10 Years of Cyber Essentials: Impact evaluation
This year marks the 10th anniversary of the NCSC’s Cyber Essentials Certification Scheme. In celebration of this, the Department of Science, Innovation and Technology released an impact evaluation of the Cyber Essentials scheme.
The impact evaluation highlights the importance of adopting the Cyber Essentials scheme to an array of business types and sizes, especially SMEs.
Table of contents
- What is Cyber Essentials
- Cyber Essentials vs Cyber Essentials Plus
- Benefits of Cyber Essentials to SMEs
- Evaluation findings
- Final thoughts
What is Cyber Essentials?
Cyber Essentials is a government-backed program that helps organisations protect themselves from common cyber-attacks and reach a robust cyber security baseline. The program was introduced by the UK government in 2014, with two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials
- Self-assessment of the IT estate
- Improves cyber security through the scheme's requirements
- Accessible and affordable to businesses of all sizes
Cyber Essentials Plus
- Requires a full external audit from an IASME-assured auditor
- Proves that the organisation has implemented baseline security requirements of the Cyber Essentials scheme
- Gives confidence to customers and suppliers
Benefits of Cyber Essentials to SMEs
External assurance of cyber security stature
Obtaining a Cyber Essentials certification gives your clients a better understanding of your business's dedication to cyber security, showing that your business takes a proactive approach to protecting systems and sensitive information.
Deeper understanding and appreciation for cyber security
During the Cyber Essentials certification process, several points may be highlighted to bring your business into compliance with the certification. Even if your business currently has suitable high-level cyber security standards, there may be upgrades that can be implemented or areas that may not have been previously considered to be a weakness in your environment.
The Cyber Essentials scheme has been effective in providing cyber security protection to organisations of all sizes, improving an organisation's awareness and understanding of the cyber security risk environment.
Evaluation findings
The effectiveness of technical controls
The impact evaluation highlights the effectiveness of implemented technical controls from the Cyber Essentials certification. Data suggests that the scheme has been effective in providing a baseline for cyber security for businesses of all sizes.
Based on feedback from surveyed organisations, 82% were confident that the implementation of the technical controls required by Cyber Essentials had a positive impact on protecting their organisation from common cyber threats.
Awareness and understanding of cyber security and risks
Implementing the technical controls outlined in Cyber Essentials significantly enhances an organisation's cyber security. For organisations without prior measures in place, this process naturally raises user awareness of cyber security best practices.
While users may occasionally feel limited, these measures are designed to provide robust protection against simple and common cyber risks they might not have been previously aware of.
One main requirement of Cyber Essentials is that users do not have administrative rights on their daily user accounts. This prevents background processes from gaining administrative rights and makes it less likely that users will grant rogue applications administrative permissions without a second thought, as a lot of us would simply click “Yes” to allow an application to perform operations when an administrative prompt appears on the screen.
Multi-factor authentication
This is a requirement for all accounts, and although it adds an extra step for you to access your account, it does provide another layer of security. For example, should a threat actor manage to obtain your email address and password, they would need to pass the multi-factor authentication challenge to sign into your account successfully.
A common method of obtaining these credentials is through phishing emails, which are becoming more complex and difficult to spot. Some phishing attempts contain a link redirecting you to a malicious sign-in page for the relevant portal or application. The page prompts you to sign in using your credentials but does not sign you into anything.
Though the Cyber Essentials scheme increases user awareness, backing this with Cyber Awareness Training is very advantageous.
The evaluation found that there was a high level of confidence in an organisation's ability to protect itself from relatively simple cyber attacks such as phishing attacks.
Wider cyber security practices
As users and senior management become aware of cyber risks, good practices tend to become second nature, such as having to input multi-factor authentication when trying to access your account online.
Cyber Essentials highlights many technical controls and implements a robust cyber security baseline, and the evaluation found that organisations were taking further steps to implement other preventative measures.
Cyber Essentials is actively used as part of supply chain assurance, helping to inform supplier selection processes and demonstrate basic cyber standards to the market.
Protecting supply chains and markets
Protecting the supply chain is vital for your business. Ensuring that you are dealing with suppliers that take cyber security seriously will give your organisation confidence that your data is protected. Benefits of the scheme to your supply chain:
- Increases resilience while reducing compliance burdens in supply chains
- Encourages growth in the UK cyber security sector
15% of Cyber Essentials users surveyed have implemented further assurance measures for suppliers by making it a mandatory requirement for them to be Cyber Essentials Certified, with an additional 33% of those surveyed considering implementing the same measures in the future, bolstering their supply chain assurance process.
The impact evaluation concluded that Cyber Essentials is being actively used by users as a supply chain assurance tool to further manage potential cyber risks from their supply chain.
Final thoughts
By providing a clear framework for basic cyber security measures, the Cyber Essentials scheme has helped organisations mitigate common cyber threats and reduce vulnerabilities.
Implementing the Cyber Essentials scheme has spurred organisations to consider further preventative measures, adopt better practices, and improve cyber hygiene among their users. As the cyber risks are highlighted to users, they are becoming more vigilant when dealing with cyber security threats.
Cyber security requires perpetual management and maintenance, and as new threats emerge, we must all stay vigilant and follow best practices to protect our organisations' and clients' data. Because emerging threats are becoming increasingly complex, consistent evaluation of the implemented measures is necessary.