
Why Are Businesses So Slow To Adopt Cyber Essentials?


The UK government has launched a new campaign with the tagline “lock the door” on cyber criminals, to encourage businesses of all sizes to adopt the basic security standards outlined in Cyber Essentials. It comes as cyber threats cost UK businesses £14.7 billion a year, with half of small firms experiencing an attack in the last 12 months. 

The government is updating its Cyber Essentials guidance in April, with a focus on tightening up the standards to protect firms against increasingly sophisticated threats. But many companies have been slow to adopt the basic standards, despite the security and reputational boost certification can bring. 

Why is this, and what can organisations do to begin to adopt the standards now? 


Inherent Confusion 

Part of the issue is a lack of clarity. There is a lot of inherent confusion around what Cyber Essentials means, how difficult it is to achieve, and what changes an organisation would have to make to get there, says Danny Roberts, cybersecurity consultant at Cyberis.  

There is also a big difference between the security posture of large and small businesses. Larger organisations with established security teams often already have the controls that Cyber Essentials requires. “So for them, it’s mostly a case of confirming they’re doing what they should be,” says Kirsty Paine, field CTO and strategic advisor at Splunk.  

But there tend to be more challenges in smaller organisations. “They may not have the time, resources, or in-house expertise to focus on cybersecurity, and it can end up competing with other priorities that feel more immediate for the business,” Paine explains. 

For a small or medium sized business, allocating significant budget to cyber security can feel “abstract,” agrees Martin Riley, CTO at Bridewell. “Leaders are often weighing immediate operational pressures such as growth, recruitment and supply chain resilience. Spending hundreds of thousands of pounds annually on a cyber programme can be difficult to justify when the return is framed around risk reduction, rather than revenue generation.” 

Among SMEs, there is also a dangerous mindset of being "too small to target," says Ian Glennon, senior security solutions architect at Qualys. However, modern cyberattacks are highly automated and opportunistic, he warns. “You do not need to be a primary target to become collateral damage. A small business might not yield a massive ransom, but they will still suffer crippling operational downtime from encrypted systems, or face ruinous cloud computing bills from compromised infrastructure.” 

Basic Cyber Essentials Measures 

The Cyber Essentials scheme rests on five non-negotiable pillars: firewalls, secure configuration, user access control, malware protection and patch management. 

The April update transforms the framework from "best effort" to “a strict mandate” by universally enforcing multi-factor authentication (MFA) across all cloud services, closing "out-of-scope" loopholes, and strictly demanding a 14-day turnaround for critical security patches, says Dray Agha, senior security operations manager at Huntress. 

The April update (v3.3) “significantly tightens the auditing criteria,” closing loopholes that previously allowed organisations to “compartmentalise their audits and mask underlying risks,” says Qualys’ Glennon. “The scope is now uncompromising: If a device accesses organisational data, including bring your own device (BYOD) and remote working equipment, it is in scope.” 

On the face of it, these aren't challenging things to ask. Yet in reality, many organisations or industries rely on software that never evolved past Windows XP, points out Cyberis’ Roberts. “Others may have to update 50,000 machines, where the risk of a failed update could lead to significant downtime and loss of revenue. Many users or industries also require special permissions that, on the face of it, would not pass a self-assessment.” 

The 14-day remediation deadline for critical vulnerabilities will be “a significant operational shock” for organisations still relying on legacy thirty-day patching cycles, says Glennon. 

However, it is vital to understand that the standard requires "vulnerability fixes", which provides a degree of operational flexibility, says Glennon. “A fix does not exclusively mean deploying a vendor patch. It includes any robust mitigation applied while a patch undergoes internal testing.” 

Configuration changes, registry updates, disabling vulnerable services, or deploying specific scripts all qualify as valid fixes, according to Glennon. “Therefore, the requirement is less about rushing untested patches into production, and more about having a nuanced, rapid-response capability to neutralise the immediate threat.” 
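The scope and fix rules described above (in-scope means any device that touches organisational data, BYOD included; a 14-day window for critical fixes; a mitigation counts as a fix while the vendor patch is in test) are easy to state but easy to get wrong in a spreadsheet. The following is an added example, not code from the article or from the Cyber Essentials scheme, showing how a small tracker could apply those rules to a vulnerability inventory. The record layout, the placeholder identifiers (`vuln-A`, `vuln-B`, `vuln-C`), the sample devices and dates, and the assumption that the 14-day clock starts on the vendor's fix release date and applies only to findings tagged "critical" are all constructed for the illustration.

```python
"""Track 14-day vulnerability-fix deadlines in the way the article describes.

Added illustration; not code from the article or the Cyber Essentials scheme.
Assumptions (not taken from the page): the record format below, the placeholder
vulnerability identifiers, the sample inventory, a clock that starts on the
vendor's fix release date, and a deadline that applies only to "critical".
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW = timedelta(days=14)           # the 14-day turnaround the article describes
FIX_KINDS = {"patch", "mitigation"}   # a robust mitigation counts as a fix, not only a vendor patch


@dataclass
class Action:
    when: date
    kind: str        # "patch" or "mitigation" (config change, disabled service, registry key, script)
    note: str = ""


@dataclass
class Finding:
    device: str
    vuln: str                # placeholder identifier, not a real CVE
    severity: str            # "critical", "high", "medium", "low"
    fix_released: date       # date the vendor made a fix available (assumed clock start)
    touches_org_data: bool   # the scope test: does the device access organisational data?
    byod: bool = False       # recorded for reporting only; BYOD is NOT an exemption
    actions: list = field(default_factory=list)


def in_scope(f: Finding) -> bool:
    """Scope is decided by data access alone; BYOD and remote devices are not exempt."""
    return f.touches_org_data


def assess(f: Finding, today: date) -> dict:
    """Classify one finding against the 14-day window."""
    result = {"device": f.device, "vuln": f.vuln}
    if not in_scope(f):
        return {**result, "status": "out-of-scope"}
    if f.severity != "critical":
        return {**result, "status": "no-deadline"}   # assumption: only critical findings are clocked
    deadline = f.fix_released + WINDOW
    fixes = [a for a in f.actions if a.kind in FIX_KINDS]
    if fixes:
        first = min(fixes, key=lambda a: a.when)      # earliest patch OR mitigation stops the clock
        days_late = max((first.when - deadline).days, 0)
        return {**result, "status": "fixed-late" if days_late else "fixed",
                "by": first.kind, "days_late": days_late}
    days_left = (deadline - today).days
    if days_left < 0:
        return {**result, "status": "overdue", "days_overdue": -days_left}
    return {**result, "status": "open", "days_left": days_left}


def overdue(findings: list, today: date) -> list:
    """Return (device, vuln) pairs that have passed the window with no patch or mitigation."""
    return [(r["device"], r["vuln"]) for r in (assess(f, today) for f in findings)
            if r["status"] == "overdue"]


# Constructed sample inventory (not real devices or vulnerabilities).
SAMPLE = [
    Finding("laptop-01", "vuln-A", "critical", date(2025, 3, 1), True,
            actions=[Action(date(2025, 3, 10), "patch", "vendor update installed")]),
    Finding("byod-phone-07", "vuln-A", "critical", date(2025, 3, 1), True, byod=True),
    Finding("db-server-02", "vuln-B", "critical", date(2025, 3, 1), True,
            actions=[Action(date(2025, 3, 8), "mitigation", "vulnerable service disabled; patch in test"),
                     Action(date(2025, 3, 28), "patch", "vendor update after soak test")]),
    Finding("kiosk-03", "vuln-C", "medium", date(2025, 3, 1), True),
    Finding("guest-tablet-01", "vuln-A", "critical", date(2025, 3, 1), False, byod=True),
]
TODAY = date(2025, 3, 20)

if __name__ == "__main__":
    for f in SAMPLE:
        print(assess(f, TODAY))
    print("overdue:", overdue(SAMPLE, TODAY))
```

Two records carry the points the quotes above make: `db-server-02` is compliant because the service was disabled on day 7 even though the vendor patch did not land until day 27, and `byod-phone-07` is overdue because a personal phone that reads company mail is in scope regardless of who owns it.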

Cyber Essentials Benefits 

It might seem like a complex task, but experts say the initial effort of adopting the April version of Cyber Essentials will be worth it. Cyber Essentials “slams the door” on roughly 80% of common, internet-based threats such as standard ransomware and phishing, Huntress’ Agha points out. 

Even beyond compliance, the guidance provides a “highly practical, actionable security baseline,” adds Glennon. “Systematically applying these controls drastically reduces your attack surface and lowers your overall operational risk profile, which ultimately protects your bottom line.” 

At the same time, certification is a “massive commercial differentiator that builds immediate supply chain trust, frequently lowers cyber insurance premiums, and acts as a hard prerequisite for winning government and public sector contracts,” says Agha. 

And once firms realise the benefits, the biggest barrier is often just getting started. The good news is there are publicly available knowledge hubs and resources that walk businesses through Cyber Essentials step by step, says Paine. “So organisations don’t have to figure it all out on their own.” 

A good place to begin is with a simple self-assessment, recommends Paine. “It helps businesses understand where they currently stand and identify any gaps in areas like access control, updates, or device security. In many cases, organisations will discover they already have some of the protections in place.” 

It’s also worth knowing that reviewing the guidance and assessment questions is free, so businesses can explore the requirements before committing to certification, says Splunk’s Paine. The certification process itself is relatively quick once the controls are in place, she adds. 

Technical controls also help boost security in line with the standards. With the update to Cyber Essentials on its way, firms should “turn on MFA everywhere immediately,” Agha advises. “VPN, cloud and mail identities, any authentication systems that touch the internet should have as many additional logon protections as possible.” 

In addition, security awareness training “is the best investment you can make for your security posture,” he says. 

Overall, focus on the controllables. Do not let your strategy be driven by fear, uncertainty and doubt when approaching advanced persistent threats, says Qualys’ Glennon. “Focus on operational hygiene and mitigating the most probable, immediate risks before they can be exploited.” 

Kate O'Flaherty
Kate O'Flaherty Cybersecurity and privacy journalist
