Most UK businesses are unaware of government initiatives to help support and improve their basic cybersecurity practices, new survey data revealed today, and few adhere to the government’s certification schemes. Julia Lopez, the minister of media, data and digital infrastructure, called on businesses to “take cybersecurity seriously” in response to the findings.


Just three out of ten businesses surveyed have heard of the government’s Cyber Aware email security programme, according to the government’s latest Cyber Security Breaches survey. This proportion has crept up from 21% in 2017. The programme encourages businesses and citizens to improve email security by using strong passwords and two-step verification.


Fewer than 20% are aware of the 10 Steps and Cyber Essentials programmes. The 10 Steps initiative offers advice on a wide range of cybersecurity issues, from identity and access management to collaborating with third-party suppliers and partners on cybersecurity. Cyber Essentials is a more formal certification scheme, in which businesses can conduct self-assessments to understand their cyber posture and identify any gaps in their defences.

Unsurprisingly, given this limited awareness, only a small minority of organisations surveyed have undertaken the Cyber Essentials certification (6%) or the Cyber Essentials Plus scheme, which includes an external technical assessment (1% of businesses). Global cybersecurity standard ISO 27001 and payment card data standard PCI DSS are more widely adopted, the survey shows, but still by a minority of respondents.

Respondents to the survey reported a variety of challenges in implementing these cybersecurity standards. Some smaller businesses and charities find that compliance with these standards is too costly and, in the absence of a dedicated cybersecurity or IT team, too complex.

Larger organisations, meanwhile, struggle with implementing standards and accreditations due to the higher number of service users. For example, cybersecurity coordinators for a university found it difficult to conduct technical assessments due to the “large number of service users using personal devices,” the survey found.

“It is vital that every organisation takes cybersecurity seriously as more and more business is done online and we live in a time of increasing cyber risk,” said Lopez. “No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.” 
