Iran Cyber Warning: What CE Covers and What It Doesn't

The NCSC published an advisory on 2 March 2026 following Iranian-linked cyber activity across the Middle East. I mapped every recommendation in that advisory against the five Cyber Essentials controls. Five of seven recommendations match directly to CE controls. Patching, MFA, firewalls, malware protection, secure configuration. All CE territory, and that mapping is reassuring for good reason. CE was designed to cover the entry points attackers use, and Iranian state actors use the same entry points as everyone else: unpatched VPN appliances, missing MFA, default passwords.
But the advisory also recommends things CE was never designed to cover. And that's where most businesses stop paying attention.
One function out of six
The NIST Cybersecurity Framework 2.0 defines six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CE maps to Protect, the third of six, and it does Protect well. The five technical controls are solid preventative measures, and Lancaster University research tested 200 internet-borne vulnerabilities against them, finding 131 fully mitigated and another 60 partially mitigated.
But the Iran advisory goes well beyond Protect, touching at least four of the six functions.
| Threat Vector | NIST Function | CE Coverage |
|---|---|---|
| Unpatched VPNs (Fortinet, Citrix) | Protect | Yes |
| Credential theft / brute force | Protect | Yes |
| DDoS (149 attacks in 72 hours) | Detect + Respond | No |
| Supply chain risk (Middle East connections) | Govern | No |
| Ongoing threat monitoring | Detect | No |
| Incident response during escalation | Respond | No |
CE handles the top two rows, but the bottom four are outside its scope, not because CE failed but because CE was never designed to cover them.
What Protect covers (and where it drifts)
CE tests your configuration at a point in time. If patches are current on assessment day, you pass. If MFA is enabled and firewall rules are documented with business justification, you pass those too.
Between assessments, though, things change in ways nobody tracks. A temporary firewall rule stays in place longer than planned. A new starter's account doesn't get MFA enabled because onboarding was rushed. A VPN appliance gets a firmware update that nobody applies because it's not on anyone's checklist.
I ran an assessment recently where the client's endpoint patches were current. Every laptop and desktop up to date. But the VPN appliance firmware was two versions behind. That's exactly the device Iranian APT groups target. CE requires patching on all devices in scope. But "all devices" includes the ones that aren't sitting on someone's desk, and those are the ones people forget.
CE is a snapshot taken on assessment day. It tells you whether your controls were right on the day of the assessment. It doesn't tell you whether they're right today. That distinction matters more during periods of heightened threat activity than it does during normal operations.
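To make the snapshot-versus-today point concrete, here is an added example (not code from the article or from any CE assessment tooling) that re-checks the three drift cases above against a constructed inventory: an unapplied edge-device fix older than the 14-day patching window, an account without MFA, and a temporary firewall rule past its agreed expiry. Device names, versions, users and rule ids are invented; the same inventory comes back clean on a February assessment day and drifted by 2 March.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # CE requires critical/high-risk fixes applied within 14 days of release

# Constructed inventory export standing in for what an assessor would see on the day.
# Device names, firmware versions, users and rule ids are invented for illustration.
INVENTORY = {
    "devices": [
        {"name": "laptop-01", "edge": False, "installed": "2.1", "latest": "2.1", "fix_released": "2026-02-10"},
        {"name": "vpn-gateway", "edge": True, "installed": "7.2.1", "latest": "7.2.3", "fix_released": "2026-02-01"},
    ],
    "accounts": [
        {"user": "alice", "mfa": True, "joined": "2025-06-01"},
        {"user": "new-starter", "mfa": False, "joined": "2026-02-20"},  # rushed onboarding, MFA never enabled
    ],
    "firewall_rules": [
        {"id": "allow-rdp-temp", "temporary": True, "expires": "2026-02-15"},
        {"id": "allow-https", "temporary": False, "expires": None},
    ],
}

def find_drift(inv, today_iso):
    """Re-check the CE controls against the inventory as of today_iso (YYYY-MM-DD).

    Returns one finding per control that no longer holds: an unapplied fix older than
    the 14-day window, an existing account without MFA, or an expired temporary rule.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for d in inv["devices"]:
        if d["installed"] != d["latest"]:
            age = (today - date.fromisoformat(d["fix_released"])).days
            if age > PATCH_WINDOW_DAYS:  # behind but inside the window is still acceptable under CE
                scope = "internet-facing" if d["edge"] else "internal"
                findings.append(f"PATCH {d['name']} ({scope}): {d['installed']} installed, "
                                f"{d['latest']} available, fix is {age} days old")
    for a in inv["accounts"]:
        if date.fromisoformat(a["joined"]) <= today and not a["mfa"]:
            findings.append(f"MFA {a['user']}: multi-factor authentication not enabled")
    for r in inv["firewall_rules"]:
        if r["temporary"] and r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append(f"FIREWALL {r['id']}: temporary rule expired {r['expires']} but is still present")
    return findings

if __name__ == "__main__":
    # Same inventory, two dates: clean on the assessment day, three findings by the advisory date.
    for day in ("2026-02-10", "2026-03-02"):
        print(day, find_drift(INVENTORY, day) or "no drift")
```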
What Detect covers (and why CE doesn't)
The NCSC advisory recommends signing up for their Early Warning service and monitoring for malicious activity targeting your infrastructure. That's the Detect function, which CE doesn't test for.
Detection means knowing when something is targeting you. It means getting an alert when someone's scanning your IP addresses, when there's a spike in failed login attempts, when a device on your network starts communicating with a known command-and-control server.
The NCSC's Early Warning service is free. You register your public IP addresses and domain names at my.ncsc.gov.uk. They process around 2,000 alerts per month across all users, and it takes five minutes to set up.
Most UK businesses haven't signed up for it.
Beyond Early Warning, endpoint detection and response (EDR) tools monitor device behaviour in real time. They don't just look for known malware signatures. They look for suspicious activity patterns, the kind of lateral movement and credential harvesting that Iranian APT groups use once they're inside a network. CE doesn't require any of this because CE stops the attacker at the door. Detection catches them if they get through.
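Two of the detection signals described above, a spike in failed logins from one source and a device talking to a known command-and-control address, can be checked with a few lines of log analysis. This is an added example, not code from the article or from any EDR product: the auth and firewall log lines are constructed, the addresses are documentation ranges, and the single "known C2" entry is a placeholder for whatever threat-intelligence feed you actually use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real logs). Addresses are documentation ranges and
# the "known C2" entry is an invented placeholder for a threat-intelligence feed.
AUTH_LOG = "\n".join(
    [f"2026-03-02T09:00:{s:02d} sshd: Failed password for admin from 198.51.100.7" for s in range(0, 60, 10)]
    + ["2026-03-02T09:14:02 sshd: Failed password for bob from 192.0.2.10",   # one typo, not a spike
       "2026-03-02T09:14:30 sshd: Accepted password for bob from 192.0.2.10"]
)
CONN_LOG = "\n".join([
    "2026-03-02T10:00:00 fw: 10.0.0.5 -> 203.0.113.9:443 allow",
    "2026-03-02T10:05:00 fw: 10.0.0.5 -> 203.0.113.9:443 allow",   # regular five-minute beacon
    "2026-03-02T10:10:00 fw: 10.0.0.5 -> 203.0.113.9:443 allow",
    "2026-03-02T10:01:13 fw: 10.0.0.8 -> 198.51.100.20:443 allow",  # ordinary outbound traffic
])
KNOWN_C2 = {"203.0.113.9"}

FAIL_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
CONN_RE = re.compile(r"^(\S+) fw: (\S+) -> (\S+):\d+ allow$")

def failed_login_spikes(log, threshold=5):
    """Count failed logins per (source IP, minute) and return buckets at or above threshold."""
    buckets = Counter()
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, _user, src = m.groups()
            buckets[(src, ts[:16])] += 1     # ts[:16] keeps YYYY-MM-DDTHH:MM, i.e. the minute
    return {k: n for k, n in buckets.items() if n >= threshold}

def c2_contacts(log, bad_ips):
    """Map each internal host to the known command-and-control addresses it reached."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(3) in bad_ips:
            hits[m.group(2)].add(m.group(3))
    return {host: sorted(ips) for host, ips in hits.items()}

if __name__ == "__main__":
    for (src, minute), n in failed_login_spikes(AUTH_LOG).items():
        print(f"ALERT brute force: {n} failed logins from {src} in minute {minute}")
    for host, ips in c2_contacts(CONN_LOG, KNOWN_C2).items():
        print(f"ALERT C2 contact: {host} -> {', '.join(ips)}")
```

The threshold and the per-minute bucket are deliberately simple; a real EDR or SIEM rule would also weight by account, source reputation and time of day.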
What Respond covers (and why the advisory highlights it)
The NCSC advisory says "the situation could change rapidly." That's a polite way of saying: have a plan for when it does.
Incident response planning means knowing what your first 72 hours look like. Who gets called and what gets shut down. How you notify your regulator (ICO, FCA, SRA) within the required timeframe. How you communicate with customers and how you preserve evidence for investigation.
CE doesn't test any of this because CE is about prevention, and prevention is necessary but not sufficient on its own. Every security framework worth following includes response as a distinct function because prevention will fail eventually.
(Slight tangent, but worth saying: response planning is also where I see the biggest gap between what businesses think they have and what they actually have. Most "incident response plans" I've reviewed are templates downloaded from the internet with the company name swapped in. That is not a plan.)
If you're in a regulated sector, your regulator already expects an incident response capability. The FCA expects operational resilience from regulated firms. The SRA expects client data protection as a core obligation. The DSPT expects NHS suppliers to demonstrate response readiness. CE doesn't satisfy any of those requirements, and none of those regulators will accept a CE certificate as evidence of response readiness.
What Govern covers (and why supply chain risk matters here)
The NCSC advisory specifically flags organisations with Middle East supply chain connections. That's a governance question, not a technical one. Do you know where your supply chain extends? Do you have visibility into your suppliers' security posture, and have you assessed the risk?
CE doesn't address governance at all as a framework. Risk registers, board reporting, supply chain due diligence, and security policy are all Govern function activities, and none of them are assessed under CE.
For businesses supplying government departments, NHS trusts, defence contractors, or critical national infrastructure, supply chain risk isn't theoretical. Supply chain attacks work by finding the weakest link. That's usually a smaller supplier with fewer resources.
Whether the Iran advisory changes anything for those suppliers in practice is a different question. But the pattern it highlights is not new.
CE is step one, not the finish line
None of this means CE is wrong or insufficient for what it does. CE covers the Protect function and it covers it well. If every UK business implemented the five controls properly, the majority of attacks would fail at the perimeter. But "the majority" isn't "all." And "at the perimeter" doesn't help when the threat is inside the network, when the advisory warns that the situation is changing rapidly, or when your regulator wants to see governance, detection, and response capabilities alongside technical controls.
CE covers one of the six NIST functions, and Cyber 365 covers all six. It takes CE as the starting point and adds the continuous visibility, monitoring, response planning, and governance that CE was never designed to provide.
| NIST Function | What It Covers | CE | Cyber 365 |
|---|---|---|---|
| Govern | Risk strategy, policy, supply chain oversight | No | Yes |
| Identify | Asset discovery, vulnerability scanning, risk assessment | Partial | Yes |
| Protect | Firewalls, patching, MFA, malware, configuration | Yes | Yes |
| Detect | Monitoring, alerting, anomaly detection | No | Yes |
| Respond | IR planning, regulatory reporting, breach communication | No | Yes |
| Recover | Business continuity, backup testing, lessons learned | No | Yes |
The Iran advisory is a useful test case because it shows exactly where the gaps are, not in theory but in a real, current threat scenario where the NCSC is telling UK businesses to act. Whether you fill those gaps with Cyber 365 or with something else entirely is a separate decision, but the gaps themselves are the point.
Three things to do this week
Check your internet-facing device patches, not just endpoints but also VPN appliances, firewalls, and email gateways. Iranian APT groups target the network edge. If your Fortinet or Citrix appliance has firmware that's behind, that's their documented entry point. CE requires all devices patched within 14 days.
Sign up for NCSC Early Warning. Free, at my.ncsc.gov.uk, five minutes. Register your public IP addresses and domains. The NCSC sends alerts when they detect malicious activity targeting your infrastructure.
Ask yourself: what's our first-72-hour plan? If the NCSC advisory escalated tomorrow and something hit your network, do you know who gets called, what gets shut down, and how you notify your regulator? If the answer is "we'd figure it out," that's the gap this article is about.