Lookout has released the results of a survey conducted at Infosecurity Europe, which evaluated the opinions of 246 security professionals towards the NCSC Cyber Essentials framework.
The research found only 28% of organisations had fully implemented Cyber Essentials, with over a third (40%) of security professionals claiming they were unfamiliar with the scheme.
Of those that had not implemented the scheme, over half (58%) cited a lack of awareness or understanding as the reason why their organisation had not done so.
The NCSC Cyber Essentials scheme is a UK government-backed programme that aims to help UK organisations improve their cyber resiliency against the most common cyberattacks.
There are two levels of certification provided by Cyber Essentials, a basic level and ‘plus’, which organisations can achieve when showing commitment to cyber security.
Achieving the basic Cyber Essentials certificate indicates the organisation knows how to prevent the vast majority of common cyberattacks. Cyber Essentials Plus adds hands-on technical verification and vulnerability scanning, conducted on the systems used by the organisation.
Of those who answered that they were Cyber Essentials certified, 58% stated they had the standard level while 42% had completed Cyber Essentials Plus. The top three benefits experienced from being certified were: an improvement in cybersecurity measures (60%), an increase in customer trust and confidence (54%), and compliance with regulatory requirements (48%).
“The findings from the study are concerning and showcase the work needed to be done to not only build awareness around the NCSC Cyber Essentials framework, but also to get more organisations accredited,” said Bastien Bobe, Field CTO EMEA at Lookout. “In the modern, remote-working world, with mobile and cloud-based threats on the rise, it is imperative to deploy cloud-native defences that can deliver zero-trust security to safeguard corporate data from any location, device, application or network.
“The objective for many businesses is to reduce their overall risk. However, to achieve this, they must have a proactive security strategy that enhances their own cybersecurity practices as well as ensures compliance with industry standards and accreditations – specifically frameworks like UK Cyber Essentials.”
When gauging the opinions on the number of cybersecurity certifications, laws and regulations, 24% of security experts believed there are too many to keep track of.
Yet, over three quarters (79%) stated all organisations should be required to prove they meet a basic standard of security, like Cyber Essentials, to mitigate the risk from common cyber threats, with the majority (89%) stating it’s important.
Indeed, nearly half of security professionals (47%) check if their third-party suppliers are UK Cyber Essentials certified. Alarmingly, 41% would still choose to partner with a supplier if they were not accredited, stating it’s not a deal breaker.
Nevertheless, threat actors will continue to target those that are not taking security seriously, and the negative impact this is having on the wider supply chain is a cause for concern.
So much so that the NCSC issued a warning because of the rising number of cyberattacks from vulnerabilities exploited within the supply chain. For instance, for organisations wanting to bid for UK government contracts – which may involve handling sensitive information or providing IT services or products – being Cyber Essentials certified is mandatory.