In September 2023 it was reported that the UK’s Electoral Commission failed a basic cyber-security test shortly before it suffered a cyber-attack. Bastien Bobe at Lookout explains why this basic security standard really is essential for business
Like a game of dodgeball, modern day UK businesses operating in this increasingly digital world are ducking, dodging and weaving away from the constant bombardment of cyber-attacks that is now plaguing everyday life.
Naturally, having robust defences and adequate security measures in place is paramount, and the advice and guidance provided by the government should be followed. In fact, the UK government-backed NCSC Cyber Essentials framework was created with this in mind, aiming to help UK businesses effectively fortify their systems against the world’s most common cyber-threats.
But how widely is it being adopted, what is the perception within the industry towards the scheme, and are organisations doing the utmost to stay cyber-resilient?
Cyber Essentials adoption: unveiling the landscape
As it stands, slightly more than 100,000 NCSC certificates have been issued since the programme began. However, there are over 5.5 million private businesses registered in the UK, meaning that less than 2% are Cyber Essentials accredited.
This is a shockingly low statistic given the dangers posed to businesses when suffering a cyber-attack. Moreover, a recent study which examined the views of security professionals towards Cyber Essentials found that there is a clear gap in awareness as 40% were unfamiliar with the scheme, with only 28% stating that their organisation had fully implemented the Cyber Essentials framework.
Diving deeper into the study, it was revealed that over half (58%) of security professionals blamed their lack of understanding of the framework as the main reason why their organisations had not been certified.
Further education and awareness building by the industry and the NCSC is clearly needed to communicate the importance and benefits of being Cyber Essentials accredited, which in turn will improve an organisation’s overall security posture.
The anatomy of Cyber Essentials
There are two types of accreditation offered by the NCSC Cyber Essentials framework – standard and Cyber Essentials Plus. The standard certificate shows that the organisation has the capability to avoid many of the common cyber-threats in existence. To achieve Cyber Essentials Plus, organisations require a hands-on technical evaluation of their systems, including vulnerability scanning.
Naturally, there are many benefits to holding a Cyber Essentials certification, including an improvement in cyber-security measures driven by the assessment itself, and greater customer trust and confidence in knowing the organisation is following security best practices. Moreover, the framework helps to ensure that the business is meeting its regulatory compliance requirements.
The threat landscape and supply chain implications
Checking whether an organisation is Cyber Essentials accredited goes a long way in building trust, not only for customers but also for other businesses that may want to partner with it; therefore, such checks should be carried out when partnering with suppliers and providers. Indeed, organisations wanting to secure UK government contracts must hold Cyber Essentials certification.
Supply chain cyber-attacks can be devastating, expensive and hold long-term ramifications for affected organisations. On average, the cost of cyber-attacks on supply chains is $4.35 million per incident.
The National Cyber Security Centre (NCSC) has, in response, issued a warning about the escalating number of cyber-attacks exploiting vulnerabilities within the supply chain. Despite its importance, recent findings have shown that just under half (47%) of security professionals check if their third-party suppliers have Cyber Essentials accreditation.
More worryingly, the same study revealed that 41% are willing to partner with a supplier even if that organisation is not certified, showing a clear disconnect between the perceived importance of certification and actual decision-making.
The call for a standard security baseline
Given the current threat landscape, the vast number of cyber-security certifications, laws and regulations, and the fact that organisations are under the microscope from customers to deliver on privacy, the ability to prove adherence to a security standard like Cyber Essentials is important.
Indeed, more awareness needs to be created around the NCSC Cyber Essentials framework. Security professionals must be proactive and be aware of cyber-security certifications that will enhance their organisation.
With that said, the imperative lies not only in adopting the framework but also in advocating for a standardised security baseline that mitigates the risk from pervasive cyber-threats. By doing so, organisations can not only safeguard their own interests but contribute to the collective resilience of the digital ecosystem.
In today’s landscape, fortified by remote work, mobile threats, and cloud vulnerabilities, deploying proactive security strategies aligned with industry standards is crucial.
Bastien Bobe is Field CTO, EMEA at Lookout
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543