Small businesses typically benefit the most from a Cyber Essentials or CE Plus certification, according to new research conducted for the UK’s NCSC.
The NCSC commissioned BritainThinks to perform a baseline review of Cyber Essentials to look at how the scheme has influenced cyber security attitudes and behaviours in UK organisations to date. The results were published on the NCSC website(1) in November 2020.
The survey revealed some interesting trends:
• Certified organisations are more likely to be business-to-business companies, rather than business-to-consumer.
• Certified organisations are more likely to recognise the cyber security threats to their organisation, but they are also more likely to feel protected against those threats.
• For medium-sized and larger organisations, the Cyber Essentials and Cyber Essentials Plus schemes tend to reinforce existing attitudes and behaviours.
• Genuine attitudinal and behavioural change as a result of becoming certified seems to be restricted to smaller and newly established companies.
It’s probable that the ranks of Cyber Essentials certified businesses are filled with business-to-business companies because of the effects of public sector procurement policies. Public sector procurement processes often demand Cyber Essentials as a baseline indicator of good cyber security practices and that creates a real driver for business-to-business companies to get certified.
It’s fantastic news that so many large and medium-sized organisations see Cyber Essentials and Cyber Essentials Plus as an important seal of approval on the cyber security processes they have in place. We have definitely seen internal cyber security awareness rise throughout the companies we have worked with to achieve Cyber Essentials and Cyber Essentials Plus as they work through the process.
The most striking finding for us, however, is that so many smaller businesses are experiencing genuine attitudinal and behavioural change as a result of gaining certification. This news is something of a double-edged sword. On the one hand, it is absolutely great to hear that the Cyber Essentials scheme is driving the outcomes it was designed to promote.
On the other, it is worrying that so many small and new businesses that undertook the Cyber Essentials certification were starting from a less-than-optimal position. It’s clear that everyone involved in promoting the scheme still has work to do to get the remaining non-participating UK small businesses signed up to the scheme and aware of the risks and the remediations.
The NCSC survey also revealed some interesting results from the certification process:
• The vast majority (93%) of certified organisations say they are confident they are protected against common, internet-based attacks.
• Smaller organisations are typically implementing the controls for the first time in order to become certified.
• Larger organisations often already follow the controls.
• Among organisations that are already certified, Cyber Essentials / Cyber Essentials Plus is seen to have a positive impact on a wide range of factors, including management’s understanding of cyber risk.
• Most strikingly, organisations with Cyber Essentials or Cyber Essentials Plus are more likely than those without to take further steps to improve their cyber security, beyond the CE technical controls.
• They are also more likely to identify attacks.
• Two thirds of those organisations with Cyber Essentials or Cyber Essentials Plus who experienced an attack said that the scheme had a positive impact on their ability to respond to the attack.
• Furthermore, certified organisations say that certification has a positive impact on customer confidence.
The findings of the report highlight how beneficial Cyber Essentials and Cyber Essentials Plus can be for an organisation. There is a raft of demonstrable positive impacts.
For us, the most positive news is that attacks are more likely to be identified and more likely to be better dealt with. The fact that Cyber Essentials is driving uptake of controls beyond those required for certification is also really positive news. It suggests there is a cultural change happening as a result of certification that really helps to build a programme of continued cyber security improvement in participating organisations.
If you aren’t already Cyber Essentials certified, read our guide.
Alternatively, if you would like advice or support to get Cyber Essentials certified, reach out to our team for an initial 15-minute chat, which you can book here. We are always happy to answer any questions you may have about the scheme.
If you are Cyber Essentials certified but are interested in finding out more about additional controls that could help protect your organisation, your people and your data, don’t hesitate to reach out as well.
The NCSC hopes that certification will encourage organisations to promote Cyber Essentials to others in their supply chain and to interact with its own advice more frequently. If you are interested in doing this, you can stay up to date with news updates from NCSC here(2).
Sources:
1. https://www.ncsc.gov.uk/information/setting-baseline-ce-prior-to-iasme
2. https://www.ncsc.gov.uk/section/keep-up-to-date/ncsc-news