Is the UK’s cyber essentials scheme working?

Launched in 2014, the UK’s “cyber essentials” scheme is designed to equip organisations with a grounding in basic security practices like patching and access management.

The programme is a flagship part of the UK’s cyber strategy, but so far it has been difficult to determine what kind of impact it’s had on the ways organisations operate.

However, a new survey, published on GOV.UK without much fanfare today (12 March), provides some sense of the progress made by the programme, and the wider national strategy, to date. So what does it show?

1. The basic cyber security gap is narrowing, slowly

When the first version of this survey was carried out in 2018, 54 per cent of businesses (710,000) reported a basic cyber security gap, meaning they lacked “the confidence to carry out the kinds of basic tasks laid out” in the cyber essentials scheme and hadn’t procured external support. Today, that figure has fallen to 48 per cent, equivalent to 653,000 businesses, suggesting the scheme is working, albeit slowly.

2. The advanced skills gap is proving harder to close

The two surveys also measured organisations’ confidence in dealing with more complex security matters, such as pen testing and forensic analysis. On this front, progress has been significantly more limited. The percentage of organisations struggling with advanced skills has fallen by just one point, from 31 to 30 per cent. Perhaps it’s no surprise, however, that it’s been easier to make significant progress when it comes to basic cyber hygiene, especially when there’s a specific programme in place to assist organisations.

3. Organisations are better prepared to respond to incidents

Reassuringly, given the scale of the security challenge facing the country, organisations are making progress when it comes to incident response. The number of organisations saying they do not feel confident in their ability to deal with a breach or an attack has dropped from 35 to 27 per cent. Improved resilience is welcome news, but how many of those organisations feel better prepared to respond to an incident because they’ve experienced one?

The industry take

RSA Security’s Ben Tuckwell described the report as “concerning, but not particularly surprising”, adding: “It’s hard to find the right people to fill cyber security job roles, there’s no two ways about it. One big piece of recruitment advice for businesses would be to look after your own, as word of mouth and recommendations go a long way.

“Recruiting cyber skills is only half the battle; the other half is retaining staff and making sure new recruits are actually effective in their roles. For the former, businesses should look for technologies that can help keep existing security teams interested and engaged, as well as operating more proactively, rather than, for example, constantly responding to security alerts.”