
5 Things We’ve Learned From 10 Years Of Cyber Essentials

Jamie Akhtar, CEO and cofounder of CyberSmart.

2014 seems like a lifetime ago, particularly in cybersecurity terms. In the 10 years since Cyber Essentials was launched in the U.K. on June 4th, 2014, the complexity of cyber threats and regulations that need to be considered has exploded. This makes it an excellent time to reflect on 10 years of Cyber Essentials.

The certification was aimed at helping businesses “guard against the most common cyber threats and demonstrate their commitment to cybersecurity.” The scheme emphasizes five key technical controls: firewalls, secure configuration, user access control, malware protection and patch management.

Despite this, small businesses are still frequent targets of cybercrime, making it crucial to evaluate the effectiveness of Cyber Essentials in achieving its primary goal: protecting U.K. businesses, especially small ones, from cyber threats. Here are five things we’ve learned from a decade of Cyber Essentials.

1. Cyber Essentials Remains An Excellent Security Baseline

Overall, Cyber Essentials has succeeded in helping many organizations establish fundamental cybersecurity practices. In the realm of law enforcement and cybercrime investigation, a common reason for breaches is the absence of basic controls, making businesses easy targets for less sophisticated cybercriminals. These attackers, often using simple phishing or ransomware kits, prey on vulnerable businesses.

Cyber Essentials and its suggested frameworks have proven effective in defending against these basic cyberattacks, which SMEs frequently face. Although the measures recommended by Cyber Essentials might not fully protect against more advanced and persistent threats, they provide essential defenses against everyday cybercrimes, which can be just as damaging for small businesses.

2. Awareness Of Cyber Essentials At 10 Is Fairly Low

Regrettably, Cyber Essentials has not been as successful in raising awareness. The 2024 Cyber Security Breaches Survey indicates a decline in awareness: only 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme. This is consistent with 2023 figures but represents a decrease over the past 2-3 years. Awareness is higher among medium businesses (43%) and large businesses (59%). It is possible—although not confirmed—that this shortfall could be reflective of reduced marketing activity for Cyber Essentials as it becomes a more established policy. Regardless, it is still somewhat lower than both the industry and the government at large would have hoped.

On a positive note, the survey revealed that while only 3% of businesses and charities directly adhere to Cyber Essentials, a more significant proportion (22% of companies and 14% of charities) report having technical controls in all five areas covered by the scheme.

3. There Is Still Significant Room For Improvement

Like any initiative, Cyber Essentials has room for improvement in both awareness and uptake. Although 141,712 U.K. SMEs have adopted the scheme, this represents only a small fraction of the U.K.’s 5.51 million SMEs. The Cyber Security Breaches Survey suggests that some organizations have similar frameworks in place, which is encouraging, but there remains a significant gap in the desired uptake.

Another significant gap is how Cyber Essentials has been marketed to MSPs and MSSPs. A substantial proportion of the organizations that Cyber Essentials was aimed at will use a managed service provider. In this regard, the government has failed to adequately partner with the MSP community to ensure they understand the importance of the framework and are appropriately empowered to deliver certification to their customers. This gap has been (partially) filled by the private sector but in both marketing capabilities and

4. The Certification Reflects The Industry’s Shortcomings

This gap highlights a broader issue within the cybersecurity industry: SMEs are often underserved. Their security concerns do not receive the same attention as those of larger enterprises. Consequently, educational efforts around Cyber Essentials and SME security have not been as extensive as those of larger organizations. This perpetuates the perception that cybersecurity is “too complex” for small businesses.

5. Changing This Narrative Remains As Important As Ever

The industry must challenge this narrative. While securing small businesses may yield slim profit margins and attract little media attention, Cyber Essentials can be the difference between survival and failure for the 99% of businesses that comprise the U.K. economy. The industry must prioritize educating and supporting SMEs in cybersecurity to ensure the widespread adoption of critical protective measures.

In conclusion, while Cyber Essentials has made notable progress in establishing basic cybersecurity measures, there is still much work to be done to increase awareness and adoption among SMEs. The security industry must address these gaps to ensure all businesses, regardless of size, can protect themselves against cyber threats.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


