Cybersecurity is a growing concern for businesses of all sizes, but it can be especially challenging for small firms with limited resources and expertise. The UK government's Cyber Essentials scheme aims to make basic cyber hygiene accessible to organisations of all types and sizes. A recent impact evaluation conducted by Pye Tait Consulting on behalf of the Department for Science, Innovation and Technology (DSIT) offers compelling evidence that the scheme is delivering strong protection and value, particularly for smaller businesses.

If your small business is looking to strengthen its cyber resilience, Cyber Essentials is certainly a worthwhile step to consider.

Providing a Solid Foundation

The Cyber Essentials scheme is centered around five key technical controls:

1. Firewalls

2. Secure configuration

3. User access control

4. Malware protection

5. Security update management

According to the evaluation, these controls when properly implemented can mitigate 99% of internet-based vulnerabilities. Furthermore, 82% of surveyed Cyber Essentials users expressed confidence that the controls provide effective protection against common cyber threats.

Improving Awareness and Confidence

Beyond the technical controls, Cyber Essentials is elevating small businesses' awareness and understanding of the cyber risk landscape. Almost two-thirds (64%) of scheme users agree that certification better enables their organisation to identify common, unsophisticated cyber attacks. Most users (85%) also believe the scheme has directly improved their understanding of cyber security risks and the steps they can take to reduce them.

This heightened risk awareness appears to be translating into greater confidence. 91% of surveyed organisations say Cyber Essentials has directly improved their confidence in being able to consistently implement risk reduction measures. The same proportion feel more confident that they are protected in the event of a common cyber attack.

Stimulating Positive Behaviours

Importantly, Cyber Essentials seems to be acting as a catalyst for small businesses to adopt wider good practices beyond just the core technical controls. Approximately three-quarters (76%) report taking additional steps to improve their cyber resilience after becoming certified.

71% agree the scheme has strengthened how seriously their organisation as a whole takes cyber security. Qualitative evidence points to Cyber Essentials fostering more holistic, "business as usual" attitudes where all staff are encouraged to play their part in staying secure.

Benefits Across the Value Chain

While Cyber Essentials can help individual small businesses shore up their own defenses, the evaluation highlights the scheme's wider positive impacts across supply chains. 61% of Cyber Essentials users say they are more likely to choose suppliers who are also certified. 75% have more confidence in certified suppliers.

Meanwhile, 79% of certified organisations believe the scheme increases the confidence of their own customers. This confirms Cyber Essentials' value as a tool for small businesses to provide assurance and demonstrate basic cyber hygiene to the market.

A Worthwhile Investment

Ultimately, the research paints a clear picture of Cyber Essentials as a cost-effective cyber security solution for small businesses. The prescriptive, non-risk-based approach taken by the scheme makes it an accessible entry point for organisations with limited expertise. And the evidence shows it provides a robust baseline of protection along with a raft of wider organisational benefits.

You can learn more about the scheme and how to get certified on the NCSC website.

New here? Welcome aboard! Join the Focus community to get insights straight to your inbox.

Need help standing out? Let us spotlight your business or service—partner with us.

Do you have a tip, question, or big win? We’re listening! Share it with us, and we’ll feature it.

Looking for expert advice? Our team of public sector pros has your back—get in touch here.

Until next time!