The number of Cyber Essentials badges issued via the National Cyber Security Centre (NCSC) backed security certification scheme continues to increase but at a slower pace than is really needed to secure the resilience of Britain’s business community.
This is according to new statistics – covering the January to March 2025 quarter – published on Thursday 19 June by the government, which revealed that 10,064 base-level Cyber Essentials certifications and 3,272 advanced Cyber Essentials Plus certifications were awarded in the period.
This was a small advance on the period covering October to December 2024, when 9,790 Cyber Essentials and 3,388 Cyber Essentials Plus certifications were awarded.
Microbusinesses and small enterprises were the most heavily represented during Q1, accounting for 5,988 Cyber Essentials certifications respectively. A total of 1,780 medium-sized businesses received their badges, and 916 large enterprises were certified.
However, of the awards made during Q1, 7,557 were recertifications by existing scheme members – Cyber Essentials must be renewed every 12 months – and only 2,507 went to net new members, an indication that while Cyber Essentials is a general success, more work needs to be done to improve awareness of the scheme.
“Every 13 minutes, a UK business achieves Cyber Essentials certification. This progress is certainly something to celebrate, yet in the grand scheme, its uptake is limited to less than one in one hundred businesses,” said Andy Kays, CEO of Socura, a managed security services provider (MSSP) with offices in Cardiff and London.
“Disappointingly, only a quarter of UK businesses with 250 or more employees are Cyber Essentials certified. This is concerning, considering the certification covers a level of cyber hygiene that all businesses should already be following,” said Kays.
Recognising that there is often an expectation that working through compliance and certification processes can be something of an onerous chore, Kays pointed out that for businesses that are maintaining a decent standard of cyber hygiene, achieving Cyber Essentials compliance should be a doddle.
“Given the number of high-profile breaches in the news recently, Cyber Essentials presents an important opportunity to signal to customers, partners, and suppliers that cyber security is taken seriously. It also helps organisations lay the foundations for more proactive security measures,” he added.
What is Cyber Essentials?
Launched in 2014 under the auspices of CESG, then national authority for information assurance – later to be folded into the NCSC – Cyber Essentials was borne from recognition that the UK needed to be doing more to protect businesses and organisations from cyber attacks.
Investigations conducted by CESG in the early 2010s showed that many cyber attacks could have been prevented entirely if one or more of just five technical controls had been in place:
- Secure configuration – setting up computers to minimise potential entry points for bad actors;
- User access control – ensuring businesses control who can access data and services, and at what level;
- Malware protection – identifying ways to stop malicious software, including ransomware, before it has a chance to bed in;
- Security update management – stopping bad actors from accessing networks through software vulnerabilities with appropriate and timely patching strategies;
- Firewall implementation – creating a filter between the public internet and business networks and systems.
Together, these controls came to form the basis of Cyber Essentials, which has been delivered through NCSC delivery partner IASME since 2020, it has issued close to 190,000 certificates to date.
Crucially, any businesses seeking to operate certain UK government contracts to handle sensitive and personal data must hold Cyber Essentials certification.
Speaking on the occasion of the scheme’s tenth anniversary last year, cyber security minister Feryal Clarke said: “We have always believed Cyber Essentials helps drive better cyber security across the economy. However, we can now prove that it does.
“Recent insurance data shows us that organisations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it.
“Additionally, where organisations require their third parties to get Cyber Essentials, we know they experience fewer third-party cyber incidents,” she said.
Writing in Computer Weekly at the time, Adam Pilton, a cyber security consultant at CyberSmart and former detective sergeant investigating cyber crime at Dorset Police, said that in the broadest possible terms, Cyber Essentials was very successful because it has helped organisations that might otherwise have fallen by the wayside put some of the basics in place.
“When working in law enforcement to protect and investigate cyber crime, one of the major contributing factors to an organisation being breached, or otherwise hit by cyber criminal activity, was that they did not have the basic controls in place, leading to them being viewed by cyber criminals as low hanging fruit, and could be targeted by actors on the lower end of the sophistication spectrum,” said Pilton.
“Cyber Essentials … have managed to protect against the basic forms of cyber attacks to which SMEs routinely fall victim. While it is unlikely that the frameworks suggested by Cyber Essentials would protect an organisation entirely from attacks on the more persistent, sophisticated end, it has provided organisations with the ammunition to defend against the more everyday instances of cyber crime, which for a small business can be equally as devastating as the sophisticated ones,” he wrote.
