Skip to content

Search the site

What essentials? UK businesses remain "unaware" of NCSC cybersecurity certification

Less than 2% of UK private businesses are NCSC certified- and half of the SMEs don't even know about certification schemes

The NCSC Cyber Essentials is a solid government-backed certification to build resilience against cyber attacks. Unfortunately, it doesn't have many takers.

According to the latest numbers, just over 100,000 NCSC certificates have been issued since the program's inception.

Given that there are over 5.5 million private businesses registered in the UK, that is less than 2% of firms. Even discounting sole traders, that is a dismal number.

Despite a significant restructuring to ensure companies maintain basic cyber hygiene and restrictions on bidding for government contracts on companies without the certification, and consistent good press- a certification gold rush isn't quite on the horizon.

(In fact, in late 2021, The Stack let its readership know they'd be mad not to get the certification)

A recent survey conducted at Infosecurity Europe might answer why SMEs aren't getting certified. Mostly, it's because they are unaware of the programme.

According to the survey conducted by Lookout Inc., an endpoint to cloud security company, 40% of professionals have "no clue" about the scheme.

For small to medium-sized businesses (digital and otherwise) this is a missed opportunity.

The certification not just covers the basics needed to build internal defences to the most common types of cyber attacks- it also provides automatic cyber liability insurance for any UK organisation who certifies their whole organisation and have less than £20 million annual turnover, as part of the Cyber Essentials Plus program.

(According to insurance underwriter data that SMEs that are certified are 60% less likely to make a claim than those without Cyber Essentials)

“The stats highlight a continuing concern within the cybersecurity industry – awareness,” said Bastien Bobe, Lookout Field CTO EMEA told The Stack.

“As cybersecurity experts, we have a level of responsibility to help raise awareness around security best practices, habits, and behaviours for the organisations we work for and the wider public. However, if we ourselves struggle with understanding frameworks, regulations and standards designed to keep us safe, then that is an issue," he added.

The recent update to Cyber Essentials requirements take into account the rise of remote work and the rise of 'BYOD' (Bring Your Own Device) workspaces. This also includes the elevation of asset management to "highly recommended core security function."

Devices not owned by organisation scope guidelines, NCSC Cyber Essentials 2023

Along with awareness issues, there is also lack of market pressure to pursue certification.

According to the same study, 41% of security professionals would still choose to partner with a third-party supplier if they were not NCSC accredited, stating "it's not a deal breaker."

With an average cyber-attack costing SMEs up to £4,200, not only does this leave open supply chain vulnerabilities, it costs the businesses significantly in the long-run.