Mitigating Cyber Risks: Why Cyber Essentials Matters More Than Ever

According to the Department for Science, Innovation & Technology’s (DSIT’s) Cyber security breaches survey 2024, 50% of businesses reported experiencing some form of cyber security breach or attack from April 2023-2024.  For medium-sized businesses, this rate rises to 70%, and to 74% for large businesses.  DSIT estimates that the most disruptive breach faced by a medium or large business in this period came with an average cost of £10,830.  Meanwhile, the National Cyber Security Centre’s (NCSC’s) Annual Review 2024 revealed that, in 2024, its Incident Management (IM) Team received 1,957 reports of cyber attacks, which were triaged into 430 incidents that required support from the IM Team – up 16% from last year.

So, the scale of the current problem cannot be underestimated, nor can the potential cost to organisations.  The NCSC has said that ‘the severity of the risk facing the UK is being widely underestimated, and that the cyber security of critical infrastructure, supply chains and the public sector must improve. There is a growing disparity between the resilience of our infrastructure and the threat we face’.  

‍

‍

Looking to the future, these problems are almost certainly going to intensify.  The sophistication of technology, including AI technology, will continue to increase, and so too will the sophistication of the attacks that leverage it, as well as the complexity of the threat landscape.  Meanwhile, the number and availability of advanced cyber intrusion tools that facilitate attacks are also highly likely to grow significantly, in tandem with a decrease in the level of skill required to utilise them, therefore widening the pool of individuals and groups that have the tools at their disposal to carry out malicious activities.

Whilst the pervasiveness of cyber security breaches may suggest otherwise, preventing the majority of cyber attacks does not pose a significant technical challenge, with most relying on methods and vulnerabilities that are well recognised and understood.  According to the NCSC, ‘too many organisations are not implementing the most basic protective measures…millions of organisations are leaving themselves open to cyber attacks that we know how to prevent’.  As such, the problem is not an inability of organisations to protect themselves against the cyber threat, but a lack of awareness of the importance of doing so.  

How, then, can your organisation go about safeguarding its information and digital assets against attackers, and ensuring it avoids the many financial, reputational and even legal consequences associated with a cyber breach?  One of the most effective places to start is by certifying to the Cyber Essentials scheme.  Developed and endorsed by the NCSC and managed by its delivery partner, IASME, Cyber Essentials is aimed at offering a framework of fundamental security controls that organisations can implement to protect themselves against 80% of the most common internet-based cyber threats.

‍

Implementation of Cyber Essentials’ requirements has been proven to tangibly reduce the risk of an organisation suffering a cyber attack, with businesses that implement the scheme being 92% less likely to make a claim on their cyber insurance than those that don’t.  Meanwhile, one major wealth management company that asked its network of partnership organisations to certify to Cyber Essentials Plus (the scheme’s audited qualification) witnessed an 80% reduction in cyber security incidents following implementation.  

To achieve this, the scheme requires you to implement technical controls across 5 control themes; secure configuration, firewalls, security update management, user access control and malware protection.  This is relatively straightforward for most organisations, with only 2% of attempted certifications resulting in a ‘fail’ (down from 2.45% in 2023).  As such, the benefits provided by Cyber Essentials certification will, in almost every case, far outweigh the level of effort required to achieve it.  

It is, therefore, perhaps unsurprising that uptake of Cyber Essentials is on the rise, and that certified organisations are almost unanimous in their recommendation of the scheme to other businesses like theirs (89%), with it providing a simple yet effective framework of measures to significantly mitigate cyber risk.  This reflects the scheme’s numerous advantages, including reduced vulnerability to cyber threats and improved confidence among clients and partners.  As more organisations adopt Cyber Essentials, they contribute to a broader culture of proactive cyber security, collectively strengthening the UK’s defences against cyber crime.