UK.gov launches cyber 'lockdown' campaign as 80% of orgs still leave door open
- Reference: 1771327815
- News link: https://www.theregister.co.uk/2026/02/17/govt_launches_cyber_lockdown_push/
Officials today [1]kicked off a public push urging companies to tighten their digital defenses, complete with familiar advice about basic controls and adopting the long-running Cyber Essentials scheme, after new data showed incidents remain routine and baseline protections are still patchy.
UK government exempting itself from flagship cyber law inspires little confidence [2]READ MORE
According to the government's latest [3]Cyber Security Longitudinal Survey, a multi-year study tracking policies, behaviors, and incident impacts, 82 percent of businesses and 77 percent of charities in the UK reported experiencing some form of incident over the past year, reinforcing the idea that when it comes to getting poked, prodded, or outright compromised, this is now less a question of if and more a question of how often.
The data also shows that risk profiles tend to stick, with 54 percent of organizations reporting the same experience of incidents, or similar impacts, across multiple surveys – suggesting the gap between the security haves and have-nots isn't closing quickly.
At the same time, adoption of the government's flagship baseline standard remains stubbornly low. While adherence to Cyber Essentials ticked up, it's still only at 30 percent among businesses, up from 23 percent in the previous study, and 28 percent among charities, up from 19 percent. This means roughly seven in ten larger organizations still aren't following what ministers routinely describe as the digital equivalent of locking the front door.
That disconnect is exactly what the new campaign aims to address, with officials once again warning that attackers aren't just targeting household names.
Cybersecurity minister Baroness Lloyd said in a statement:
"No business is out of reach from cybercriminals. SMEs play a vital role in our economy, and business owners work incredibly hard to build something valuable, but too many still assume cybercriminals only go after big brands. The reality is that criminals look for easy opportunities, and without basic protections in place, any business of any size can become a target.
"I know smaller firms don't have large IT teams, and that is exactly why Cyber Essentials matters," she added.
[8]Legacy systems blamed as ministers promise no repeat of Afghan breach
[9]London boroughs limping back online months after cyberattack
[10]Ministry of Justice splurged £50M on security – still missed Legal Aid Agency cyberattack
[11]UK injects just £210M into cyber plan to stop Whitehall getting pwnd
[12]Ministers confirm breach at UK Foreign Office but details remain murky
The campaign will run across social media, podcasts, radio, and business networks to reach busy SMEs where they are, with the usual pitch to get on board with Cyber Essentials and sort out the basics. Officials say the scheme focuses on practical steps such as patching software and tightening access controls — the kind of housekeeping that many attacks still rely on.
To nudge firms along, the government is also pointing to a handful of freebies, including an online readiness check, free 30-minute chats with NCSC-assured advisors, and a preview of the certification question set so companies can see what's involved before signing up.
The accompanying survey paints a picture of gradual improvement but persistent unevenness, with governance, planning, and insurance coverage varying widely depending on the organization. Cost pressures and competing priorities continue to show up as barriers to doing more, even as threats keep piling up.
Ultimately, the government is once again telling businesses to check the locks, while its own data suggests plenty still haven't found the keys. ®
[1] https://www.gov.uk/government/news/businesses-urged-to-lock-the-door-on-cyber-criminals-as-new-government-campaign-launches
[2] https://www.theregister.com/2026/01/10/csr_bill_analysis/
[3] https://www.gov.uk/government/collections/cyber-security-longitudinal-survey?
[8] https://www.theregister.com/2026/02/11/uk_afghan_breach_probe/
[9] https://www.theregister.com/2026/01/23/landmark_milestone_as_hammersmith_fulham/
[10] https://www.theregister.com/2026/01/07/legal_aid_agency_attack/
[11] https://www.theregister.com/2026/01/06/government_cyber_action_plan/
[12] https://www.theregister.com/2025/12/19/uk_foreign_office_hack/
Re: Platitudes
Most small businesses have no internal resources for Cyber security - the full UK.GOV article mentions "checking the locks", but frankly most small business owners don't even know where the "doors" are, let alone how to check the locks, so anything to raise awareness about how to start figuring these things out for a small business owner is a good start.
However, I'd go a step further, and try to think of sensible ways to incentivise proper certification - for instance, if the government started advertising to the masses to check that any business taking their personal info or credit card details had a minimum level of security, then that would go a long way, eventually maybe even making it mandatory in the same way as the "GasSafe" scheme.
I agree in isolation, not much use, but if it can be used as a foundation to be built upon, then it's not a bad place to start
Re: Platitudes
and try to think of sensible ways to incentivise proper certification - for instance
And open up a massive attack vector. I can imagine thousands of companies offering up "security certification", but in reality stealing data from businesses.
These things are a non-starter in a country where theft and scams are essentially legal.
Re: Platitudes
Wow! I thought I was an old cynic, but you take it to a whole new level... ツ
Re: Platitudes
GasSafe works because physics is binary and failure is obvious. A boiler leaks or it doesn’t.
Cyber isn’t a boiler. It’s an adaptive adversary. You cannot badge that into submission.
Make certification mandatory and you don’t just get compliance theatre. You get scaled false confidence.
• Firms think “we’re certified, we’re covered.”
• Weak auditors rubber-stamp weak setups.
• Attackers target the nice tidy list of “approved” businesses.
When it blows up, here’s how it actually plays out:
The small business folds or bleeds.
Customers get a free credit monitoring subscription and a polite apology email.
The big company, if it’s big enough, absorbs it, litigates it, or quietly benefits from “systemic risk” language and supportive policy (aka taxpayer bailout).
Ministers announce that “lessons have been learned” and that the certification scheme will be “strengthened”.
In the retrofit scandal, accreditation didn’t just fail to prevent harm. It industrialised it. Defects weren’t random. They were scaled through a system that conferred legitimacy while incentives drifted.
Cyber would be worse. Because once data is gone, it’s gone. There’s no ripping open plasterboard to fix it.
The badge allows government to say “we’ve acted”.
The market allows auditors to say “we’ve certified”.
Businesses say “we complied”.
And victims get an Experian subscription and a lollipop at best.
Re: Platitudes
The government should be doing this certification.
We "certify" drivers, right?
Re: Platitudes
You're so right. Since the driving test was introduced in the UK there is no bad driving and not a single driving offence has been committed by a licensed driver.
Re: Platitudes
I find UK roads are INCREDIBLY safe. Are you saying we shouldn't waste the money on training & testing?
Re: Platitudes
I bet all those small businesses use qualified accountants - either internal or external - to run their accounts, payroll, RTI, VAT, corp tax, etc. They do this because getting it wrong means anything from a fine to the company going bust to prison. If they can afford an accountant they can afford an IT professional.
Re: Platitudes
That right there hits the nail on the head - there is an incentive to do their accounts properly, due to the penalties of screwing up - the taxman always wants his pound of flesh (if you'll forgive both the choice of pronouns, and the catachresis of the original Shakespeare)
There is no such incentive to get Cybersecurity right, and there needs to be...
Re: Platitudes
If they can afford an accountant they can afford an IT professional.
“If they can afford X, they can afford Y” is pure fantasy maths.
It assumes money is a vibe, not a finite quantity.
If I have £500 and spend £500, I can afford that £500 thing.
What I cannot afford is another £500 thing immediately after, unless we’re now operating on Hogwarts accounting.
By that logic:
If you can buy a house, you can buy two houses.
If you can eat dinner, you can eat two dinners.
If you can afford one employee, hire ten. What’s the issue? You’ve demonstrated “affordability”.
Re: Platitudes
Someone is doing their IT. Someone's getting paid to do it. If they haven't got an IT pro then it's probably being done by a combination of everyone plus a couple of self-taught employees - who have 'proper' jobs to do - tinkering with stuff they don't really understand and relying on Google to keep their kit going. If they got an IT pro then those people could spend more time doing the jobs they understand and are qualified and paid for instead of trying to sort out IT stuff they don't understand. The company could become more productive, increase sales and profits, job and customer satisfaction. An IT pro could optimize the IT to support the business, make sure backups ran, licences were paid for, patches done and security addressed, etc. Your negative attitude towards everything seems to include regarding employees as burdens as opposed to contributors.
Pedant's Corner
If this was an American report on the US Government then I would expect it to be written in American English. This was a British(?) report on the UK Government. Primarily of interest to UK readers.
Is it not possible for El Reg's editorial policy to bridge the pond by rendering what is Ceasars in Ceasar's tongue? We all can bridge the pond understanding (mostly) each other. But it makes it more international to not stick to a particular brand of English. International/global was, I thought, El Reg's mission. Most English speakers are not American. My LibreOffice app offers an astounding range of English dialects.
Hopefully, a final AI 'correction' was not responsible.
Re: Pedant's Corner
Surely if you are angling for being a pedant, better check the spelling of "Caesar" first...
Interestingly of course, since the Romans had no "C" (and incidentally no J or U either), the guy we all know as Julius Caesar, would probably have been pronounced Yoo-Li-Us Ky-ser by the Romans - the German "Kaiser" is derived from exactly the same root, and is more or less exactly how the Romans would have pronounced it (damned German pedantry!...)
Re: Pedant's Corner
The residents of New Vegas thank you.
Re: Pedant's Corner
Okey Dokey?...
Cyber Essentials is worthless.
Effectively a 12 year old kid playing around with Linux on the bedroom floor could very likely have a more secure / correct infrastructure.
My recent review for this consisted of allowing remote access to my works mobile and checking that it was running the latest version of the OS and didn't have any 'extra' certificates loaded.
Vital role
SMEs play a vital role in our economy
Then why does the government want to fk them over at every turn?
Wrong title...
80% of all government org sites, no matter where, are that level of insecure... Not a UK specific problem :D
82 percent of businesses and 77 percent of charities
Come on charities, you can catch up.
Most of the issues would be fixed if we had operating systems that protected data flows and access to code, or if both intranets and infrastructure had no connection to the public internet (i.e. no SaaS, no cloud use, and no AI).
The simplest solution for most is to move as much of their operations on to permanently offline systems. Separate systems for anything online. In small businesses, that is the purchase of a few extra cheap PCs.
Re: 82 percent of businesses and 77 percent of charities
You could make your house a lot more secure if you bricked up all the doors and windows.
Maybe I should write that book
The one based on my experience where it's easy for management to do pretend security.
For example the time the lying head of Unix Engineering told my manager I had backdoors after I helped one of his staff get root by a method he didn't know.
Platitudes
For all the expense of creating & running these "campaigns", they could be actively pen-testing & giving USEFUL information to those charities, instead of box-ticking & saying "told you so".