Cyber Essentials impact evaluation: key takeaways

In October, the Department for Science, Innovation and Technology (DSIT) published the Cyber Essentials impact evaluation, designed to assess whether the Cyber Essentials scheme has had a positive impact on increasing cyber resilience, whether it’s providing value and is an effective use of resources.

What is the Cyber Essentials scheme?

The Cyber Essentials scheme was set up to help organisations defend themselves against the most common internet-based cyber threats. There are two levels of certification – Cyber Essentials and Cyber Essentials Plus – and the scheme focuses on five key technical control areas, which are:

  1. Firewall configuration
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

To assess the effectiveness of Cyber Essentials, DSIT carried out a combination of surveys, interviews and case studies in 606 organisations with current or lapsed certifications and 516 organisations that hadn’t adopted the scheme.

What were the key findings?

  1. Effectiveness of Cyber Essentials
    • Improved protection – Cyber Essentials mitigates 99% of internet-originating vulnerabilities, showing that it’s a robust baseline for security
    • High confidence in controls – 82% of Cyber Essentials users trust that the scheme provides protection against common cyber threats
    • Supply chain assurance – more than a third of contracts in the surveyed organisations now have Cyber Essentials as a compulsory requirement for their suppliers, showing how important it’s become as a supply chain standard.
  2. Awareness and risk management
    • Risk identification – 64% of certified users report an improved ability to identify common cyber threats
    • Improved awareness – users now have more concern about cyber attacks due to an improved understanding of the risks. Certified organisations scored higher in concern levels (5.8 out of 10) compared to non-certified organisations (3.7).
  3. Confidence in cyber resilience
    • Improved understanding – 85% believe the scheme has improved their understanding of cyber risks
    • Operational confidence – 91% feel that Cyber Essentials has boosted confidence in putting risk-reduction measures in place and protecting against attacks.
  4. Driver of best practices
    • Beyond technical controls – 76% of users have put more preventative measures in place, like adopting ISO 27001, introducing better software or solidifying internal procedures
    • Strengthening culture – 71% of users say the scheme has strengthened their organisation’s overall commitment to cyber security and has opened up more conversations and a feeling of shared responsibility among staff
  5. Wider market impact
    • Competitive edge – 69% of certified organisations see increased market competitiveness, with the certification often acting as a key decision-making factor when it comes to securing contracts
    • Reduced due diligence – almost half of users (48%) report saving time when their suppliers are Cyber Essentials-certified, as it streamlines the process and reduces admin burdens.
  6. Insurance benefits
    • Organisations that opted for the included liability insurance identified it as a meaningful layer of added protection, with 80% fewer cyber insurance claims reported for certified businesses than for those without certification.

It’s also evident that even without the certification, organisations are still getting value from it – 13% of non-certified organisations use Cyber Essentials guidance to strengthen their defences and protocols.

The report’s recommendations to strengthen Cyber Essentials

The report also made some recommendations to maximise the impact of Cyber Essentials, including:

  • Promoting accessibility – continuing to position Cyber Essentials as a cost-effective and easily achievable solution for organisations who need cyber protection, especially small and micro businesses
  • Expanding support networks – strengthen the capacity of certification bodies to provide more tailored support for organisations looking to get certified
  • Supply chain influence – the report recommends advocating for Cyber Essentials more in supply chains, showing its value in reducing risks across businesses
  • Refining due diligence processes – providing guidance to reduce unnecessary checks for certified organisations during contract negotiations
  • Tailored outreach – develop targeted communications for different business sectors and sizes to show how certification reduces risk and helps achieve bigger business goals
  • Raising cyber awareness – carry out educational campaigns on the financial, legal and reputational risks of cyber attacks to encourage organisations to get certified

It’s clear from this report that Cyber Essentials isn’t just an effective baseline for cyber resilience, but strengthens businesses on a deeper level, too. It’s proven to build awareness, confidence and action, positioning it as a critical tool in reducing cyber risks.

Cyber Essentials with Citation Cyber

Choosing Citation Cyber for your Cyber Essentials certification is a no-brainer. You’ll get instant access to our user hub Atlas to manage your application, guidance from our cyber security experts to help you complete your self-assessment questionnaire and a free re-sit if required – oh, and we can do it all in one day. Click here for more information.
