Do You Need More Than Cyber Essentials?

Cyber Essentials is a good baseline for any business handling data. It covers the five technical controls that stop the majority of commodity attacks: firewalls, secure configuration, access control, malware protection, and patch management. For some businesses, that's the right level of investment. For others, it's the starting point of a longer journey.
The difference depends on three things: what you're protecting, who you report to, and what happens when something gets through.
The one-function problem
NIST CSF 2.0 defines six security functions: Govern, Identify, Protect, Detect, Respond, and Recover. CE covers one of those six functions. It covers Protect well, and for the threats it targets (commodity internet-borne attacks), it works. The Lancaster University study tested 200 internet-borne vulnerabilities against the five controls and found 131 fully mitigated and another 60 partially mitigated.
That's strong evidence for prevention, but it leaves five functions unaddressed.
There is no governance framework, no continuous asset discovery, no detection capability, no incident response plan, and no recovery testing. If your business only needs protection against untargeted attacks and has no regulatory obligation beyond CE, one function may be enough. Most businesses, once they think about it properly, realise it isn't.
Six questions to ask yourself
1. Would you know if someone was inside your network right now?
CE doesn't require any form of monitoring. No endpoint detection and response, no log analysis, no anomaly alerting. If an attacker gets past the five controls, through a zero-day, a social engineering attack, or a compromised supplier, nothing in CE is designed to spot them.
If your answer is "no," you have a detection gap. That's the Detect function, and CE doesn't touch it.
2. Do you have an incident response plan that has been tested?
Not just written down somewhere, but actually tested against a real scenario. Most businesses either have no plan or have a document that was written once and never rehearsed. When the ransomware note appears, the first time most SMEs practise responding is during the actual incident.
A tested plan means you've sat around a table (or a video call) and walked through a scenario. Who gets called first, who contacts the ICO, and who makes the decision about the ransom demand? If nobody has practised, the plan doesn't count.
That's the Respond function, and CE doesn't cover it. Read more about what that costs in practice.
3. Can you restore from backup and have you tested it?
Your MSP might say backups run nightly, and that is a good start. But have you tested a restore, and do you know how long it takes? If the answer is "I think our MSP handles that," you need a more specific answer.
Recovery testing matters because ransomware attackers increasingly target backup systems. If your backups are on the same network, or if the backup credentials are the same as the admin credentials, the backups may be encrypted alongside everything else.
That's the Recover function, and CE doesn't cover it.
4. Do you know what devices and software are on your network right now?
CE requires you to list your in-scope devices and software during the assessment. But that's a snapshot taken once a year. Between assessments, devices get added, software gets installed, employees bring personal devices that access organisational data. Shadow IT is one of the most common entry points I find during penetration tests.
If you don't have a current, maintained inventory, you're protecting assets you know about and ignoring the ones you don't.
That's the Identify function in practice, and CE covers it only partially: at assessment time, not continuously.
5. Does your sector regulator expect more than CE?
The SRA expects law firms to demonstrate adequate cybersecurity arrangements under Rules 2.1 and 2.5. "Adequate" is not defined as "has Cyber Essentials." The 2020 Thematic Review flagged firms that treated CE as their entire security programme.
The FCA requires operational resilience testing under PS21/3. Financial services firms need to demonstrate they can continue to operate through a cyber incident, not just prevent one.
NHS suppliers face DSPT requirements and, for products, DTAC pen testing obligations. CE Plus satisfies some of the technical requirements, but governance, detection, and recovery sit outside CE's scope.
That's the Govern function, and CE doesn't cover it.
6. Do you rely on third parties for critical services?
If your email, your accounting software, your CRM, or your cloud storage is provided by a third party, a breach at that provider affects you. CE covers your configuration of those services, not the provider's security posture.
Supply chain risk management sits in the Govern function. Understanding which of your suppliers hold your data, what their security posture looks like, and what happens if they're compromised is outside CE's scope entirely.
When CE alone is enough
For some businesses, CE genuinely is the right level. If you meet all of these criteria, CE may cover what you need:
- Fewer than 25 employees
- No regulated sector obligations beyond basic data protection
- No government or NHS supply chain contracts requiring additional assurance
- No sensitive client data beyond standard business records
- Comfortable that an annual point-in-time assessment provides sufficient assurance
- Willing to accept the risk of no detection, no response plan, and no recovery testing
That's a shorter list than most businesses expect.
When you need more
If any of these apply, CE alone leaves gaps:
- Regulated sector: Legal, finance, healthcare, or government supply chain. Your regulator expects capabilities CE doesn't test.
- Client contractual requirements: Some clients, particularly enterprise buyers, require evidence of detection capability, incident response planning, or governance frameworks that CE doesn't provide.
- High-value data: If you hold sensitive personal data, financial records, medical information, or intellectual property, the consequence of a breach exceeds what CE's preventive controls alone can manage.
- Previous incident: If you've already experienced a breach or near-miss, you know that prevention alone isn't sufficient.
- Growing business: If you've outgrown the stage where one person manages everything and nobody tracks what's on the network, you need the Identify function.
What "more" looks like
Going beyond CE doesn't mean buying enterprise security tools or hiring a full-time CISO. For most SMEs, it means addressing the gaps proportionally.
Detection: EDR on endpoints, which is not expensive. SentinelOne, CrowdStrike, or Microsoft Defender for Business all provide behaviour-based detection that catches threats CE's antivirus requirement wouldn't.
Response: An incident response plan. Written, tested annually through a tabletop exercise. A day and a half of work per year.
Identification: Vulnerability scanning on a regular cycle. Monthly or quarterly, depending on your size and rate of change.
Governance: For regulated businesses, a risk register, a security policy, and quarterly reporting to whoever owns risk in your organisation.
Recovery: Test your backup restore once a year at minimum. Know how long it takes, know what you'd lose, know who's responsible.
If you want to see how those five additions map to a structured programme, read how Cyber 365 works. If you want to understand what CE does cover in detail, read the 6 things it doesn't.
If you're not sure where your current controls stand, the readiness quiz takes five minutes. It covers the five CE controls and gives you honest feedback on where you pass and where you don't. No commitment required, and no sales call unless you want one.