The Department of Science, Innovation and Technology published an evaluation report on the Cyber Essentials scheme at the end of October 2024. 

Cyber Essentials is a government-backed scheme intended to help organisations across the UK protect themselves from common cyber attacks. Cyber attacks come in many shapes and sizes, but the majority are very basic in nature. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials is designed to provide advice to prevent these attacks. 

There are two levels of Cyber Essentials certification: 

  • Cyber Essentials, the basic, self-assessment option centred around five technical control areas; and 
  • Cyber Essentials Plus, which is also centred around the five technical control areas but adds independent testing and sampling of an organisation’s infrastructure to verify compliance. If successful, the organisation is offered a certificate which is valid for a year. 

The five technical control areas are firewall configuration, secure configuration, user access control, malware protection and security update management. 

The evaluation conducted by DSIT had four main objectives: 

  1. Assess whether the Cyber Essentials scheme has had a positive impact on increasing the cyber resilience of the UK economy.
  2. Evaluate whether there are common positive impacts or negative consequences for organisations which do or do not gain certification.
  3. Identify the extent to which Cyber Essentials is providing value for money and is an effective use of resources.
  4. Provide evidence-based recommendations for maximising the effectiveness of Cyber Essentials.

The purpose of these objectives, and of the evaluation as a whole, is to establish how effective Cyber Essentials is, what motivates organisations to become certified, their views on the scheme’s guidance and information processes, and how easy it is for organisations to adopt the technical controls. 

Objective 1: Building Cyber Resilience 

The evaluation highlights that Cyber Essentials has positively influenced UK businesses by reducing vulnerabilities and encouraging proactive cyber security measures. Certified organisations show high levels of preparedness against cyber threats, with 91% of users saying that the scheme has directly improved their confidence in being able to consistently implement steps to reduce cyber security risks, thus fostering resilience. Key benefits also include stronger defences against phishing attacks and ransomware and improved awareness of best practices. Some sectors, especially SMEs, face barriers such as resource limitations which hinder their adoption of cyber security measures and broader economic resilience; however, this can be resolved on an individual basis. 

Objective 2: Impacts on Certified and Non-Certified Organisations 

For certified organisations, benefits include improved confidence when supplying services, better risk management, and compliance with regulatory requirements. Certification also often opens doors to partnerships requiring robust cyber security, with 35% of those surveyed stating that they first became certified as the scheme was mandated in government contracts. 

Non-certified organisations may face competitive disadvantages, especially in supply chains that require certification. A few organisations may feel left out due to the perceived difficulty or cost of implementing Cyber Essentials. 

The evaluation noted an overall need to ensure inclusivity and, again, to reduce the negative effects on smaller businesses. 

Objective 3: Value for Money 

Adoption rates remain uneven across sectors, which raises questions about whether current incentives and support adequately reach underserved organisations, particularly SMEs. Nevertheless, certification delivers tangible security and reputational benefits for organisations, outweighing the costs for many, and efforts to scale adoption of the certification through simplified processes show promise in making it cost-effective. 

Objective 4: Recommendations for Maximising Effectiveness 

Recommendations that emerged from the evaluation include: 

  • Continue to promote Cyber Essentials as an affordable and responsive cyber security solution aimed at organisations that may otherwise lack basic protection. 
  • Continue to invest in the scheme’s supportive approach to helping organisations gain and sustain certification, by growing the supportive network of Certification Bodies and assessors. 
  • Stimulate wider and more effective use of Cyber Essentials as a supply chain assurance tool. 
  • Help clients to identify how they could improve the efficiency of cyber security due diligence processes where their suppliers are Cyber Essentials certified. 
  • Encourage more organisations to prioritise cyber security by conveying more tailored information about the benefits of being Cyber Essentials certified to different sizes and types of organisations. 
  • Consider providing more basic information to organisations that have never been certified to help them better understand the Cyber Essentials scheme and why it would be a good investment.
  • Continue to work with insurance providers to convey the latest evidence on the effectiveness of the Cyber Essentials technical controls and how the scheme contributes to organisational cyber resilience. 
  • Consider rolling out more targeted and high-profile marketing and communications stressing the potential hard-hitting consequences of a cyber attack. 

Implications for UK Cybersecurity Policy 

The recommendations emphasise the need for an accessible, inclusive cybersecurity framework to strengthen the UK’s digital resilience. Promoting Cyber Essentials as an affordable, practical solution and enhancing support networks for certification are critical steps. Encouraging adoption as a supply chain assurance tool and tailoring outreach to various business types ensure broader reach. Integrating insights from insurance providers and highlighting the consequences of cyber attacks align with national priorities to build awareness, improve supply chain security, and standardise protections, fostering a more resilient economy and digital infrastructure. 

Conclusion

The Cyber Essentials impact evaluation highlights significant benefits for certified organisations, from enhanced cyber resilience to competitive advantages. However, adoption barriers for SMEs need to be addressed. Stakeholders should explore certification to safeguard their systems and strengthen the UK’s cybersecurity framework. 

For businesses seeking guidance or certification in Cyber Essentials, contact us at principledefence@principledefence.com.
