In the past year, 39% of UK businesses identified a cyberattack against them, according to the UK government's 2022 Cyber Security Breaches Survey, which shows how rampant and persistent cybercrime has become. One attack stood out. According to Brad Smith, Vice Chair and President of Microsoft, the attack on SolarWinds, a US IT management software company whose compromised Orion updates were pushed out to its customers, was, in his words:

“The largest and most sophisticated attack ever.”


In the past 18 months, data leaks at organisations such as Air France, KLM and Nissan North America have all been traced back to third parties. The same survey found that fewer than one in ten organisations review the risks posed by their wider supply chain. Go back to 2021, the year the whole world was grappling with the Covid-19 pandemic, and some of the most notable attacks took place. In January, attackers began exploiting zero-day vulnerabilities in on-premises Microsoft Exchange Server; by the time the flaws were publicly disclosed in March, an estimated 250,000 servers and some 30,000 organisations had been hit, among them the Norwegian parliament.


Just six months later, Kaseya, a Florida-based software company specialising in IT management and security tooling for managed service providers, fell victim to a ransomware attack delivered through its VSA remote-management product, which temporarily paralysed the operations of approximately 1,500 downstream companies. A supermarket chain in Sweden shut its stores for a week, and schools and kindergartens in New Zealand were also affected. What is striking is that all these organisations were hit through vulnerabilities in the software and service providers they depended on. Dr Kalina Staykova, an Assistant Professor of Information Systems at Warwick Business School, said of cyberattacks on third-party vendors:

“Cyberattacks come from suppliers across all industry tiers, while most companies, but often by definition smaller suppliers, have poorer cybersecurity standards.”


Smaller suppliers are more vulnerable to cyberattacks, and because they sit inside the same supply chain networks as their larger customers, a weakness in one of them becomes a way into all of them. So what can we do to keep everyone safe? In large and complex supply chains, the biggest challenge is maintaining visibility and managing risk. The old maturity-based approach, where an organisation works through a fixed checklist of controls regardless of what it actually faces, no longer cuts it. It is high time organisations switched to a risk-based approach: identify the assets and suppliers that matter most, assess the realistic threats to them, and direct effort and budget there, adjusting as the picture changes. Taking this more proactive stance lets an organisation stay ahead of attackers and keep the whole supply chain secure. Emily Taylor, CEO of Oxford Information Labs, says this is how businesses, from SMEs to corporates, need to tackle their cybersecurity:

“It is not a technical issue but an all-encompassing strategy that needs to be fully embraced at board level and embedded across the company instead of being left to technical teams to manage on their own.”


Cyber Essentials (CE), launched by the UK government in June 2014 and now run by the NCSC, can be read as an entry-level strategy for reducing cyberattacks across a supply chain. CE has a simple goal: protecting organisations of all sizes from the most common cyberattacks. It does this with five fundamental security controls: firewalls, secure configuration, user access control, malware protection, and security update management. Together these measures raise an organisation's baseline security posture and its resilience against everyday threats. Larger and wealthier businesses can afford far more sophisticated protection and can pay steep cyber insurance premiums; SMEs typically take comfort in knowing that, if they are CE certified, they at least have a recognised level of cybersecurity in place, and eligible UK organisations also get a basic cyber insurance policy bundled with certification. Matthew Clark, Cyber Director at insurance advisory firm Partners&, is a big CE fan and said:

“For most SMEs, it’s a bloody good idea. It has some government flavour to it, but it seems to work quite well.”

Simon Gilbert, CEO of Elmore Insurance Brokers, echoed Clark’s sentiments and said:

“You’re getting just a level above everyone else in terms of maturity, awareness and some risk protection – it’s only third-party liability, but it’s got the event management piece as well. So, I think that’s a good step in the right direction. It’s a starting point for those who are not doing anything at all.”
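Of the five Cyber Essentials controls listed above, security update management is the one most easily checked mechanically, so here is an added example of such a check. It is not code from the original article or from the NCSC; it assumes the CE requirement that updates fixing critical or high-risk vulnerabilities are installed within 14 days of release (confirm the exact wording against the current requirements document), and it runs over a constructed inventory of hypothetical hosts and packages rather than real data.

```python
from datetime import date

# Cyber Essentials expects updates that fix critical or high-risk
# vulnerabilities to be installed within 14 days of vendor release.
# (Assumption taken from the CE requirements; check the current document.)
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Constructed sample inventory (hypothetical hosts, not real data).
# "installed" is the version on the host, "fixed" the version that closes
# the vulnerability, "released" the vendor's release date (ISO format).
INVENTORY = [
    {"host": "fs-01", "package": "openssl", "installed": "3.0.2",
     "fixed": "3.0.7", "released": "2023-06-01", "severity": "high"},
    {"host": "fs-01", "package": "curl", "installed": "8.1.2",
     "fixed": "8.1.2", "released": "2023-05-30", "severity": "high"},
    {"host": "ws-07", "package": "chrome", "installed": "113.0.5672",
     "fixed": "114.0.5735", "released": "2023-06-20", "severity": "critical"},
    {"host": "ws-07", "package": "vlc", "installed": "3.0.17",
     "fixed": "3.0.18", "released": "2023-04-01", "severity": "low"},
]


def parse_version(text):
    """Turn '3.0.7' into (3, 0, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_patched(record):
    """True when the installed version is at or beyond the fixed version."""
    return parse_version(record["installed"]) >= parse_version(record["fixed"])


def overdue_updates(inventory, today):
    """Return in-scope, unpatched records that breach the 14-day window.

    `today` is an ISO date string. Each result carries days_overdue, the
    number of days beyond the window; results are sorted worst first.
    Low/medium severity items are ignored here: CE's hard deadline applies
    only to critical and high.
    """
    today_d = date.fromisoformat(today)
    overdue = []
    for rec in inventory:
        if rec["severity"] not in IN_SCOPE_SEVERITIES or is_patched(rec):
            continue
        age = (today_d - date.fromisoformat(rec["released"])).days
        if age > PATCH_WINDOW_DAYS:
            overdue.append({**rec, "days_overdue": age - PATCH_WINDOW_DAYS})
    return sorted(overdue, key=lambda r: r["days_overdue"], reverse=True)


def compliance_report(inventory, today):
    """Per-host verdict: a host passes only if none of its in-scope updates is overdue."""
    failing = {r["host"] for r in overdue_updates(inventory, today)}
    hosts = {r["host"] for r in inventory}
    return {host: host not in failing for host in sorted(hosts)}


if __name__ == "__main__":
    as_of = "2023-06-30"
    for rec in overdue_updates(INVENTORY, as_of):
        print(f"{rec['host']}: {rec['package']} {rec['installed']} -> "
              f"{rec['fixed']} ({rec['severity']}) overdue by {rec['days_overdue']} days")
    print(compliance_report(INVENTORY, as_of))
```

Two design points matter in practice: versions are compared as integer tuples, because string comparison would rank "8.10" below "8.9"; and the verdict is per host, because an assessor looks at whether the device is in scope and compliant, not at a global patch count. Feeding this from a real package inventory and vendor advisory feed, rather than the constructed list here, is the remaining work.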


But not everybody is as enamoured with Cyber Essentials as Clark and Gilbert. Catherine Aleppo, head of UK SME cyber at broker Howden, slammed the insurance bundled with Cyber Essentials, calling it “appalling.” She argued that it misleads businesses into thinking that claims for cybercrime and financial loss, the most common claims among UK SMEs, would be covered. In her view, SMEs should not treat Cyber Essentials as a substitute for a proper cyber insurance policy.


Lindsey Nelson, cyber development leader at specialist insurance provider CFC Underwriting, offered a different perspective on Cyber Essentials. From an underwriting standpoint, she said, certification shows strong governance, awareness and investment in improving an organisation's security posture. Of the scheme, she said:

“It has zero correlation with whether claims happen or not – but that’s not to put down Cyber Essentials in any way. I could say the same thing about multi-factor authentication (MFA). We sometimes see actual cause-effect correlations between MFA and claims, but we’ve seen an increasing number of cases where they bypassed MFA, and the lesson we end up leaving with is that there’s no silver bullet, which is exactly why you need cyber insurance. So, MFA today, it’s going to be something else tomorrow – it’s also endpoint protection, it’s a million things, and the disadvantage for SMEs is that they can’t invest a lot into that infrastructure.”

That is exactly why SMEs go for CE: certification, with its bundled policy, is cyber insurance in its simplest form. It is like having extra resources and a security team on board, all at a discount. A chicken-and-egg story, is it not?


Cyber Essentials may be entry-level, but every SME needs a foot in the door when it comes to protecting its data and IT systems. This is where I can help you. With over 20 years of experience in professional business IT support, I have cybersecurity and risk mitigation in my bones and in my blood. I can provide you with as much support and guidance as you need to get certified. Let’s get together soon and make your data and your business safe and secure.
