly used as a supply chain assurance tool. Those surveyed revealed that a third (33%) of all contracts they've entered into in the last year required them to be Cyber Essentials certified. What's more, a growing number of businesses are setting the same obligation for their own suppliers. Some 15% of Cyber Essentials users have made certification mandatory for their suppliers and plan to continue doing so, while a further third (33%) are actively considering mandating Cyber Essentials in the future.
However, there is definitely room for improvement here. Just under half of Cyber Essentials users (45%) take certification into account when assessing the cyber risk a supplier poses, so we have some way to go before Cyber Essentials can be considered a universal stamp of assurance for suppliers.
The scheme has created value beyond security for businesses
One of the biggest historical barriers to Cyber Essentials adoption, particularly among small businesses, has been value for money. It's not uncommon for those new to the scheme to ask 'Do I really need this?' Nevertheless, those who've taken up Cyber Essentials certification have been overwhelmingly positive about the commercial benefits: 69% of respondents noticed increased competitiveness post-certification, and 80% agreed that being certified can reduce the financial cost to their organisation of a common, unsophisticated cyberattack.
There's also some evidence that Cyber Essentials has a positive impact on businesses' cyber insurance costs. Firstly, through the bundled (and often free) insurance offered alongside Cyber Essentials by many certification providers. And secondly, because certified organisations make far fewer claims. The report cites the National Cyber Security Centre's 2023 Annual Review, which found that organisations with Cyber Essentials in place made 80% fewer cyber insurance claims than organisations on the same insurance policy without certification.
There is still room for improvement
Despite the positive findings of the report, it does have a blind spot. Although general cyber awareness among Cyber Essentials users is excellent, it's debatable whether the same is true across the wider business community. The 2024 Cyber Security Breaches Survey, published by DSIT, revealed that awareness of Cyber Essentials has actually declined in recent years. Just 12% of businesses and 11% of charities are aware of the scheme. This is consistent with the 2023 figures but represents a decrease over the past two to three years. Plus, while 141,712 certificates have been issued and thousands of businesses have adopted the scheme, this represents only a small fraction of the UK's estimated 5.6 million businesses.
In short, we have an awareness problem. The report does list wider-reaching marketing campaigns among its recommendations, so it’s great to see that DSIT recognises the problem. But for the cybersecurity community, our mission is clear. Given the huge benefits felt by those who’ve already adopted Cyber Essentials, we need to reach more businesses and generate greater awareness of the scheme and security measures beyond it.
Achieve that and we'll have helped build a far safer online environment for UK businesses by the time Cyber Essentials hits 20.
Business Consultant at ADNS Group. We help hundreds of businesses in the North East to improve their productivity and to reduce IT-related risk. We can help you too! Get in touch with me on 01642 130 784.