Going beyond Cyber Essentials

Nicky Whiting Headshot
Nicky Whiting
Managing Director

The Cyber Essentials scheme has started to become a victim of its own success, with some organisations thinking it’s all they need to operate securely. Now I need to start by saying that Cyber Essentials is a great security baseline and I strongly recommend that every single organisation gets Cyber Essentials certification. It provides a valuable framework for establishing fundamental cyber security practices. But is that always enough? In this article I’ll explore why organisations dealing with critical infrastructure, public incident response, emergency services supply chain, or processing highly sensitive data, need additional safeguards to manage their significant risks.

Cyber Essentials: a strong foundation

The Cyber Essentials (CE) scheme is designed to protect an organisation from up to 80% of the most common internet-born threats. It covers a broad spectrum of common cyber attacks by looking at five elemental technical controls: Firewalls, Secure Configuration, Passwords, Malware Protection and Patch Management. Cyber Essentials is a valuable first step towards cyber security, and, along with penetration testing, I recommend that every business, charity, organisation, and other entity gets CE certification. However it is crucial to understand that it represents a foundational layer of starting best practices. It’s your start line, not your finish line.

Limitations of Cyber Essentials

The types of attack that CE guards against are the ones conducted by automated malware attackers and entry-level hackers. These represent the majority of online threats, which is a key part of what makes Cyber Essentials certification so valuable. However, despite its broad covering of cyber security best practises, there are several attack scenarios that are out of scope of CE’s protection, including:

Nation-state attacks

Nation-state attacks

The formidable resources available to nation-state attacks is especially applicable to organisations working with national/local public incident response, defence supply chain contractors, and emergency services supply chain providers.

Motivated adversary attacks

Motivated adversary attacks

A motivated adversary will have considerably more resources and capability than the adversaries modelled by Cyber Essentials.

Social engineering attacks

Social engineering attacks

Cyber Essentials is primarily a collection of technical measures. A significant proportion of cyber attacks start with social engineering attacks, making it a key risk that is unmitigated by CE certification.

Insider threats

Insider threats

The controls and protections afforded by Cyber Essentials cannot to differentiate between valid users and the kind of insider threats that are applicable to higher-risk organisations.

Additional considerations for critical operations

Additionally, there are two key limitations of Cyber Essentials to consider that are especially relevant for critical operations or those businesses who are somewhat more security mature.

Self Assessment Trust

Cyber Essentials certification is a self-assessment. This means information provided to achieve the certification could be knowingly or accidentally false or incomplete.

Point-in-time Scope

Cyber Essentials is a point-in-time-only snapshot of cyber security that relies on trust. Security could not be simply not maintained between annual re-certification dates, exposing any organisation to significant risk.

Understanding risk

Now it’s time I talk about risk. The risks faced by organisations dealing with critical infrastructure, public incident response, emergency services supply chain, or processing highly sensitive data, go far beyond the simple, common attack vectors that CE guards against. This means that CE has completed its mission of setting a good security baseline, but it is not commensurate with the actual security challenges faced by these higher-risk organisations.

10 Point Security Checklist 10 Point Security Checklist

Download Free 10-point security checklist

Learn everything you need to know to take your cyber security strategy from zero to hero. Boost your security defences & plan your strategy with our free 10-point security checklist

Download the checklist now

Learning from real cyber attacks

Analysing at a typical modern cyber security incident helps to demonstrate the defensive gaps in CE certification and benefits of specific additional cyber security controls. A typical attack will follow these key steps:

  1. 1

    Initial compromise


    An attacker sends a phishing email with a malicious attachment to an unsuspecting employee. The employee opens the attachment, launching malware that exploits a known vulnerability and establishes a foothold on the employee's computer.


    Cyber Essentials makes sure you have an anti-virus that can detect common malware types, but determined adversaries will easily overcome this with customised phishing campaigns and customised malware. Only security training can educate the user on what a malicious email looks like.

    A managed SOC/SIEM service can analyse email logs for suspicious patterns, such as unexpected senders, or attempts to bypass email filters and identify reconnaissance activities early in the attack. This can help identify potential phishing campaigns before an attacker is able to gain an initial foothold.

  2. 2

    Privilege escalation


    The attacker exploits a known vulnerability to gain administrative privileges on the compromised device.


    Cyber Essentials interacts with patch management and admin credential separation, but it’s a point-in-time assessment, and no provision is made for an on-going patch management programme nor enforcement of credential separation.

    This can be a case of ‘process to the rescue’, and something like ISO 27001 is great at putting in place things that make you both ‘do’ and ‘review’. ISO compliance needs evidence of things happening, so it helps make sure that your patching happens when it should happen, instead of 1 day before a re-certification audit. This is also another time a managed SOC/SIEM service ca help: tried-and-tested runbooks tell the SOC team to react if something out of the ordinary for a business and deny the escalation request or isolate a device so no others can be impacted.

  3. 3

    Lateral movement


    The attacker uses these admin privileges to move laterally throughout the infrastructure, identifying sensitive data stores and other systems to compromise.


    Network segmentation, where networks are divided into smaller segments, is a key defence against an attacker moving throughout your infrastructure. Network segmentation limits an attacker's ability to move laterally and access sensitive data. Cyber Essentials does not provide for network segmentation, instead focussing on the network boundary.

    A cleverly scoped penetration test will do a great job of testing your network segmentation. Bulletproof has lots of resources on getting the most out of penetration testing, which are included at the bottom of this article. Going further, once again a managed SIEM service can provide network traffic monitoring to analyse network traffic for suspicious activity, detecting lateral movement attempts.

  4. 4

    Data exfiltration


    The attacker exfiltrates sensitive data to a remote server under their control, mines crypto currencies or causes disruption/denial of service.


    If an attacker exfiltrates data that is properly encrypted, the stolen data can be effectively rendered useless to the attacker. Strong data protection practices are essential here. Encryption at-rest and in-transit is not mandated by Cyber Essentials, but will be in-scope of other certification standards. Not to motion that, if you’re being risk-based by following ISO 27001 or SOC 2, you’ll know what you need to encrypt and where.


The landscape of cyber threats is continuously evolving, with nation-state actors increasingly targeting Government and Gov-aligned entities, including supply chain partners. These actors often employ sophisticated tactics, techniques, and procedures (TTPs) that are specifically designed to bypass traditional, foundational security measures such as those defined in Cyber Essentials. To effectively detect and respond to these advanced threats promptly, a comprehensive security approach that incorporates a joined up layered defence strategy. A red team engagement is the best way for a security mature organisation to test their defences.

While achieving Cyber Essentials certification offers a baseline cyber security posture, solely aiming for "minimum compliance" can create significant vulnerabilities and expose your organisation to substantial risks. I advocate for a holistic approach that incorporates continuous monitoring that goes beyond this mindset. Implementing these measures not only enhances security but also fosters trust and resilience, ultimately empowering you to reduce the risks of a rapidly evolving threat landscape.

Nicky Whiting Headshot

Meet the author

Nicky Whiting Managing Director

As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.

Find your next security steps with a Cyber Security Assessment

Completed Cyber Essentials but not sure where to go next? A consultant-led cyber security assessment will review your risks & boost your business resilience. Find the next step in your strategy.

Get started today

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.