
Cyber Essentials: Time to Start Mandating Compliance?

If even a discount doesn't encourage take-up, what are the next steps?


“We offered to cover half the costs of the basic Cyber Essentials last year and got zero responses!”

Simon Newman, then CEO of the Cyber Resilience Center, describes how engaged businesses are with the Cyber Essentials scheme. In an effort to promote compliance with the scheme, he came up with the idea of offering £50 off the cost of basic Cyber Essentials certification, and that attracted no interest at all.

“Then we did a pilot with the London Chamber of Commerce for their members where we said we would pay half the recommended retail price, and again we had zero uptake, which has been really disappointing,” he said.

Newman says that, as the Cyber Resilience Center is part-funded by government and Cyber Essentials is the government's flagship scheme for businesses to demonstrate basic cyber security credentials, “we wanted to make it a really important part of what we talked a bit about.”

Low Awareness?

Is this due to a lack of awareness of Cyber Essentials more generally, and of the benefits of complying with it? Reviewing those efforts, Newman admits “we kind of went straight to solution without really understanding what the barriers and the challenges are.”

Awareness of Cyber Essentials is relatively low, Newman says, particularly amongst smaller organisations, which often do not see cyber as a priority at all.

Larger companies frequently obtain Cyber Essentials because it is required as part of a contract tender. “So we find in many cases that they're required to take it as a result, as opposed to wanting to take it as something to their toolkit.”

Newman is not wholly critical of the scheme: he believes it is scalable and relatively simple for a small business to implement, but too many do not see, or do not understand, its value.

This comes down to messaging: as an industry we use a lot of technical terms that small businesses don't really understand, “and I think we've not been able to explain clearly enough the value of having something like Cyber Essentials.”

He says: “Because people don't see the risks that they're facing, that could be one side of it, but I think the messaging side is an area which I think needs a lot more work to be done to demonstrate the success factors of why Cyber Essentials can be a really good thing to have in place.”

Extra Costs

Newman likens the cost of implementing Cyber Essentials to taking a car for its MOT test: there is the cost of the test itself, but potentially a lot of additional expense on top of it.

“For a small organisation you can very quickly be looking at a £1,000-2,000 bill just to get through Cyber Essentials, so there's a number of factors for me which are just preventing people, or not encouraging enough people, to take it as they should be.”

He said many small businesses would rather invest in something that helps the business in a more direct way, when the messaging should be about what Cyber Essentials can mean for their business, “but we’re a long way from that at the moment.”

Newman admits that it is hard for many smaller businesses to see the benefits, and that too many regard attacks and breaches as something that happens to larger businesses, without making the connection to what could happen to them.

Next Steps

Newman says government has a number of options around cyber awareness. So far Cyber Essentials has been the carrot: “we’d like you to do this and in some cases, the government will support you through it.” Given the scale of the cyber risk, is it time to switch to the stick and mandate compliance?

“So every business that sets itself up, and where every business is operating, must have Cyber Essentials as a minimum priority,” he says, pointing out that government funding would be needed “because that's the only way you're going to get a significant step change in a very short space of time.”

Newman concludes that “being nice is not working”, so we have to look at mandating compliance. “If I was making a point to the new government, it is to say, look, given the state of the risk, it is a great standard, but the only way you're going to get a step change is by mandating that.”


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
