Cyber Essentials at 10: No panacea for cyber security

The UK Government’s Cyber Essentials scheme turned ten this year, and has had a marked impact on organisational resilience for businesses of all sizes, but it should not be considered a panacea, security experts warn.

The Cyber Essentials scheme was launched in 2014 to help protect organisations against the most common cyber attacks, and improve cyber resilience across the UK economy. Ten years later, a Government research paper released today suggests that some of those goals have been achieved – for companies large and small.

The research found the scheme to be helpful in providing cyber security protection to organisations of all sizes, including larger organisations that use other schemes, standards and accreditations. The initiative was found to have stimulated wider actions, good practice and behaviours among organisations that use it. It is also being actively used as part of supply chain assurance to inform the supplier selection process, instil confidence and demonstrate basic cyber hygiene to the wider market.

Commenting on the findings, William Wright, CEO of Closed Door Security, said that Cyber Essentials is clearly delivering significant security benefits.

“Accredited businesses are clearly more cyber aware; they feel more prepared to handle routine cyber attacks and they feel confident with the controls they have in place. It’s also evident organisations feel more confident entering into partnerships with suppliers that are Cyber Essentials accredited, which shows how the certification is also being used to support third party resilience,” Wright noted.

At the same time, Wright says the study could raise some concerning “red flags”, particularly with data suggesting that, for 53% of respondents, Cyber Essentials is the only form of external assurance they have in place for their cyber security.

“If these organisations are only accredited with the basic version of the certification, this will not be enough to protect their systems against many of the attacks we are seeing today,” Wright said. “The basic version of Cyber Essentials is a self-assessment questionnaire, which is then examined by a Cyber Essentials assessor, but because the answers aren’t physically verified, there is no way to ensure that the data provided is accurate or that the controls have been implemented correctly.”

Organisations that are serious about improving their cyber posture should strive to go beyond the Cyber Essentials Plus certification, Wright says, blending it with other principles, including NIST, CIS Controls and ISO 27001.

“Organisations should look at this evaluation to understand the benefits Cyber Essentials offers, but they must also be fully aware that the certification alone, especially the basic version, is not enough to defend against today’s sophisticated attacks,” he warned.


