Would you pass a Cyber Essentials audit? Here’s why hackers hope not

Security expert Davey Winder explains why every size of business should take the Cyber Essentials audit — not just the big-name organisations that hit the headlines

The UK Electoral Commission was hacked in August 2021. The Electoral Commission, an independent body that oversees elections and political financing, was unaware of this until October 2022.

It’s no coincidence that the same year this security breach occurred, 2021, the Electoral Commission failed to pass the Cyber Essentials audit. This certification is part of a voluntary scheme backed by the UK government and the National Cyber Security Centre (NCSC). According to the NCSC, the audit helps organisations “guard against the most common cyber threats” and “demonstrate commitment to cyber security”.

Now, this was no minor breach. The unidentified threat actors that hacked into the Electoral Commission servers could access the sensitive data, including email correspondence, of some 40 million voters.

A whistleblower told the BBC’s security reporter, Joe Tidy, that one reason the commission failed the certification audit was the use of iPhones that were too old to get security updates from Apple. Not to mention 200 laptops that ran an unsupported enterprise version of Windows 10.

While it’s important to note that the Electoral Commission has denied that these were linked to the security incident in question, it remains a blot on the organisation’s copybook.

Not least because, in 2023, it has yet to pass a Cyber Essentials audit. The NCSC itself states that not having the certification is problematic as being vulnerable to basic attacks “can mark you out as a target from more in-depth unwanted attention from cyber-criminals”.

Ring any bells?

Passing a Cyber Essentials audit

This risk doesn’t apply only to high-profile bodies such as the Electoral Commission. It applies to every organisation and every business, regardless of size or location.

“The certification is more than another compliance check box to be ticked,” said Ryan McConechy, CTO of Barrier Networks. “It is a solid baseline to make sure that, as an organisation, many obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on.”

He added: “An organisation of such prominence [as the Electoral Commission] would normally be expected to be Cyber Essentials Plus certified.”

That certification adds a hands-on technical verification to the self-assessment option of the basic audit.

“No organisation that handles the data of the UK population should ever gamble with security,” McConechy concluded. “The requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee.”

I don’t disagree, but that security gamble shouldn’t be taken by any organisation. The audit is free and easy, and might just prevent your business from becoming a target of cyber-criminals.

As we have said before, and will say again, cyberattacks hit all sizes of businesses. If you aren’t worried, you’re doing something wrong.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.