Last year, the UK Government's Cyber Essentials (CE) scheme celebrated its tenth anniversary, marking a decade of growth. The scheme is centred around five technical controls and is proven to protect organisations of all sizes from the most common cyber attacks.
The efficacy of Cyber Essentials
As technology advances and cyber threats evolve, the Cyber Essentials scheme continually adapts to stay effective. The National Cyber Security Centre (NCSC) and the Cyber Essentials Delivery Partner, IASME, conduct a comprehensive review and update of the scheme each year. During this process, feedback from customers and Assessors is considered, as well as changes in the IT landscape. The goal of this annual review is to ensure that Cyber Essentials remains relevant and effective, as well as an accessible and user-friendly scheme.
Research from insurers shows that organisations implementing the Cyber Essentials controls are 92 per cent less likely to make a claim on their cyber insurance than those which don’t have Cyber Essentials.
In its 2024 Annual Review, the National Cyber Security Centre described the current cyber threat landscape as ‘diffuse and dangerous’, with an increase in both the number of cyber incidents and the impact of those incidents. The majority of cyber attacks rely on techniques and vulnerabilities that are well known to us, and we have the knowledge and the capability to defend against them. Despite this, the NCSC believes that the severity of the threat facing the UK is underestimated by organisations in all sectors and locations, and that basic cyber security practices are often ignored.
The Cyber Essentials technical controls can stop the vast majority of commodity cyber attacks and form the minimum standard of security recommended by the NCSC. Mass adoption of Cyber Essentials will significantly help improve the cyber resilience of the UK at scale.
Cyber Essentials as a supply chain assurance tool
Cyber security in supply chains has long been a significant challenge. Traditionally, large organisations have imposed their enterprise security requirements on small suppliers, often overwhelming them with complex and varied security questionnaires. Small companies working with multiple enterprise clients face the time-consuming burden of completing these forms.
Recently, larger organisations have started to recognise the Cyber Essentials scheme as a straightforward way to establish a baseline level of cyber security within the supply chain. Certification provides a tangible way for organisations of all sizes to gain confidence that their suppliers, or other third parties, have effectively implemented fundamental technical controls.
Organisations that require their suppliers or other third parties to have Cyber Essentials are proven to reduce the number of cyber incidents across their network. Compelling evidence of the scheme’s efficacy as a supplier security tool comes from the wealth management firm St. James’s Place (SJP).
In 2023, SJP began mandating *Cyber Essentials Plus (CE+) certification across their network of partner organisations.
Matthew Smith, divisional director of cyber security, SJP said: “Security incident numbers have significantly reduced within the Partnership since 2023, evidencing the value and effectiveness of having the core controls in place. To put into numbers, we have seen around an 80 per cent reduction in cybersecurity incidents, which directly correlates to controls and best practices implemented through CE+.”
Benefits of using Cyber Essentials as a supply chain tool
The tool gives confidence that a supplier has technical controls in place.
Through certification, an organisation can have their adherence to a set of criteria or standards independently verified. This enables them to provide a form of evidence, to anybody that asks for it, that a certain standard has been met.
It is affordable and achievable for all organisations.
Though there is a cost attached to achieving Cyber Essentials, it is comparatively inexpensive. The cost of the certificate is £320-600 for basic Cyber Essentials, and the approximate cost of CE+ starts from £2K depending on the size and complexity of the applicant’s network. Other certification schemes may be more costly, making them unattainable for many organisations.
It can also help to consolidate the lengthy security review process.
Organisations using Cyber Essentials within their supply chain risk management processes report increased efficiency and cost savings in the due diligence process. Requiring evidence of standardised minimum expectations reduces the time spent assessing suppliers. It is also helpful for the suppliers themselves, especially SMEs, who benefit from clear, tangible expectations rather than responding to long and complex or duplicate questionnaires.
Those using the tool can verify Cyber Essentials certifications across the supply chain.
Organisations can use the Cyber Essentials Certificate Search on the IASME website to verify the Cyber Essentials and Cyber Essentials Plus certification of individual supplier organisations.
For organisations with large supply chains, it is possible to submit a long list of suppliers to the Cyber Essentials Supplier Check Tool to find out which of them are certified to either Cyber Essentials or Cyber Essentials Plus. These search functions make it significantly easier for organisations to verify whether their suppliers are Cyber Essentials certified.
*Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials but also includes a technical audit of the IT systems to verify that the controls are in place.
Review the cyber security of your organisation against the five controls of Cyber Essentials with the free online Cyber Essentials Readiness Tool. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.