In 2024, a threat actor systematically compromised over 160 corporate data stores hosted on the Snowflake platform. Big-name multinationals, including AT&T, Ticketmaster and Santander, sent breach notifications to hundreds of millions of downstream customers as a result. The financial and reputational fallout, while never calculated, was surely immense. 

It all stemmed, according to Google, from previously compromised credentials. Crucially, none of the breached companies had multifactor authentication (MFA) enabled on their Snowflake accounts, allowing the malicious actor to sneak in undetected.

This is exactly the kind of security oversight that Cyber Essentials (CE) was designed to eliminate. The UK government-backed cybersecurity certification scheme aims to help SMBs and larger enterprises keep proprietary and customer data safe from threat actors – by forcing them to tackle their most common security failings. In so doing, CE not only helps participating organisations to minimise breach costs and risks, but also provides security assurances to suppliers, partners and customers. There’s just one problem: take-up is still appallingly low.

The latest quarterly figures from the government show that CE certifications are certainly increasing. Between April and June 2025, 13,109 businesses signed up or re-certified. That’s up 16% on the same period a year previously (11,307). However, just 51,068 certificates were awarded in the year from June 2024 to June 2025; 38,591 at CE level and 12,477 at CE+. That’s only a tiny fraction of the 5.5m private sector businesses estimated to operate in the UK. Over a decade after its launch, is it time for a rethink?

“To justify [the] time and resources required to align with a certification scheme, there must be a strong driver such as an industry or regulatory requirement, or customer expectation – but the CE scheme fails to provide this,” argues Katherine Kearns, head of proactive cyber services, at consultancy S-RM. “Where our clients are not faced with a requirement to obtain a CE certification in order to serve a particular client base, we see many being drawn towards other, more comprehensive cybersecurity standards, such [as] NIST CSF or ISO27001.”

Not moving with the times

The CE scheme comes in two flavours: a standard level based on a self-assessment questionnaire and a more advanced tier which requires an independent audit. Both assess participating organisations across five key control areas: firewalls and router security; secure configuration of devices/networks and the removal of unnecessary software; management of security updates (patching); user access controls; and malware protection.

There are several reasons why larger organisations may steer clear of CE in its current form, explains Kearns. “They typically operate complex, often geographically dispersed networks, where basic technical controls driven by CE do not satisfy organisational appetite to drive down risk and improve resilience,” she says. “The CE control set is also ‘absolute’ and does not allow for the use of compensating controls. Large complex environments, on the other hand, often operate legacy systems that require compensating controls to reduce risk, which prevents compliance with CE.”

The point-in-time nature of assessment is also a poor fit for today’s dynamic IT infrastructure and threat environments, argues Pierre Noel, field CISO EMEA at security vendor Expel.

“This won’t cut it when you’re defending a multi-cloud estate against adversary-in-the-middle phishing kits or infostealing malware; that’s why most mature firms benchmark against SOC2, ISO 27001 or similar frameworks that provide a roadmap for measurable progress,” he argues. “Against that backdrop, Cyber Essentials risks being seen as symbolic rather than substantive—but the functionality remains critical.”

SoSafe CISO Thomas Owen adds that, although CE was designed to be “applicable equally to a blacksmith or an incumbent of the military-industrial complex”, this is not necessarily true today. “It’s also failed to keep up with the realities of a post-Covid world, where remote working is now a de facto norm,” he continues. “And as a very prescriptive standard, it suffers from a resulting need to evolve much faster to keep up with changes in the state of the art.”

Despite these concerns, the government continues to cheerlead for the scheme. Its National Cyber Security Centre (NCSC) cites some impressive stats, albeit without sources, that certification can significantly reduce insurance claims, improve market competitiveness, and enhance understanding of cybersecurity risks. 

There is at least some evidence that CE boosts supply chain assurance and risk management efforts. Certification provider IASME claims that wealth management giant St James’s Place mandated CE+ for the 2,800+ businesses in its network, and reported an 80% reduction in security incidents “overnight.” This should be a big draw for most UK companies – whether they’re a large enterprise mandating it of suppliers, or a smaller partner on the receiving end of such orders. Supply chains remain a major security gap for even well-funded and defended organisations. A 2024 report claims that 97% of UK FTSE 100 firms suffered a breach in their third-party ecosystem in the previous 12 months.

“For large enterprises with complex IT environments, CE may not be comprehensive enough to address their specific security needs,” says Andy Kays, CEO of MSSP Socura. “Despite these limitations, it still serves a valuable purpose as a baseline, especially for supply chain assurance where larger companies want to ensure their smaller partners have a minimum level of security.”

Richard Starnes is an experienced CISO and chair of the WCIT security panel. He agrees that large enterprises should require CE+ certification in their supplier contracts, where it makes sense. “This requirement should also include a contract flow-down to ensure that their suppliers’ downstream partners are also certified,” says Starnes.

Even so, take-up of Cyber Essentials continues to lag. A government survey reveals that just 12% of businesses are aware of the scheme, though this rises to half (51%) among large companies. Meanwhile, just 3% of businesses overall are CE certified (rising again to 21% among large businesses). Interestingly, though, the same report claims that 21% (59% of large firms) have controls in place across the five key areas defined by CE. This appears to confirm that they’re finding other ways to enhance their security posture.

[Image: screenshot of the NCSC website] The NCSC has been a champion of the Cyber Essentials scheme. (Photo: Jarretera / Shutterstock)

What happens to Cyber Essentials next?

On that basis, it shouldn’t matter that take-up is low among enterprises, as long as they’re following other, potentially more robust best practice standards and frameworks. But a lack of take-up in their supply chains should be a concern. Threat actors will always look for the path of least resistance to achieve their goals, and very often this means targeting a more vulnerable supplier.

So how can the government make CE more attractive to suppliers? “I would argue that CE+ has its uses and benefits, but for smaller businesses it needs to be broken up into smaller sections using a ‘stair step’ approach,” argues WCIT’s Starnes, who says these views are his own. “SMEs also need access to reasonably priced expertise.”

That expertise could come from Cyber Advisors: another NCSC scheme designed to provide geographically local cybersecurity advice to SMEs. However, this initiative has also suffered from a lack of industry support.

“A pool of accredited, trusted advisors could cut through that noise and turn Cyber Essentials from theory into practice,” says Expel’s Noel. “But execution matters: if it’s under-resourced, it won’t shift the outcomes. The reality is attackers innovate faster than regulators.”

The government could also make CE more relevant to modern IT environments, says Socura’s Kays. “The scheme could be enhanced to include more in-depth coverage of cloud security, given the widespread adoption of cloud services,” he adds. “Small businesses put a lot of faith in SaaS platforms and expect them to be secure, often with little thought about how their data is stored, used or protected. This is only getting worse in the AI era, as employees share sensitive info and files with LLMs. Security is an afterthought at best.”

A greater focus on security awareness training and phishing simulation may also make it more effective in mitigating cyber risk, as would a section on incident response, he continues. S-RM’s Kearns agrees.

“The CE controls, while crucial for securing networks and devices, are protective in nature and will not help a business detect security incidents, respond to threats effectively and recover from an attack should threat actors compromise any of the above security measures,” she argues.

Experts agree that greater awareness is needed among SMEs and larger enterprises to increase CE uptake. “The NCSC recently made a series of ads promoting MFA, but I don’t ever recall a Cyber Essentials TV ad or billboard,” says Socura’s Kays. “The government could do more to build targeted campaigns to raise awareness of Cyber Essentials, particularly among sectors with low adoption rates.”

Mandating certification is another option, as the government already does for suppliers bidding on certain public sector contracts. “This will eventually become a driving force for many companies in the CNI vendor space,” says WCIT’s Starnes. “Providing a copy of your CE+ certification to Companies House on an annual basis as part of the annual accounts filing could also be something to explore.”

In the meantime, threat actors continue to probe enterprises’ IT environments for weaknesses, including their supply chains. Even if they’re not CE+ certified, the fact that only 59% of large firms have deployed similar technical controls should be cause for concern. Simple mistakes continue to be the downfall of many big-name businesses. The next Snowflake is just around the corner.
