Cybercrime continues to gather pace in the UK yet only five percent of UK companies comply with the Cyber Essentials standard. Is it time to put cybersecurity in the same category as health and safety and make Cyber Essentials legally required?
It seems that a day doesn’t go by without a national news story about a company being affected by cybercrime. But the cases that reach the news tend to involve larger household names and represent only the tip of the cybercrime iceberg, beneath which are many, many smaller companies that have been attacked in some way via the Internet. A recent UK government survey (Cyber security breaches survey 2023) found that thirty-two percent of businesses in the UK had suffered a breach or attack in the last twelve months. This potentially puts at risk a vast quantity of personal data belonging to customers, employees and other individuals, with possible consequences for their online safety, finances and freedoms.
UK legislation focuses on the UK GDPR (General Data Protection Regulation), the post-Brexit version of the EU’s GDPR that became law in May 2018, but the Data Protection and Digital Information (No. 2) Bill that is going through Parliament at the moment promises to water this down to some extent, supposedly to free UK businesses from EU red tape.
There is no requirement for businesses in the UK to show that they have appropriate cybersecurity controls in place, and a lack of them only comes to light when there is a breach of personal data and the Information Commissioner’s Office (ICO) gets involved.
And yet the UK does have a government-sponsored cybersecurity certification scheme called Cyber Essentials that has been running since 2014. Intended to address eighty percent of common attacks, the scheme requires organisations seeking certification to put in place controls in five areas:
Certification is required to bid for central government contracts which involve handling sensitive and personal information, but there is no such formal requirement outside of this; it is left to the open market to decide the level of cybersecurity assurance needed to win business.
But awareness of such schemes is remarkably low amongst UK businesses, let alone amongst UK consumers, so it’s hard to see how customer demand is going to drive any kind of improvement in the cybersecurity posture of most companies.
Imagine if health and safety were organised in the same way, where the expectation is that customers would buy goods and services from companies with the best record of protecting their staff, and standards would improve as a result. This, quite rightly, doesn’t happen; instead the government mandates certain legal standards of health and safety, and they are monitored closely by the Health and Safety Executive, which acts as the regulator.
So why could the same model not be adopted for cybersecurity in the UK, with mandated standards (for example certification to Cyber Essentials) that are policed by a central regulator, such as the National Cyber Security Centre or the ICO?
This would have the benefit of raising standards of cybersecurity in the UK massively, making it a much harder proposition for cybercriminals, saving companies money by avoiding breaches and protecting consumers’ personal data at the same time.
It wouldn’t erase cybercrime completely, but it would certainly make the UK a less attractive target and fit in with the current government’s ambition to capitalise on the opportunities presented by Brexit on the world stage.
Compulsory Cyber Essentials would be good for UK IT managed service providers, encouraging growth in an area identified by the UK Cyber Strategy as a priority.
Yes, it would be an extra cost for businesses, but at a £300 fee for small company certification, it needn’t be crippling.
There comes a point where the only way to make something happen is for central government to step in and legislate for it, and maybe we’ve reached that point with cybersecurity. The alternative is for the UK to carry on as it is, constantly falling victim to anyone with a bad attitude and a keyboard. That doesn’t sound like the post-Brexit New Dawn the government is looking for, does it?
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
CertiKit is a provider of document toolkits and has helped more than 4000 organizations worldwide with their compliance.
Our Cyber Essentials Toolkit will help you align to the UK scheme easily and includes all the template documents, guides and email support required for efficient compliance.
For more guidance on implementing the Cyber Essentials scheme, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.