Cyber Security Must Be a Board Priority – And It Starts With Cyber Essentials

Senior ministers and national security officials have called on boards to take urgent action to strengthen their organisations’ cyber resilience.

The Chancellor of the Exchequer, the Secretaries of State for Science, Innovation and Technology and for Business and Trade, the Minister for Security, the Chief Executive of the NCSC (National Cyber Security Centre) and the Director General of the NCA (National Crime Agency) have co-signed an open letter to FTSE 350 companies and other large UK organisations, warning that hostile cyber activity in the UK is “growing more intense, frequent and sophisticated”, posing “a direct and active threat to our economic and national security”.

As the NCSC’s Director of National Resilience, Jon Ellison, wrote in a supporting blog post, “our message is simple: don’t wait for the breach, act now”.


Cyber resilience as a national and corporate priority

The letter sets out three immediate actions for boards and chairs to take:

  1. Make cyber risk a board-level priority using the Cyber Governance Code of Practice.
  2. Sign up to the NCSC’s free Early Warning service.
  3. Require Cyber Essentials certification in the supply chain.

The government’s position is unambiguous: “Cyber resilience is a critical enabler of economic growth.”

In other words, companies that invest in strong defences are better able to withstand incidents, protect their operations and maintain investor confidence.

Ellison reiterated the point: “Many organisations believe they are unlikely to be hit, but we know that every organisation with digital assets is a potential target. The cost of inaction is rising, and the window for preparation is narrowing.”


Why Cyber Essentials matters

Among the three measures, Cyber Essentials stands out as the most practical and measurable first step for organisations of all sizes.

The scheme, developed by the NCSC, requires organisations to implement five fundamental technical controls that, according to the NCSC, protect against around 80% of common cyber attacks:

  • Firewalls (boundary firewalls and routers)
  • Secure configuration
  • Security update management (patching)
  • User access control
  • Malware protection

Certification is available at two levels:

  • Cyber Essentials – a self-assessment that confirms the five controls are correctly implemented.
  • Cyber Essentials Plus – an independent audit that verifies those controls in practice through testing and scanning.

Most organisations start with Cyber Essentials and progress to Plus once their controls are mature. For higher-risk sectors such as finance, healthcare, government supply and defence, Cyber Essentials Plus is often expected as standard.

Organisations with Cyber Essentials certification are, according to government data, “92% less likely to make a claim on their cyber insurance”.

For many public-sector contracts, certification is already mandatory.


A growing emphasis on supply chain assurance

Recent years have seen major service disruptions caused by attacks on trusted third-party providers. Criminals and state-sponsored actors increasingly exploit weak links in interconnected systems, targeting suppliers whose defences fall short of their customers’ expectations.

However, according to the letter, “just 14% of UK businesses assess the cyber risks posed by their immediate suppliers”.

By mandating Cyber Essentials, boards can set a clear baseline for security in procurement and partnership decisions. It provides a simple, evidence-based mechanism to verify that suppliers meet minimum cyber hygiene standards.

The government has already applied this approach to its own suppliers. It is now urging private-sector leaders to follow suit: “As leaders of the nation’s largest businesses, we ask you to embed the same requirements across your own supply chain.”


Turning recognition into action

The letter acknowledges that progress has been made: “More than 90% of company boards now recognise cyber security as a critical priority.”

The challenge, however, is to turn that awareness into concrete measures.

The message from ministers and the NCSC is not about abstract strategy but practical delivery. As Ellison puts it: “In just three recommended steps, senior leaders can proactively reduce their risk. The concrete actions our letter details will immediately create positive impact on companies’ resilience to cyber attacks.”


How to achieve Cyber Essentials certification

The process is straightforward but requires preparation.

  1. Read the current requirements. Download the latest NCSC Requirements for IT infrastructure and ensure your IT and leadership teams understand the updates.
  2. Define your scope. Identify which devices, networks and Cloud services are in scope – a common reason for certification failure is missing assets.
  3. Review your controls. Confirm that systems are patched, multi-factor authentication is enforced for Cloud accounts and default passwords have been changed.
  4. Complete the self-assessment. Answer the Willow Question Set fully and accurately.
  5. Submit and certify. Send your responses to an IASME-accredited certification body such as IT Governance. Once approved, you’ll receive your Cyber Essentials certificate and (if eligible) free cyber insurance of up to £25,000.
  6. Progress to Plus. Book an external audit to achieve Cyber Essentials Plus, which validates your implementation through hands-on testing.


Cyber Essentials as the foundation of resilience

Cyber Essentials offers:

  • Proven protection against common attacks.
  • Customer and regulator confidence through visible assurance.
  • Market access, with increasing contractual and supply chain requirements.
  • Cost-effective compliance, achievable at a fraction of the cost of ISO 27001.

As ministers emphasised, “Cyber resilience is a critical enabler of economic growth.”

For many organisations, Cyber Essentials is the first measurable step towards that resilience.


IT Governance’s role in building resilience

IT Governance was one of the original certification bodies for Cyber Essentials and has issued more than 9,000 certificates. Our packages support every stage of the process – from self-assessment to full Cyber Essentials Plus audits – with options to suit all budgets and levels of in-house expertise.

Our experts can:

  • Help you define your scope and prepare for assessment.
  • Review your controls and identify gaps before submission.
  • Manage your Cyber Essentials Plus audit and remediation plan.

Whether you are seeking compliance to meet customer demands or strengthening your internal defences, we provide end-to-end support.

As the joint ministerial letter makes clear, the time to act is now.

Cyber Essentials offers a simple, effective and government-endorsed way to begin.


Start your Cyber Essentials certification journey today

Explore our Cyber Essentials solutions and take the first step towards stronger cyber resilience.


The post Cyber Security Must Be a Board Priority – And It Starts With Cyber Essentials appeared first on IT Governance Blog.