Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Is it Time to Make Cyber Essentials Compulsory?

Cybercrime continues to gather pace in the UK yet only five percent of UK companies comply with the Cyber Essentials standard. Is it time to put cybersecurity in the same category as health and safety and make Cyber Essentials legally required?

It seems that a day doesn’t go by that there isn’t a national news story of a company being affected by cybercrime. But the ones that reach the news tend to be larger household names and represent the tip of the cybercrime iceberg that includes many, many smaller companies who have been attacked in some way via the Internet. A recent UK government survey (Cyber security breaches survey 2023) found that thirty-two percent of businesses in the UK had suffered a breach or attack in the last twelve months. This potentially puts at risk a vast quantity of personal data of customers, employees and other individuals, with possible consequences for their online safety, finances and freedoms.

The Legal Picture

UK legislation focuses on the UK GDPR (General Data Protection Regulation), the post-Brexit version of the EU’s GDPR that became law in May 2018, but the Data Protection and Digital Information (No. 2) Bill that is going through Parliament at the moment promises to water this down to some extent, supposedly to free UK businesses from EU red tape.

There is no requirement for businesses in the UK to show that they have appropriate cybersecurity controls in place, and a lack of them only comes to light when there is a breach of personal data and the Information Commissioner’s Office (ICO) gets involved.

Cyber Essentials

And yet the UK does have a government-sponsored cybersecurity certification scheme called Cyber Essentials that has been running since 2014. Intended to address eighty percent of common attacks, the scheme requires certifying organisations to put in place controls in five areas:

  1. Firewalls
  2. Secure configuration
  3. Security update management
  4. User access control
  5. Malware protection

Certification is required to bid for central government contracts which involve handling sensitive and personal information, but there is no such formal requirement outside of this; it is left to the open market to decide the level of cybersecurity assurance needed to win business.

But awareness of such schemes is remarkably low amongst UK businesses, let alone amongst UK consumers, so it’s hard to see how customer demand is going to drive any kind of improvement in the cybersecurity posture of most companies.

A New Model of Regulation?

Imagine if health and safety were organised in the same way, where the expectation is that customers would buy goods and services from companies with the best record of protecting their staff, and so improve standards. This, quite rightly, doesn’t happen; instead the government mandates certain legal standards of health and safety and they are monitored closely by the Health and Safety Executive, who acts as a regulator.

So why could the same model not be adopted for cybersecurity in the UK, with mandated standards (for example certification to Cyber Essentials) that are policed by a central regulator, such as the National Cyber Security Centre or the ICO?

This would have the benefit of raising standards of cybersecurity in the UK massively, making it a much harder proposition for cybercriminals, saving companies money by avoiding breaches and protecting consumers’ personal data at the same time.

It wouldn’t erase cybercrime completely, but it would certainly make the UK a less attractive target and fit in with the current government’s ambition to capitalise on the opportunities presented by Brexit on the world stage.

Compulsory Cyber Essentials would be good for UK IT managed service providers, encouraging growth in an area identified by the UK Cyber Strategy as a priority.

Yes, it would be an extra cost for businesses, but at £300 fee for small company certification, it needn’t be crippling.

Final Thoughts

There comes a point where the only way to make something happen is for central government to step in and legislate for it, and maybe we’ve reached that point with cybersecurity. The alternative is for the UK to carry on as it is, constantly falling victim to anyone with a bad attitude and a keyboard. That doesn’t sound like the post-Brexit New Dawn the government is looking for, does it?

 

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO 27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 


More Cyber Essentials Resources

CertiKit is a provider of document toolkits and has helped more than 4000 organizations worldwide with their compliance.

Our Cyber Essentials Toolkit will help you align to the UK scheme easily and includes all the template documents, guides and email support required for efficient compliance.

For more guidance on implementing the Cyber Essentials scheme, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free Cyber Essentials Resources

We’ve helped more than 4000 businesses with their compliance

Testimonials

The toolkit is well laid out, clearly written and easy to adapt. I like the fact that it is compliant to the standard as a start point. This is difficult to achieve considering the diversity of organisations it is covering.

SSTL
UK

View all Testimonials