Cybersecurity Certifications – A powerful first step in protecting your business (and earning client trust)

The majority of businesses are facing increasing pressure to demonstrate robust cybersecurity practices, whether this is from regulators, auditors, or the less obvious and less vocal group, clients.

One of the most effective ways to do this is by securing a recognised cybersecurity certification. There are several available, depending on the country in which you are based, but we strongly recommend Cyber Essentials, which is a UK government-backed certification developed by the National Cyber Security Centre (NCSC), as a starting point for businesses that are looking to get serious about protecting client data and building trust.

We have some reservations regarding the breadth of the cyber certifications, and the Cyber Essentials certification framework is no different, e.g., it doesn’t require encryption of data and devices, which is something I’ve discussed in previous articles and social posts, but it still offers substantial value and, importantly, structure to help businesses establish a solid cybersecurity foundation.


Think of your Business like a House

Implementing appropriate cybersecurity controls is akin to installing deadbolts, alarms, and security cameras on your property, alongside setting some basic rules for your family to follow, e.g., don’t open the door to strangers.

Cyber Essentials is like an inspector coming around to your property and shaking the fence, trying the front door handle, and seeing if there is a window ajar that could let in burglars. If all the checks are passed, then they provide you with a sign that you can put in your front garden to advertise that your property is secure.

In the context of your business, this covers firewalls, security configurations, user access controls, malware protection, and patch management, which together manage the digital security of your business and, if configured correctly, reduce your risk of data breaches and unauthorised access.

Businesses certified under Cyber Essentials are statistically 80% less likely to suffer from common cyberattacks. But the value goes beyond technical protection – it’s also a trust signal.


Cybersecurity Certifications by the Numbers

As cybersecurity incidents have become more and more common, I am finding the general awareness amongst businesses is increasing, but just to add some colour, I thought the below stats were quite interesting when I looked into the research around the Cyber Essentials scheme in particular –

  • 79% of businesses agree that having Cyber Essentials has had a positive impact on the confidence of clients.
  • Businesses with Cyber Essentials controls are 92% less likely to make a cyber-related insurance claim.
  • 69% of businesses with Cyber Essentials believe they are more competitive (I thought this one was particularly interesting and displays how it’s also a mindset component within leadership teams).
  • 94% of businesses surveyed said that having Cyber Essentials reduces the burden of cyber security.
  • Businesses with Cyber Essentials saved 22% of their allotted time on due diligence per year.
  • 73% of businesses agree that it is better to work with a vendor that holds Cyber Essentials than those that don’t.

These stats seem consistent across the different jurisdictions that have a formal cybersecurity certification scheme.

7.7 million cybercrimes were experienced by businesses over the past year in the UK, which approximately accounts for half of all businesses.


Client Confidence is Often Silent

Research indicates that 58% of consumers notice reports in the media about companies losing customer data, which is a high degree of awareness. Additionally, 78% of consumers agree that life is riskier today than it was five years ago, which mirrors feedback we get from our clients that talks about regulators and auditors taking more time to review cyber controls. What was particularly interesting from the papers that I’ve read is that nearly half of consumers think that governments should hold these companies accountable for their failures, which could be through regulation or fines.

I think it’s fair to say that clients care about the cybersecurity posture of your company, and this works both ways, i.e., they are talking with their wallets about working with companies that can demonstrate strong controls and are moving away from companies that don’t or experience a breach.

A common question I receive is how to ‘demonstrate’ such controls, and that’s where cyber certifications can give you an edge. In the case of Cyber Essentials, they provide branded assets that can be shown in email signatures and on your website to clearly signpost your adherence to at least a basic level of cybersecurity.

It may be a bold statement, but I would argue that it could be considered a marketing cost to get a cybersecurity certification if you are working in a B2C and high trust industry, e.g., financial services.

If you want to attract and retain clients in a modern digital world, cybersecurity is now a mandatory, rather than optional, consideration.


What does a Cybersecurity Certification Cover

Certifications set a baseline for security practices. Cyber Essentials doesn’t just recommend good habits (it mandates them). By requiring organisations to document and implement specific controls, it forces a level of discipline that many businesses lack.

A few of the key aspects of the Cyber Essentials scheme, and why they’re important, are as follows –

  • Firewalls and internet gateways: help prevent unauthorised access to your networks and protect team members and company data.
  • Secure configuration: reduces exposure to common vulnerabilities and risk of exploitation.
  • Access controls: revise access to data and systems based on user roles, something that isn’t often done for small and medium sized businesses on a routine basis.

All in all, the scheme provides a practical, effective, and scalable framework to follow, making it ideal for small to medium businesses that generally do not have a dedicated cybersecurity team.

Cyber criminals can find your business anywhere. No matter your business’ size or location, cyber attacks are no longer a question of ‘if’ but ‘when’.


Cybersecurity is on a Scale

As mentioned earlier, while Cyber Essentials covers key critical areas, encryption remains a notable omission. Encryption ensures that intercepted or improperly accessed data remains illegible and unusable for attackers to exploit. For financial services firms handling sensitive customer information, this is not just a technical benefit, it’s a business imperative.

The important thing to note is that cybersecurity, like a lot of risk mitigation practices, is on a scale, and not black and white. If I were to implement the most secure policies in your organisation over the coming weekend, I’d be surprised if any of your users were able to log into their computers, let alone their inboxes, on Monday morning.

Certifications only ensure a minimum standard, but as per the stats above, a minimum standard puts you well ahead of most businesses, and helps to ensure your business remains productive.


Going beyond the basics

I encourage that your technology systems be designed from the ground up to cater for cybersecurity and to consider Cyber Essentials as a necessary brick in the building block of your infrastructure. Here are a few actionable steps to inspire your cybersecurity journey:

  • Encrypt storage on end-user devices (phones, laptops, workstations).
  • Ban flash drives that are not encrypted, and make use of corporate sharing tools (SharePoint, etc).
  • Ensure your email server enforces encryption for all messages.
  • Use secure messaging platforms for receiving sensitive client information such as passports and financial records.
  • Confirm that data-at-rest in your CRM, marketing, and financial tools is encrypted.
  • Mandate encryption for all backups, especially those stored offsite.

Real world impact

We have personally experienced and have worked with a financial services client that faced the harsh reality about the necessity of backup encryption. The firm experienced a ransomware attack that not only compromised their primary systems but also infected their backups. Since the backups weren’t encrypted, the attackers accessed and corrupted that data as well. Without clean backups to restore, the business endured significant downtime, financial losses, and a loss of client trust.


Final thoughts

Protecting your business should never be about meeting just the bare minimum standards. Reach out to me to discuss how encryption can enhance your cybersecurity strategy and keep your data safe from emerging threats. Together, we can build a resilient foundation that safeguards your future.


Source(s):

NCSC Scheme Impact Evaluation

Cybersecurity in 2025: What Consumers Really Think – Davies Hickman