Is Cyber Essentials Worth It

Cyber Essentials Turns 10 – Is It Working?

Cyber Essentials has been protecting organisations from cyber attacks for over a decade now. In a new report from the UK Government, 91% of Cyber Essentials users believed that the scheme has directly improved their confidence in being protected in the event of such an attack.

 

The government established Cyber Essentials “to help protect organisations of any size against the most common internet-originating cyber attacks”. This refers to attacks requiring little technical skill, often using tools and techniques that are easily accessible online. The requirements of Cyber Essentials set out a baseline level of cyber security that all organisations can achieve, and should strive to exceed.

 

With a huge survey of UK businesses, including those never certified by the scheme, the government wanted to answer the question: “Is Cyber Essentials Worth It?”

 

Increased Confidence in Cyber Security

 

Users of Cyber Essentials were demonstrably more concerned about, and aware of, cyber threats and their potential impacts than their uncertified peers. The report revealed that 85% of certified organisations believe the scheme has enhanced their understanding of cybersecurity risks, while 91% feel more confident in consistently implementing protective measures. This level of engagement demonstrates that Cyber Essentials is not just a checklist but a practical tool for fostering a culture of cyber security within organisations. Almost three-quarters (71%) of surveyed Cyber Essentials users agree that the scheme has directly strengthened how seriously their organisation takes cyber security.

 

The National Cyber Security Centre (NCSC) has consistently warned about the growing sophistication of cyber threats, yet 53% of Cyber Essentials users rely solely on the scheme for external assurance of their cyber security. In an increasingly hostile threat landscape, more could be done to encourage users to build on their Cyber Essentials certification to protect themselves against a wider range of attacks. However, despite a lack of further formal assurance, 76% of certified organisations have taken additional preventative measures beyond the required controls, reflecting a deeper commitment to security.

Comparatively, among businesses without certification, 72% lack any formal cybersecurity framework.

 

Why Cyber Essentials Works

 

One of Cyber Essentials’ strengths lies in its accessibility. The scheme provides organisations, particularly small and medium-sized enterprises (SMEs), with clear, actionable steps to protect against common cyber threats. It focuses on five key technical controls: firewalls, secure configurations, access controls, patch management, and malware protection. For resource-constrained SMEs, this framework offers an affordable way to build a foundational level of security.

 

How Cyber Essentials Adds Value

 

Beyond cybersecurity, Cyber Essentials is increasingly recognised as a business enabler. The report highlights that 69% of certified organisations believe it enhances their market competitiveness, while 61% are more likely to choose CE-certified suppliers. Even a significant portion of non-certified organisations share this view, with 23% expressing greater confidence in working with CE-certified businesses.

 

This competitive advantage is particularly evident in government contracting, where certification is often mandatory. Approximately 35% of organisations pursued Cyber Essentials to meet government requirements, the single most common reason for getting certified. While 15% of certified organisations mandate certification for their suppliers, 33% are considering mandating it in the future. Strengthening these requirements could amplify the scheme’s impact. Even when it’s not mandatory, just under half of Cyber Essentials users (45%) take Cyber Essentials into account when assessing the cyber risk that a supplier poses to them.

Room for Improvement

 

Despite its benefits, Cyber Essentials remains underutilised, with certification rates sitting at 3% of UK organisations. However, there is a stark contrast in certification rates between different-sized businesses. Just 0.2% of micro-businesses (<10 staff) are certified, compared to 30.8% of large businesses (>250 staff). Expanding the scheme’s reach will require overcoming barriers such as cost perception, limited awareness, and a lack of understanding about its relevance outside government contracts.

Certification has been growing steadily over the years, with internal trend data showing an increase from 500 certifications per month in January 2017 to more than 3,500 in February 2024.

 

Cyber Essentials has proven its value as a foundational cybersecurity tool, delivering tangible benefits for organisations that adopt it. However, its low uptake suggests that more work is needed to promote the scheme and integrate it into broader business practices.

 

For organisations still on the fence, the message is clear: Cyber Essentials is more than a box to tick to work with the government. It’s the first step toward protecting your digital assets, building trust with partners, and staying competitive in an increasingly threat-prone world.

 

OmniCyber Security is an IASME-accredited certification body for Cyber Essentials and Cyber Essentials Plus. We have years of experience with the scheme and have helped countless organisations of all sizes start their cyber security journey. Contact us today to start yours.
