Cyber Essentials Scheme Celebrates 10 Successful Years
The government-backed Cyber Essentials certification scheme is celebrating its ten-year anniversary. The initiative was launched by the National Cyber Security Centre (NCSC) in 2014 to protect businesses and organisations from the most common cyber attacks and security threats.
As it enters its tenth year, the programme has proved to be successful, with over 190,000 Cyber Essentials certificates issued, and a sharply growing uptake of the scheme in recent years. The certification is essential if you supply government or public bodies, and working with cyber security support services can help to provide the highest level of protection.
The NCSC Deputy Director for Cyber Growth, Chris Ensor, said: “As the cyber threat landscape evolves, attackers continue to exploit the same vulnerabilities which they targeted back in 2014, when the Cyber Essentials scheme was first launched. That’s why I strongly urge all organisations to make Cyber Essentials a foundational part of their cyber resilience.”
“The data is clear, implementing the five controls significantly lowers the risk of experiencing a cyber incident. For organisations lacking the necessary in-house expertise, support is readily available through companies offering the NCSC-recognised Cyber Advisor Service.”
What does the Cyber Essentials programme involve?
The Cyber Essentials programme has five core components: firewalls and internet gateways; secure configuration; access control measures; malware protection; and patch management. To achieve certification, your business will need to meet certain requirements and standards in these five areas.
For the basic level of certification, you can complete a self-assessment of your IT infrastructure and submit evidence for review. To achieve the higher level of certification, the assessment will need to be carried out by a third party.
What are the benefits of Cyber Essentials certification?
As previously mentioned, the certification is obligatory if your business supplies government organisations or public bodies, and it is helpful for other compliance requirements such as GDPR. It also boosts credibility and trust in your business, and gives you peace of mind that your cyber security measures adhere to best practice.
A certification is evidence that your business is protected against the most common cyber threats, thus reducing your vulnerability to security breaches. This reduces the risk of disruption to business continuity, catastrophic data loss, financial loss, damage to reputation, and potential legal penalties.
The Cyber Security Minister, Feryal Clark, delivered a speech in the House of Lords to mark the ten-year anniversary of the programme, reflecting on its successes and highlighting the ongoing importance of Cyber Essentials to business and the economy.
Clark explained: “Recent insurance data shows us that organisations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it. Additionally, where organisations require their third parties to get Cyber Essentials, we know they experience fewer third party cyber incidents.”
Referring to an independent impact evaluation report into the scheme, Clark continued: “The evaluation concludes that Cyber Essentials is providing cyber security protection to organisations of all sizes. 82% of certified organisations are confident the controls provide protection against common cyber threats.”
She added: “It further concludes that Cyber Essentials is improving organisations’ awareness and understanding of the cyber security risk environment, enabling them to become more informed and confident in mitigating cyber risks.”
“We know it works, and we now need more organisations to embed the Cyber Essentials controls and grasp the economic benefits of secure digital adoption.”
How to access the Cyber Essentials programme
If you want to acquire the basic level of certification, you can complete a self-assessment questionnaire. You are strongly encouraged to review your IT infrastructure first to identify any gaps in your current security measures.
Consider aspects such as firewall protection levels, anti-malware tools, and access controls. You will need to submit evidence of adequate protection in order to receive the certification.
If you wish to have the highest level of certification, Cyber Essentials Plus, then it’s necessary to have a third-party review. This level may be required if you wish to pursue certain contracts, and it adds a further layer of credibility and trustworthiness to your business.
Once certified, it’s important to stay up to date with regular patches and updates to maintain standards and ensure the highest level of cybersecurity protection.