A third of SMEs fail to even seek Cyber Essentials certification

News by Jay Jay

Four in five UK businesses surveyed achieve Cyber Essentials certification, but the figure for SMEs is more like two thirds, down to budget restrictions and failure to understand the benefits.



In a survey of 251 UK IT managers, over 80 percent reported that their businesses have obtained Cyber Essentials certification, a government-recommended standard that confirms that a business has implemented certain basic cyber-security policies and practices that make it less likely to suffer a cyber-attack.

But the figures vary widely: a third of SMEs were not certified, whereas only six percent of large (750 employees) organisations were not.

This is up from less than half of large businesses in the UK having received their Cyber Essentials certification a couple of years ago when the British Chambers of Commerce carried out a digital survey of UK businesses.

The survey's findings put a big question mark over the government's ability to encourage small and large businesses to apply for accreditations, not only to win government contracts but also to make their customers believe that their data were in safe hands.

Two years down the line, having suffered countless cyber attacks in the process, businesses operating in the UK seem to have learned their lesson. Even though 43 percent of all businesses in the country experienced cyber attacks over the past twelve months, over 80 percent of them have obtained Cyber Essentials certification, implying that they have the tools in place to detect and defeat cyber-attacks and protect sensitive enterprise and customer data.

The survey, carried out by CyberGuard, set out to understand whether UK businesses are employing sufficient methods to reduce cyber-security risks and to defend against cyber-attacks.

Some 69 percent of IT managers interviewed by CyberGuard said that their firms signed up for Cyber Essentials because they understood the benefits of being certified, and 84 percent of those who obtained the certification said it has helped their business to win contracts, implying that the accreditation process has benefited a majority of businesses operating in the UK.

"We encourage companies to become Cyber Essentials certified since it can help protect against most common cyber-attacks. In 2019, it should be paramount that businesses who rely on technology protect customer and employee information - as well as their own. Becoming Cyber Essentials certified is a great start to implementing strong and secure cyber security practices," said Paul Colwell, chief technology officer at CyberGuard.

Despite the positives, a lot of work remains to be done to ensure that all businesses operating in the UK have the necessary tools in place to eliminate cyber-security risks. The survey found that 19 percent, or one in five of UK businesses, are yet to receive Cyber Essentials accreditation. Of small businesses employing between 20 and 49 employees, 33 percent are yet to receive their accreditation.

67 percent of IT managers told CyberGuard that a lack of understanding about the cyber security standard has held back their firms from applying for accreditation. This suggests that the government will have to put in more effort in the days ahead to communicate the benefits of Cyber Essentials certification, especially to small and micro businesses.

While 42 percent of IT managers at firms that lack accreditation said that lack of funds was the reason behind the lack of certification, 29 percent said that they didn't consider the certification important for their businesses. This, despite the fact that GDPR has introduced large penalties for organisations that suffer cyber-attacks as a result of weak cyber-security policies.

According to James Romer, chief security architect for EMEA at SecureAuth, a lot of work needs to be done by businesses, small, medium or large, to eliminate cyber-risks and to prevent the emergence of new threats.

He said that cyber-risks can be effectively addressed through complete identity management platforms, combining identity access controls alongside user awareness programmes. Many organisations have not correctly identified the importance of implementing strategic identity solutions as a priority to improve their cyber-defences.

"It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyber-attacks in the future."
