Press release: Cyber Confidence at MSPs high, despite falling victim to data breaches


CyberSmart research reveals high levels of cyber confidence in MSPs, despite 87% experiencing a breach in the past 12 months.

London, UK – July 10th 2024 – New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that nearly all MSPs report high rates of cyber confidence across their organisations, despite the vast majority having experienced at least one data breach in the past 12 months.

The research, conducted by OnePoll in Spring 2024, polled 250 senior leaders at UK-based Managed Service Providers. It found that an overwhelming majority of MSPs – 87% – had experienced at least one data breach in the past 12 months, with 16% indicating they had experienced more than 5 incidents in the same timeframe.

This track record on cybersecurity stands in contrast to the associated cyber confidence that the surveyed MSPs reported. Almost all – 97% – of the MSPs surveyed suggested that their organisation had either a ‘fair’ amount of cyber confidence or a ‘great deal’ of cyber confidence.

Another interesting aspect of the results is that this confidence appears to be projected onto MSP customers too, with respondents reporting that they believed 85% of their customers had either a fair or a great deal of cyber confidence.

What are the top threats to MSPs?

Both the customers and providers identified ransomware and malware infection as the top concern, at 55% and 57% respectively. For MSPs, inflation and spiralling costs came in second (43%) and for customers, exploitation of unpatched or undisclosed vulnerabilities was the second most concerning threat (44%).

“The associated confidence noted by MSPs is heartening but needs to reflect the reality on the ground for MSPs, and their own perception of their security posture is concerning and highlights the need for the cybersecurity to step up and work closer with Managed Service Providers,” said Jamie Akhtar, Co-Founder and CEO at CyberSmart.

“MSPs, due to the levels of privileged access they will have into multiple companies, make for an appealing target for cybercriminals. This, coupled with the fact they are responsible for the IT infrastructure of companies without IT or security resources, means it is paramount that security providers work closer with them to protect the £ 5.5 million SMEs who in many cases turn to MSPs to keep them safe. Failure to do this could be existential for many of their customers.”

MSPs suggested that a focus on cybersecurity training, IT policies and fostering a more security-conscious culture would help them to achieve complete cyber confidence.

You can download your copy of the report here.

Why you could be eligible for free Cyber Essentials certification


Do you run a small charity or legal aid firm? If so, you could be eligible for funded Cyber Essentials certification to help you put basic cybersecurity measures in place. Here’s everything you need to know.

What is the funded Cyber Essentials scheme? 

Small charities and legal aid firms protect and serve some of the most vulnerable in our society. However, unfortunately, they’re also a key target for cybercriminals. The NCSC’s Cyber Breaches Survey 2022 revealed that 30% of UK charities identified a breach in the last 12 months.

The reason for this is simple. Charities and legal aid firms process large volumes of highly sensitive data but often have relatively weak defences – making them an ideal target for cybercriminals.

To counter this, the National Cyber Security Centre and IASME have launched the new Funded Cyber Essentials Programme. This offers small organisations in high-risk sectors free, practical support to help put basic cybersecurity controls in place and achieve Cyber Essentials certification. 

How does the scheme work? 

Qualifying organisations will receive up to 20 hours of remote support with a Cyber Essentials Assessor – all at no cost. Our assessors will spend this time helping you identify and implement the improvements needed to meet the 5 technical controls of Cyber Essentials. We’ll follow this up with an assessment to ensure everything is in place. 

With our guidance, you’ll be ready to take the Cyber Essentials and Cyber Essentials Plus certifications. If it’s not possible for you to complete Cyber Essentials Plus after 20 hours of support, we’ll give you clear directions on how to become assessment ready. 

Is the certification free? 

Yes. IASME has agreed to fund both Cyber Essentials and Cyber Essentials Plus certification for successful applicants to the scheme.

Who is eligible for the scheme? 

To qualify for this scheme, your organisation must be:

  • A micro or small business (1 to 49 employees) that offers legal aid services
  • A micro or small charity (1 to 49 employees) that processes personal data

No previous cybersecurity experience or certification is required. Even if you’re completely new to cybersecurity, we’ll guide you through the process.

How long is the scheme running for? 

The scheme runs until the end of March 2023. However, it’s worth noting that IASME is offering a limited number of funded packages. So it’s worth getting your application in as soon as possible. 

What is Cyber Essentials?

The Cyber Essentials scheme is a UK-government-backed cybersecurity certification that outlines the security procedures a company should have in place to secure its data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.

Cyber Essentials Plus includes all of the same technical controls but with one major difference. Whereas Cyber Essentials is a self-assessed certification, Cyber Essentials Plus includes a technical audit of your systems. This next step gives you complete peace of mind that your cybersecurity is up to scratch. And your clients and partners don’t have to take your word for it that you’re cyber secure – they can rely on the expertise of a professional.

Can I apply to the scheme through CyberSmart? 

Yes. As the UK’s leading provider of cybersecurity certifications, we’re proud to be taking part in this scheme. 

To apply for the scheme, head to IASME’s Funded Cyber Essentials page and fill in the form at the bottom of the page. If you’re successful in your application, IASME will pass you over to us (or another certification body) to complete the certification process.

Alternatively, if you’re one of our partners or MSPs and want to refer a customer for the scheme, get in touch. We can apply on your client’s behalf and ensure the support and certification is carried out by CyberSmart.

Want to know more about cybersecurity certifications? Check out our in-depth guide to cybersecurity certifications in the UK.

Why managed service providers (MSPs) are a target for cybercriminals

According to security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – Managed Service Providers (MSPs) are increasingly at risk of cyberattacks. But why? What makes MSPs such an enticing target for the bad guys? And, more importantly, what can MSPs do to protect themselves and their customers? 

Why are MSPs being targeted? 

Upon first hearing, it might sound odd that cybercriminals are targeting, and often successfully attacking, MSPs. We think of MSPs as IT and cybersecurity experts with good defences, so surely there are more tempting targets?

Unfortunately, this is only partially accurate. Although it’s true that many MSPs do have pretty robust cyber defences, there’s another reason they get cybercriminals champing at the bit.

MSPs are so attractive to hackers because they can typically remotely access clients’ networks and IT environments. And, that’s before we mention how much data the average MSP has access to – everything from financial information to breakdowns of customers’ security. 

In short, MSPs are being targeted for the same reason as supply chains. Successfully breaching an MSP means cybercriminals gain access to much more than the initial target. It could lead to ‘follow-on’ activity across the MSP’s whole customer base.

In other words, it’s a huge win for the bad guys. And cybercriminals are very obviously aware of that fact. According to new research by N-able, 90% of MSPs suffered a successful attack in the last 18 months. The study also found that the number of attacks prevented by MSPs almost doubled during the same period.

What are the consequences of a breach?

The impact of a successful attack on an MSP can be severe. The best way to think about it is to split the consequences into two categories – direct and indirect. Let’s deal with direct first.

Perhaps the most obvious impact of a breach is the disruption it could cause an MSP. Your business could be hit with a lengthy clean-up operation, systems downtime, and a big dent in staff morale. What’s more, depending on the kind of attack, there may be a financial aspect to the disruption.

A ransomware attack could lead to your business having to make a hefty payout. Meanwhile, a serious malware attack, with a long period of systems outage, could lead to you haemorrhaging revenue.

Likewise, the reputational damage to any MSP successfully breached could be grave. Most MSPs pride themselves on their strong security and market themselves thus to customers. So the news of an attack could seriously weaken customer trust, leading to a PR nightmare and potential loss of revenue.

We’ve dealt with the direct consequences, so let’s move on to the indirect ones. As we mentioned earlier, the major reason why cybercriminals are targeting MSPs is their customer base. And it’s your customers who could be the most affected by an attack.

A real-world example of this is the REvil ransomware attack on Kaseya, the MSP software provider. The breach spread to dozens of MSPs and over 1,500 of their customers, illustrating just how fast an attack could get out of control.

What can MSPs do to protect themselves and their customers? 

We’ve painted a pretty terrifying portrait so far. However, just because the consequences can be dire, it doesn’t mean there aren’t things you can do to protect your business and customers. Here are a few of the most important.

Set up multi-factor authentication (MFA)

MFA is an authentication method that requires you to provide two or more verification methods to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

MFA is also a sure-fire way to protect your business against cyberattacks. Passwords alone are vulnerable to data leaks and brute-force attacks. MFA, on the other hand, is very tricky for even the most sophisticated hackers to crack. 

Back up your systems and data

Backing up your systems and data can provide you with a vital failsafe after an attack. In some cases, it can even help you avoid having to pay a ransom. And, when it comes to what to back up, use this simple rule of thumb: ‘anything you don’t want to lose, back up’.

For more on how to do it, read this.

Segregate networks 

Both you and your customers should segment networks and systems as much as possible. What do we mean by segment? Well, one example is to never use admin credentials across multiple customers or systems.

Another is to ensure that no one has access or privileges beyond what they need to do their job. That might sound harsh but, in the event of an attack, it’ll allow you to isolate affected systems, customers, or accounts.

Train staff

At CyberSmart, we’re constantly pushing the importance of training. After all, if your staff don’t know which security behaviours are harmful or don’t know the warning signs of an attack, they’ll struggle to protect themselves or your business.

Training can fix this. And it’s probably the single most important thing you can do as a business. Find out more here.

Develop incident response plans

A successful attack on your business isn’t inevitable. Nevertheless, statistically, it is likely. So you need a coherent, easy-to-action response plan, in case the worst does happen.

You’ll also need to encourage or help your customers to develop their own. Currently, just 4% of MSPs report that all their clients have an incident response plan. And, this means thousands of weak links across the IT sector. 

Regularly patch software

Patching or updating any software you use, so that it doesn’t have easily exploited weak points, is incredibly simple but very important. Over time, even the best software develops vulnerabilities, suffers a breach, or simply becomes outdated. Applying patches released by the software provider can fix this.

Think of it as being like fixing a puncture. You apply the patch so no air can leak out. Updating your software effectively does the same thing, giving you air-tight cybersecurity. 

The best part? It won’t take you anywhere near as long as fixing a puncture, just a couple of minutes each month. 

Map your supply chain risks

Last of all, understand your supply chain risks. Assuming you’ve locked down your own cybersecurity, identify who among your customers or suppliers could pose a risk. Alongside this, talk to your customers and partners about their cybersecurity. The best defence against threats is a unified approach and common strategy.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights on the risks small businesses face and what can be done to counter them. Get your copy here.


CyberSmart forges new channel partnerships to reach SMEs

We are delighted to announce two exciting new partnerships this week at CyberSmart. The first with Ingram Micro Cloud, part of one of the world’s leading channel distributors (IMUK), and the second with Synaxon UK, one of Europe’s largest channel buying groups.

Through these partnerships, we are extending our reach to allow us to help many more SMEs who are struggling to balance the demands of their business with the risks of cyber security.

“The team at CyberSmart is thrilled to be teaming up with new partners to do what we do best, and that is to defend the underdogs,” says Hugh Furness, CyberSmart’s Head of Channel Strategy.

“SMEs are often neglected in cybersecurity. With a lack of resources and expertise, they are an easy target for bad actors. With these partners’ help, we hope to extend our reach and foster a strong security culture across the channel.”

The streamlined CyberSmart service makes it easy for any business to achieve the UK government-backed security certifications, including Cyber Essentials, Cyber Essentials Plus, and IASME-GDPR. And the prevention of cyber attacks doesn’t stop at certification. Compliance software ensures every device, personal or professional, used by a business is always secure.

Timing is everything

Cyber security is more important than ever. As the UK begins to reopen and offices welcome staff back, many businesses have emerged from the crisis into a hybrid world. The mix of remote and office working adopted by many organisations brings with it new security risks.

A recent report from VMware reveals that 91% of organisations have seen an increase in cyber attacks as a result of employees working from home. Online protection has become more important than ever before, but many businesses, especially smaller ones, still find the idea of it daunting.

“Cybersecurity is a huge issue and the importance of achieving Cyber Essentials certification and demonstrating that you are ready to protect your organisation, employees, and data, has never been greater,” echoes Mike Barron, Managing Director of Synaxon UK. “Our partnership with CyberSmart has come at exactly the right time. With more companies now operating virtually and most employees working at home, that’s becoming crucial. We’ve received an immediate and extremely positive response from Synaxon UK members who are using CyberSmart to get certified themselves and encouraging their customers to follow their lead.”

“Adding to our Cyber Security portfolio, CyberSmart aligns perfectly with our desire to create a unique environment in which our partners get the best in-house solutions, services and support,” concurs Colin McGregor, General Manager – Cyber Security, Ingram Micro UK. “We’re excited to show our partners just how we can facilitate their cyber needs, with CyberSmart no doubt contributing to this success.”

The CyberSmart team believes that every organisation should be able to easily comply with recognised standards to protect their data and infrastructure. Synaxon and IMUK will help us deliver that ability to many more businesses.

About our new partners

Ingram Micro Cloud (IMC), a division of Ingram Micro UK Ltd, was established in 2014 to help its partners realise their share of the cloud market opportunity. Ingram Micro Cloud is a master cloud service provider (mCSP) that offers channel partners and enterprises access to the leading global Cloud commerce platform, expertise, solutions and enabling programmes that empower organisations to realise their potential in the digital economy. Ingram Micro Cloud is the leading Cloud aggregator in the UK and a software company that is the powering engine for the channel.

Synaxon UK was launched in the UK in 2008 and has since become firmly established as the market-leading channel services group. Synaxon is much more than a dealer buying group. It’s a thriving, dynamic and forward-thinking community that works to advance the development and growth of its members. Synaxon offers a wide range of services as well as personalised account management and business development support to help MSPs, resellers, retailers, and office products dealers thrive.

A note from our CEO, Jamie Akhtar, on Covid-19 and business continuity

As the Covid-19 virus outbreak continues to escalate across the planet, I would like to update you on how the situation is being addressed at CyberSmart.

First and foremost, our thoughts are with all who have been affected by coronavirus, especially the ones who have contracted the virus and to their families that support them. Our team wishes you a speedy recovery.

Our team, customers and partners

The safety of our employees, their families, our partners and our clients is our greatest priority. That is why we have transitioned the business to fully remote operations, effective as of Monday 16th March.

Remote working is a practice that has been tried, tested and encouraged since the beginning of our business – we are “remote by design”. With team members across the globe, the ability to work remotely has always been an integral part of our business continuity strategy, and we are grateful for that now. This experience allows us to continue delivering our services to the highest standard, and uninterrupted, even in unprecedented times like these. 

We will be releasing these very practices we follow, alongside tips from our team, on our new dedicated small business resilience page.

We hope this information helps our customers, partners and any other members of the business community to take on remote working safely and productively.

Business as usual

CyberSmart’s daily operations are carrying on unaffected and we foresee no impact on our operations. With information security at the core of what we do, our team is particularly well-prepared to maintain business as usual, and continue to serve our customers with the highest quality of service.

Because of our remote capabilities, we are now delivering all certification fully remotely. This includes Cyber Essentials Plus, which is normally conducted by an in-person auditor. However, our team of assessors is able to use the CyberSmart app to remotely test all devices that have it installed and help you achieve certification. Remote audits can be conducted regardless of whether your team is in the office or working at home. We support both company-provided and users’ own devices (BYOD), so all situations are catered for. As always, we commit to rapid turnarounds – we will get you certified in as little as 24 hours for Cyber Essentials and 7 days for Cyber Essentials Plus.

Be aware of your security

I’d like to urge our customers and the public to recognise the importance of cybersecurity to businesses right now, as we are seeing an increase in opportunistic people using these ambiguous times to make gains for themselves through phishing and cyber breaches.

We urge you to take a look at our content for all the tips to make your business safe and, should you have questions, please contact our team. We are here to use our in-house expertise to aid and advise, free of charge.

CyberSmart is here to help

These are unprecedented, challenging times and I believe we will only make it through by bringing the business community together and supporting each other. As we become more socially distant, it is more important than ever that we stay connected. 

Please feel free to reach out to me and our team if there’s anything you think we can support with.

Stay positive, stay healthy and remember – together we are stronger.

Jamie Akhtar


Small businesses at risk of multimillion pound fines for breaking GDPR rules

A new survey has revealed many small business owners are still clueless about GDPR. The results suggest small businesses could be in breach of GDPR without even realising it, as half of the participants appeared confused when answering questions surrounding data protection and privacy regulations.

A worrying four in ten didn’t know that losing paperwork could be a data breach, or that emailing or faxing personal details could potentially be breaching data regulations too.

Are you being extra careful when sending that email?

Scarily, 45% of businesses did not know that the ICO (Information Commissioner’s Office) needed to be informed when data was breached and individuals’ rights were affected. The survey also showed they were unaware of, and failing to ensure, that confidential paperwork such as signing-in and visitors’ books was kept in a protected environment.

It’s essential as a business owner that you stay well informed and aware of GDPR and data protection to ensure you continue to build trust with your employees and consumers. By staying up to date with the changing data laws, you will show that you are consistent in protecting personal and private information.

Breaking GDPR is easily done within a business – it’s as simple as storing files with personal data outside of a defined structure. Many SMEs are digitally renovating their businesses with more intricate technology, however, this essential move is increasing their exposure and vulnerability for cyber-attacks.

The fact that new threats are constantly evolving and developing – and 43% of cyber-attacks are aimed at SMEs – highlights the lack of knowledge surrounding GDPR. Small businesses now need to look at investing more time in digital security. This will not only prevent any future attacks but show that you are being proactive with your digital approach.

What can you do?

By maintaining your security and safeguarding your business, you are able to protect your organisation long term. Utilising Cyber Essentials, Cyber Essentials Plus and IASME GDPR Readiness certifications, which are compliant with the Data Protection Act (2012), you can ensure that you are prioritising your business and data while giving your employees and consumers that added assurance.

Safeguarding your data should be your priority. Considering crisis incidents such as extortion, cyber attacks, and industrial espionage are just a click away, it is critical that SMEs assess their ability to survive a cyberattack, and there are steps to take to prevent and manage this if the worst were to happen.

How confident are you that your business is fully compliant?


Proactive IT Security Compliance vs Reactive cybersecurity firefighting


When it comes to cybersecurity, MSSPs traditionally provide two standard services: proactive or reactive. Some businesses prefer the reactive approach and require a fix for security issues only when they arise. For other businesses, horizon scanning and taking a more proactive approach fits their risk appetite and lets them stay one step ahead.

As an MSSP, you have a responsibility to guide clients to the best approach for their business and one that matches their risk appetite. In this blog post, we look at the reasons why proactive compliance is better for businesses than reactive cybersecurity firefighting.

The Reactive vs. Proactive Approach

A reactive approach towards security embraces the philosophy of waiting until the security perimeter is breached and then acting to fix it. Under this approach, an MSSP is typically responsible for cleaning up the mess after the security incident; a model that might work for other services, but which, with cybersecurity, may have business-crippling impacts.

Once a security incident has occurred, the damage has already been done. The loss of data and extended downtime of any systems has already caused financial, reputational or other losses to the client. Add to that the cost in time and effort to ‘fix’ the problem, coupled with the loss of productivity or revenue, and the picture does not make happy reading.

A proactive approach, on the other hand, is about anticipatory prevention measures and rapid notification that drives responsiveness. In this approach, the MSSP is responsible for helping the client address potential security risks before they can become problems.

Cyber attacks do not sleep, and the proactive approach to cybersecurity defensive measures is the best approach to leave little to no room for attackers to exploit the system. The earlier a problem area or attack vector is identified, the easier it is to fix or to close the door to a potential breach. A proactive approach is a great way to ensure clients’ infrastructure is protected 24/7. It requires continuous engagement with clients and involves the design and deployment of preemptive strategies, tools and techniques with an awareness of threat intelligence to prevent security issues from becoming a concern.   

Drawbacks of Reactive Cybersecurity

The reactive approach may save cost for clients initially, but in the long run, it increases the risks of:  

  • Increased costs. Once a breach has occurred, the financial impacts can be severe. GDPR data-breach fines are not insignificant to any business and the reputational damage costs could be even higher. For SMEs, these costs could be the difference between staying in business or having to close. And that is bad for the client and bad for the MSSP.
  • Inappropriate damage control tools. The reactive firefighting approach is not about protecting businesses for the future. Instead, it is about running a damage control campaign to counter the effects of an ongoing security incident. There is no clear direction to take and often no clear security baseline to revert to rapidly to regain business control. When the breach occurs, the business may well blame the MSSP for not taking care of security more adequately.
  • No clear resolution method. Unlike compliance, you never know what to expect with a reactive call from a client. The best method to resolve the issue may well vary according to the type of incident, the extent of the damage, and the size of the business. This makes it difficult to position the pre-defined expertise or resources necessary to deliver reactive services. This uncertainty adds cost to the MSSP’s business model that can be difficult to pass on to clients.

Proactive Cybersecurity Compliance

A proactive compliance approach has a number of benefits for MSSPs:

  • Reduced costs and recurring revenue. A data breach or ransomware attack can lead to substantial losses for a business. The financial losses may include damaged infrastructure, lost data, fines imposed by regulatory bodies, reputational damage and the cost of lost productivity. The risk of realising these costs can be mitigated through a proactive compliance approach. For MSSPs, the benefit is in offering clients a subscription-based compliance model. Since compliance is an ongoing process, your business can focus on building a recurring revenue stream based on a predictable financial model.
  • A well-defined approach. Compliance can be achieved through well-defined processes such as the one used by CyberSmart. A proactive compliance service can be effectively planned and priced by MSSPs. As a preemptive approach, you know exactly what resources and personnel you will need to dedicate to each client.
  • Avoid disruptions and build credibility. The ultimate goal of compliance is to prevent risks to clients that could disrupt their business. Offering proactive services to clients delivers ongoing protection against cyberattacks and offers longer-term client relationships built on trust.


Cyberattacks are evolving, the targets change frequently and the risks and threats are not going to go away if we pretend they do not exist. Businesses should not sit back and wait to be breached; they should be encouraged to stay on the front foot and lower their risks.

MSSPs focusing on selling compliance that delivers a lowered risk of cyber attack have a great opportunity in the ever-expanding, digitally connected marketplace. Being proactive has great commercial benefits for them and their clients. It can build recurring revenue streams and a sustainable reputation for the MSSPs. For businesses, the benefits of a reduced risk profile are clear.

CyberSmart Active Protect provides everything your clients need to protect their businesses around the clock. If you would like to learn more about how we can help you sell proactive security, feel free to reach out to us.

How Cyber Essentials standards added 20% to an MSP’s bottom line

Compliance standards are highly effective when providing security services as an MSP. Here we share a specific case, where one of our partners has managed to positively impact their bottom line by providing Cyber Essentials certification using the CyberSmart platform.

Golum IT, a London-based MSSP and security consultancy, faced a big challenge: clearly demonstrating the value of their added services to their customers. Despite using the latest technologies and having well-trained salespeople and account managers, the company found it difficult to showcase how much impact their work added to the cybersecurity of their clients.

Introducing monthly reporting

As an initial step, the company began providing extensive reports to its customers on a monthly basis. These reports contained an extreme level of detail about threats faced and preventive measures deployed. To Golum IT’s surprise, even the deepest insights into the effectiveness of the measures deployed struggled to nudge the scepticism of their client base.

Ultimately it was identified that, besides skim reading over the executive summary, these reports remained largely unread; the problem wasn’t the level of reporting, but simply the complexity and sheer volume of information provided.

Introducing external benchmarks

In order to maintain a high level of transparency, whilst simplifying reporting, Golum IT decided to introduce external standards to measure the effectiveness of their work. Although basic on the surface, the Cyber Essentials standard, with its 5 control areas, provided “headings” for every measure in place. In other words, instead of reading through X amount of pages of reporting, customers now receive a 1 page report, outlining the alignment of the company’s security posture to Cyber Essentials and what can be done to improve. 


Initially there was concern that Cyber Essentials would be perceived as too basic to be used as a benchmark. In reality, however, the brevity and clarity of reporting mattered more than in-depth knowledge. Of course, in some instances customers have additional questions, but these are very specific and based on the reports produced.

By introducing these reports based on the CyberSmart platform, customers clearly saw and understood the value of its implementation, leading to more CyberSmart deployments and sign-ups.

The Future of Cyber Essentials

Cyber Essentials has become the fastest-growing information security standard in the world. So there’s no doubt the scheme has been successful. However, the future of Cyber Essentials is uncertain, and this is putting the cybersecurity of UK businesses at risk.

As a member of the first cohort of the GCHQ Cyber Accelerator and of the London Office for Rapid Cybersecurity Advancement (LORCA), working closely with the NCSC and DCMS, and as a presenter at CYBERUK, we have had the unparalleled opportunity to draw insights from key stakeholders. After discussions with stakeholders from business, industry and government, one thing is clear – there is substantial confusion in the sector. We are in a position to shed light on the challenges and bring clarity to a sector that is shaken and riddled with uncertainty.

It’s important that we consider the feedback of all stakeholders so that we can move forward in a concerted effort to ensure the future security of our nation. All stakeholders share the same vision, but with several conflicting perspectives there is a lack of agreement on how we get there. As it stands, the scheme and its success so far are at risk. This uncertainty has led to underinvestment from the sector and confusion amongst the very organisations that need to be assured.

If the foundation isn’t put in place for the scheme, much of the progress will be lost or, at worst, reversed. If the right decisions are made, for the right reasons, then the scheme can achieve a level of success beyond anyone’s expectations.

In order to make those decisions, clarity of information and a single source of truth are required. Here are the key characteristics that will underpin the scheme’s future success.


Most information security standards are inherently unscalable – they require physical audits, extensive documentation and manual processes. Cyber Essentials set out to address this with self-attestation at the basic level. This allowed the scheme to scale in its initial phase, but it’s still not ready for mass adoption. At the current take-up rate, it will take centuries to secure all the businesses that exist within the UK. A delivery chain is needed for the vast and diverse range of organisations within the country. In particular, current certification bodies and the thousands of managed service providers need to be engaged in order to deliver the assurance scheme to all that need it.


Cyber Essentials at its basic level needs to be at a cost that every organisation can afford. That includes the costs of assessing, implementing, certifying and maintaining the standard on an ongoing basis. The vast majority of SMEs do not have the ability to implement and maintain the scheme, nor the resources to hire dedicated security professionals to assist. There is also a huge shortage of skilled professionals, who are best utilised for assuring critical data and infrastructure.


The confusion, fear, uncertainty and doubt within the industry mean that security and compliance are often overwhelming for many organisations. The NCSC website, cohesive guidance and clear language have helped organisations understand what is needed to implement a baseline level of security. The issue remains that this doesn’t help them to implement it. Lowering the technical expertise required to implement and maintain Cyber Essentials brings it within reach of many organisations for which it was previously inaccessible.


For any scheme to succeed, it must be consistent. Any Cyber Essentials certification should be equal to another. There should be a single standard from an authoritative source, and it should be as objective as possible. The challenge is ensuring consistency across the diverse range of approaches to managing information technology that exist. This includes micro and small businesses that don’t have an IT team, those that have third-party managed IT, and larger organisations with dedicated IT professionals.


In order to deliver assurance at this level of scale, we need to use digital systems and data. This brings with it the challenges of managing such data and the requirement for Security by Design and assured technology. However, this also provides real-time insights into the adoption, implementation, maintenance and effectiveness of controls. Data brings us closer to the truth and allows us to ensure the scheme is meeting its aims and adapting to the ever-changing landscape.


The effectiveness of the current scheme is driven by its focus on ensuring appropriate levels of assurance from a small yet comprehensive control set, given that the majority of attacks originate from basic controls not being properly implemented or maintained. The assurance is only provided if continuous compliance is in place. For this to happen, it needs to be easier to maintain compliance than to fall out of it.

The future of Cyber Essentials

Fast forward to 2025: after a concerted effort, the UK is now the world leader in cybersecurity. The country is the safest place to live and do business online. This was achieved by making assurance programmes accessible, affordable and scalable. They have been brought to a level that everyone can attain, with confidence that there is consistency. Data drives the ongoing development of the schemes as they respond to the changing environment. Other countries look towards the UK as a model of how an adaptable scheme can defend and assure a nation.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
How does Cyber Essentials benefit MSPs and their customers?

Cyber Essentials is a UK-Government-backed cyber-security scheme which encourages businesses to take steps in order to prevent and protect themselves against the threat of cyber-attack. What you might not be aware of, however, is how beneficial a Cyber Essentials certification can be for managed service providers (MSPs) and their customers.

How to get Cyber Essentials certified

According to the official Cyber Essentials statistics, nearly half of businesses reported a cyber-attack in the past 12 months. This is why the scheme is dedicated to helping businesses stay secure.

The Cyber Essentials certification serves as proof of your IT resilience, educating businesses across all sectors on the best way to protect themselves from the most prevalent and damaging cyber threats. The certification is not just an award but an ongoing education and protection process, in which a business must put in place a range of security procedures and policies that help ensure a sufficiently high level of cyber-security within its IT infrastructure.

This helps reduce the risk of your business facing a cyber-attack, as well as ensuring that you have the infrastructure in place to appropriately counter and recover from an attack in the event of a disaster.

How does Cyber Essentials benefit MSPs’ customers?

The threat of cyber-attack is heightened for an MSP or reseller and poses a very real risk to your customers as well as to your business. In order to tackle this, IT resellers can position themselves as cyber-security specialists, working with their customers to help them achieve a Cyber Essentials certification and transform their IT resilience.

This presents an incredible opportunity for you to add value for your customers and demonstrate your technical knowledge, helping them make changes within their IT that build their resilience and tackle basic weaknesses in their infrastructure, preventing thousands of pounds’ worth of damage and threats to the survival of their business.

If you have any questions around Cyber Essentials and our partner hub or just want to have a chat, drop us a line at

This article was previously published by Marathon PS – one of our first partners.