Over a decade since the launch of the UK’s Cyber Essentials scheme, the number of UK businesses which are certified is “nowhere near” enough, the government has admitted.
Currently around 35,000 UK organizations are Cyber Essentials certified, according to the National Cyber Security Centre (NCSC).
Speaking to press during CYBERUK 2025 in Manchester, Jonathan Ellison, NCSC Director for National Resilience, acknowledged that this number is “nowhere near where we need to be if you think that there’s 5.5 million businesses in the UK.”
Despite the lack of uptake, a UK government report in October 2024 found that Cyber Essentials has had a positive impact on the security of organizations that have taken part in the scheme.
“Cyber Essentials works, we know it works. It’s an evidence-based intervention that we know can make organizations more resilient,” Ellison noted.
He added that it is a “big priority” for the UK government in the year ahead to achieve better market penetration of Cyber Essentials.
To encourage organizations to take part in the scheme, the government has made Cyber Essentials compliance a requirement for many government contracts, particularly those involving sensitive data.
Expansion of government funding for the scheme for certain sectors is also being considered.
Ellison noted that another important step is to make Cyber Essentials less daunting for small businesses.
“One of the things we’re going to try to do over the next year or so is build that pathway through to Cyber Essentials – how do we work in conjunction with other parts of the economy like banks and insurers to help that journey to Cyber Essentials,” he added.
The voluntary Cyber Essentials scheme, introduced in 2014, provides basic controls organizations should implement to mitigate the risk from common internet-based threats.
There are two levels of Cyber Essentials certification. The first, Cyber Essentials, is a basic, verified self-assessment option centered around five technical control areas. These are firewalls, secure segmentation, user access control, malware protection and security update management.
The second is Cyber Essentials Plus, which is based on the same five technical control areas, with the addition of independent testing and sampling of the organization’s infrastructure to verify compliance.