Is the Cyber Essentials Scheme Worth It For Your Organisation?

Written by Sam Jones
Oct 4, 2019 - 8 minute read

Too expensive? Value for money? Is the Cyber Essentials scheme right for your business? Grab your tea and a biscuit and let's dive into this...

New call-to-action

Last Updated January 2022

The simple answer? Yes.

But I'm sure you're thinking, it can't be that let's dive a little deeper!

Can you explain what the Cyber Essentials scheme actually is?

In simple terms, the Cyber Essentials scheme is there to help you protect your data against the most common cyber threats while also demonstrating to your clients that you care about their data and your cyber security measures.

Cyber Essentials makes it easy to understand which areas of your Cyber Security require attention by setting the cyber security standards your organisation will be assessed against.

As you work towards Cyber Essentials you'll find out where you need to improve your security and ensure you have the 'essentials' to being a cyber secure company.

There are the five technical controls associated with the Cyber Essentials scheme. Now, this is usually where people panic - what are technical controls?

To help you out, we've created an easy to understand infographic explaining the five controls below:


We're all the same really...

As I'm sure you're aware, every organisation has differences. From the size of the organisation to the leadership and culture within it, every single company is unique.

However, there is one thing that all companies, including your company, have in common - they all hold data.

This data, your data, is what is under threat.

I hope you've eaten your biscuits because the next statistic might make you feel a little queasy...

According to the 2021 Cyber Security Breaches Survey, 39% of UK organisations reported cyber security breaches or attacks over the 12 month period - and that's just the ones successfully identified or reported.



Scary right?

That's a LOT of organisations experiencing problems and that could include your organisation.

So you must be wondering, what exactly are these hackers and cybercriminals looking to do with your systems?

  • Hackers will be looking to infect your systems with Malware. Malware is software that is specifically designed to disrupt, damage, and gain unauthorised access to your computer systems.

  • Cybercriminals are incredibly clever and through the use of social engineering, they will find a way to the data that you care about most. This focuses on the use of deception to manipulate your employees into divulging confidential and personal information that will be used for fraudulent purposes.
  • All systems can have weaknesses and vulnerabilities. The weaknesses in your systems can be exploited by an attacker and your data will be breached.
  • With DDoS ( Distributed Denial of Service) attacks, hackers use multiple systems to flood and target the bandwidth and resources of your systems. In 2018, a popular developer platform known as Github suffered one of the worst DDoS attacks in history as they were hit with traffic that clocked in at a record-breaking 1.35 terabits per second. The threat is seriously real, hackers and cybercriminals do not care about the lives we live, just the data we hold.

We're all in this together and we all have a duty to keep data protected from those who want to harm and manipulate our organisations. This is where Cyber Essentials can help us.

What does Cyber Essentials bring to the table? 

With Cyber Essentials, the chance of a data breach in your organisation is reduced significantly, in fact, the cyber threat is reduced by approximately 80%. (Eight. Zero. You did just read that correctly!).

You might even have people in your ear begging you to invest in expensive cyber security tools when in reality, you only need to align yourself with the only UK standard, which is cyber essentials. Once you have Cyber Essentials, you can look to reduce the remaining 20% with those other tools.

When you are certified by an IASME Certification Body such as Cyber Tec Security, you can also complete the IASME Governance SAQ which includes the requirements for GDPR and this can mean potentially avoiding the 4% charge of your global turnover if you have a security breach.

There are a number of ways in which Cyber Essentials can benefit your organisation and you can view our 10 benefits of the Cyber Essentials scheme. 


Cyber Essentials vs Cyber Essentials Plus

We've found the culprits. These two levels of certification are the reason there is so much confusion in the industry around this question.

Knowing the difference between the two certifications in the Cyber Essentials scheme is what will allow you to truly understand why this confusion has been caused in the first place.

So what is the difference?

Cyber Essentials, sometimes referred to as Cyber Essentials Basic is a 'DIY' package. This means you can complete Cyber Essentials on your own and you will receive the certification for Cyber Essentials basic.

Cyber Essentials Plus has the same requirements as Cyber Essentials, except the system tests are carried out by an external certifying body, using tools and techniques which an in-house team may not have access to. You need Cyber Essentials basic to be eligible for the Cyber Essentials Plus scheme.

Put simply, Cyber Essentials shows your clients that you care about your cyber security whereas Cyber Essentials Plus shows your clients you are doing everything in your power to protect their data.

To know the difference between the two packages in more depth and detail, feel free to check out 'The difference between Cyber Essentials and Cyber Essentials Plus'. 

ce and ce  logo

So should I get Cyber Essentials Basic or Cyber Essentials Plus?

The truth is, ALL organisations need Cyber Essentials Basic to protect themselves from today's cyber threat, and the cost of Cyber Essentials Basic (starting at £299.99) means any organisation can reduce their cyber threat by 80% at an affordable price.

If you're a small organisation with perhaps not a lot of money or resources, Cyber Essentials Basic is a fantastic place to start. However, because it is a DIY method, there's no real verification that you're meeting the standard - we just have to assume your answers in the questionnaire are accurate!

That's why Cyber Essentials Plus is the favoured option. Getting that verification from a qualified external body gives you the confidence that you really are in line with this Government standard, as well as demonstrating this to clients, stakeholders, suppliers and so on. 

Imagine this scenario...

You are the managing director of a law firm with a global turnover of £10,000,000.

A hacker breaches your systems and gains access to unauthorised funds as well as the personal data of every client you have.

All data associated with your organisation is exposed and GDPR regulations have been breached.

Now, the ramifications of this are disastrous.

Without Cyber Essentials Plus, the information commissioners office can conclude you did not do everything in your power to stop this breach and you will be charged 4% of your global turnover (400,000).

Oh and believe me, this is nothing in comparison to the damage done to your reputation, especially when you have to notify your clients of the breach within 72 hours.

Would you expect any of this law firm's clients to remain with them after this breach? 




So as you can imagine, this law firm would view Cyber Essentials as an investment rather than a cost as it would save their organisation from serious harm if they were to ever experience a breach. 

According to the UK's head of the National Cyber Security Centre, Lindy Cameron, we should be getting complacent about cyber security.  


"Cyber security is still not taken as seriously as it should be, and simply is not embedded in UK boardrooms."


Earlier in this article, I mentioned how many UK businesses experienced a breach or an attack in the last 12 months, but it's worth noting that this number is decreasing because of schemes such as Cyber Essentials - for example, British organisations saw an 11% decrease in cyber security breaches or attacks according to the 2019 Cyber Security Breaches Survey.

The proof is in the pudding, once you take your cyber security seriously, a lot of your issues today are not an issue tomorrow.

If you would like to learn more about Cyber Essentials, we have created the Ultimate Guide to Cyber Essentials to help you on your journey to understanding Cyber Essentials and how it can help your organisation.


Topics: Cyber Essentials, Cyber Essentials Plus, Business Security, Cyber Attack


More by Sam Jones

Related articles
The Importance of Penetration Testing for SMEs: Safeguarding Your Digital Assets

Learn why penetration testing is crucial for SMEs to safeguard their digital assets, identify vulnerabilities, comply with regulations, enhance security, protect customer data, and make cost-effective security investments.

The Ever Evolving Role of the MSP!

Discover how Managed Service Providers (MSPs) can strengthen cybersecurity with a proactive approach and Cyber Essentials Certification. Learn about the evolving role of MSPs in safeguarding businesses against cyber threats.

Is ISO an alternative standard to Cyber Essentials?

Comparing ISO and Cyber Essentials for cybersecurity standards, this blog delves into their differences and importance in safeguarding against cyber threats.