1 in 5 businesses unaware of the benefits of Cyber Essentials accreditation

28/11/23 Wavenet
Cyber Essentials accreditation

A worrying number of UK businesses still are not aware of the benefits of the Government-backed Cyber Essentials scheme. This is problematic as according to the 2022 Cyber Security Breaches Survey, 39% of UK businesses identified a cyber security breach or attack with the average cost of a data breach being between £4,200 and £19,400. This is particularly concerning since 56% of businesses hold personal data on customers in the cloud. However, there are methods that can be implemented to reduce the risk of data breaches. One such way is through being Cyber Essentials accredited. 

Cyber Essentials is a government-backed, industry-supported scheme which launched in June 2014. It aims to help all organisations protect themselves against cyber-attacks. When an organisation is fully compliant, they will receive a certificate to show stakeholders and customers that they have the necessary safety measures in place to reduce the risk of a cyber-attack. Cyber Essentials is a quality standard in many industries, and a necessity for businesses looking to win certain Government contracts. 

In a bid to understand how many businesses employ methods to reduce cyber security risks, Wavenet CyberGuard, surveyed 251 IT managers in UK companies, ranging from small businesses (20-49 employees) to large companies (750 employees or greater). The survey focussed on whether the business had achieved the Cyber Essentials certification. 

The results revealed that 19% of IT managers were unaware of the benefits of having a Cyber Essentials certification, with 1 in 10 (10%) unsure of whether their business even had the certificate. 

Of the businesses without Cyber Essentials accreditation, two thirds (67%) said that a lack of understanding had been the primary barrier to them applying, with 42% citing a lack of funds. Almost a third (29%) suggested that they did not consider it important.  

In terms of small businesses with between 20 and 49 employees, 33% claimed that they either were not Cyber Essentials certified or were not sure. This compares to just 6% of larger, enterprise organisations (i.e., those with over 750 employees).  

This finding is particularly worrying for both consumer and employee privacy; according to the Cyber Security Breaches Survey 2022, 39% of SMEs had experienced at least one cyber-attack in the past year. SMEs are at a higher risk of data breaches when compared to large organisations but are less likely to have Cyber Essentials certification in place. 

However, while there continues to be a lack of awareness around cyber security, there are some positives. Most of the businesses surveyed (81%) stated that they were Cyber Essentials certified, with 69% reporting that they understood the benefits of being so. 

There is a clear case for being certified. Of those accredited, 84% claimed that it has helped their business to win contracts, with other respondents highlighting the importance of the certificate in reassuring their customers. 

Paul Colwell, Chief Technology Officer at Wavenet CyberGuard states:

“Here at Wavenet CyberGuard, we encourage companies to become Cyber Essentials certified since it can help protect against most common cyber-attacks. In 2023, it should be paramount that businesses who rely on technology protect customer and employee information - as well as their own. Becoming Cyber Essentials certified is a great start to implementing strong and secure cyber security practices.”

Cyber Security

Latest blogs

See all posts
Placeholder thumbnail
Boardroom vs breach: 20 questions every IT leader should be asking about cyber security

Cyber threats are evolving faster than most organisations can keep up. Between new attack techniques, expanding digital estates, and the cyber skills shortage, even well-equipped IT teams are struggling to stay ahead. It’s no longer enough to tick compliance boxes or to simply deploy the latest tools. Real security starts with asking the right questions and acting on the answers. That’s why we’ve created Boardroom vs Breach, a 20-question self-assessment designed to help IT leaders and those responsible for cyber-security take a clear-eyed look at your current security posture, highlight blind spots, and spark critical conversations at board level. Why this matters The cost of a cyber breach isn’t just downtime – it’s trust, reputation, compliance fines, and lost revenue. Yet many companies don’t know if their defences are actually up to the task – do you? These 20 questions aren’t about theory; they reflect real-world weak points that we see every day. If you can’t answer them confidently, we can help. The 20 questions you need to answer Visibility & monitoring Do you have complete visibility of your IT assets? What visibility do you have into incidents and events across your infrastructure? How do you manage your security tooling? How many different tools are you running — and are they working together? Are your systems and endpoints patched regularly? Our advice: Gaining complete visibility starts with consolidating event data, automating alerts, and ensuring continuous oversight across your entire estate. Take a look at: Security Information and Event Management Vulnerability Management Managed Detection and Response Threat detection & response What happens if an incident occurs after hours? How do you find out? Who responds? When was your last penetration test? How regularly do you conduct them? What protections are in place for endpoints, email, and networks? What level of visibility do you have into potential breaches? Do you work with a partner that offers 24/7/365 response and real-world support? Our advice: Improve threat visibility and reduce response times by combining real-time monitoring with expert-led incident analysis and containment. Take a look at: 24/7/365 Managed Detection and Response Incident Response Retainers Penetration Testing and Red Teaming Cloud & modern IT risk Do you use public cloud services? Are you confident in how they’re secured? How do you manage and secure user devices remotely? What vendors are you currently relying on — and are they right for your risk profile? How do you secure your network beyond the firewall? Our advice: Extend visibility beyond the traditional perimeter by applying cloud-native monitoring, endpoint telemetry, and policy-based access control. Take a look at: Cloud Security Assessments Secure Access Service Edge (SASE) Endpoint Detection and Response (EDR) People, process & planning How are your users trained to detect attacks such as phishing? Do you have access to expert help in a crisis? What cyber expertise exists in-house — is there a dedicated security leader? How do you create a positive security culture, not just rules? What threats are most relevant to your industry? Are you meeting required regulations and compliance standards? Our advice: Build better situational awareness by aligning people and processes with continuous monitoring and clearly defined escalation paths. Take a look at: Security Awareness Training Virtual CISO Services Compliance and Risk Consulting And a bonus question, with potentially the most worrying answer of all… What would a breach cost your business — financially and operationally? Putting it all together While individual solutions can address specific security challenges, working with a trusted managed services and security partner ensures cohesive, round-the-clock support across every aspect of your cyber security posture — delivering greater efficiency, resilience, and long-term value. We work with IT and security leaders across all sectors to assess risk, build resilient cyber strategies, and deliver comprehensive protection that scales with your business. From real-world penetration testing to 24/7/365 threat detection, cloud security, and expert consultancy, we’re your trusted partner in securing the ‘now’ — and preparing for what’s next.

Read more

Stay service-savvy

Get all the latest news and insights straight to your inbox.