Why Cyber Essentials Isn't Enough for Your Business

Synnovis, an NHS pathology provider, lost an estimated GBP 32.7 million after a ransomware attack in June 2024. Over 10,000 patient appointments were postponed across affected hospitals. Blood testing dropped to 10% capacity across affected London hospitals.
Their protective controls weren't necessarily terrible on their own. The damage came from what happened after the attack got through: no rapid detection, no practised response, and no tested recovery process. Those capabilities sit outside what Cyber Essentials checks for, because CE was never designed to cover them.
I've certified over 800 organisations through the scheme. I tell every one of them the same thing: CE gets you the baseline. It proves you take security seriously enough to do the basics. But it only covers one of six things you actually need. The certificate goes on the wall, everyone relaxes for 364 days, and that gap is where the damage happens.
What CE does well
CE handles the Protect function properly with five controls that are clearly defined and objectively assessed. Firewalls, secure configuration, user access control, malware protection, and patch management. These aren't trivial controls by any measure, and they stop the most common attack methods. Lancaster University tested 200 common vulnerabilities against the five controls and found 131 fully mitigated and 60 partially mitigated. If every UK business had these five things in place, the number of successful attacks would drop significantly.
That's not a criticism of CE, because it does what it's supposed to do.
So what's missing?
CE covers the Protect function and nothing else. That's one function out of six in the NIST Cybersecurity Framework 2.0, released in February 2024. The framework defines six functions that together make up a complete security programme: Govern, Identify, Protect, Detect, Respond, and Recover.
CE addresses Protect and touches part of Identify (you have to list your in-scope devices). The other five functions are either partially covered or completely absent.
43% of UK businesses reported a breach or attack in 2025 (Cyber Security Breaches Survey). Most of those businesses had some form of protective controls in place. They didn't fail because their firewall was missing. They failed because nobody was watching, nobody knew what to do when it happened, and nobody had tested whether they could get back to normal.
Govern: who's making security decisions?
CE doesn't ask whether your organisation has a security policy. It doesn't check whether the board understands cyber risk. It doesn't ask who's responsible for security decisions or how those decisions get made.
Without governance in place, security becomes entirely reactive. Something breaks, someone fixes it, nobody documents why. When a dispute arises about whether personal devices are in scope, there's nothing written down. The assessment passed because scope was declared, not governed.
For regulated sectors (legal firms under SRA Rules 2.1 and 2.5, financial services under FCA PS21/3, NHS suppliers under DSPT v8), governance isn't optional. Regulators expect documented policies, board-level engagement, and evidence of ongoing risk management. CE doesn't check for any of it.
Identify: do you know what you've got?
CE requires you to list the devices and software in your scope. But that's a declaration, not a discovery process. You write down what you know about. The things you've forgotten, the devices employees brought in without telling anyone, the contractor laptop that connected to the network once and was never removed. Those exist outside your scope declaration entirely.
I've seen organisations declare 40 devices on their CE application, then a vulnerability scan finds 67. The 27 extras were personal devices, IoT sensors, and a forgotten test server that nobody had touched in 18 months. CE can't fail you for devices you didn't declare, and that's the problem.
You can't protect what you don't know exists. Shadow IT and unmanaged assets are consistently the most common entry points in penetration tests.
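The declared-versus-discovered gap above is easy to check mechanically. As an added example (not the author's or any scheme tooling), this script reconciles a CE scope declaration against a scan inventory, normalising MAC formatting first because spreadsheets and scanners rarely agree; all devices listed are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    kind: str  # laptop, server, desktop, iot ...

def normalise_mac(mac: str) -> str:
    """Canonicalise to lowercase colon-separated form so a spreadsheet
    entry like AA-BB-CC-00-00-01 matches the scanner's aa:bb:cc:00:00:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(declared, discovered):
    """Return (undeclared, stale): devices the scan found that are missing
    from the scope declaration, and declared devices the scan never saw."""
    dec = {normalise_mac(a.mac): a for a in declared}
    seen = {normalise_mac(a.mac): a for a in discovered}
    undeclared = sorted((seen[m] for m in seen.keys() - dec.keys()), key=lambda a: a.hostname)
    stale = sorted((dec[m] for m in dec.keys() - seen.keys()), key=lambda a: a.hostname)
    return undeclared, stale

# Constructed sample: what was written on the CE application.
DECLARED = [
    Asset("AA-BB-CC-00-00-01", "fin-laptop-01", "laptop"),
    Asset("AA-BB-CC-00-00-02", "file-server-01", "server"),
    Asset("AA-BB-CC-00-00-03", "old-pc-07", "desktop"),
]

# Constructed sample: what a network scan found on the same day.
DISCOVERED = [
    Asset("aa:bb:cc:00:00:01", "fin-laptop-01", "laptop"),
    Asset("aa:bb:cc:00:00:02", "file-server-01", "server"),
    Asset("aa:bb:cc:00:00:10", "test-srv-2019", "server"),  # forgotten test box
    Asset("aa:bb:cc:00:00:11", "meeting-room-sensor", "iot"),
    Asset("aa:bb:cc:00:00:12", "contractor-laptop", "laptop"),
]

if __name__ == "__main__":
    undeclared, stale = reconcile(DECLARED, DISCOVERED)
    for label, items in (("undeclared", undeclared), ("declared but not seen", stale)):
        print(f"{len(items)} {label}:")
        for a in items:
            print(f"  {a.mac:<17} {a.hostname} ({a.kind})")
```

Anything in the undeclared list is outside the CE boundary and outside every control the certificate vouches for; the stale list is the decommissioning paperwork nobody did.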
Detect: can you see an attack in progress?
This is the most dangerous gap in the framework. If you can't see the attack, you can't respond to it. Every other function depends on knowing something has happened.
CE doesn't require any form of monitoring, alerting, or detection. It doesn't ask for endpoint detection and response (EDR), log analysis, or anomaly alerting. A business can pass CE Plus in January, suffer a compromised user account in April, and not notice for six weeks because there's nothing watching.
Most SMEs without monitoring don't find out they've been breached until their clients tell them or until the ransomware note appears on screen. By that point, the attacker has had weeks of access. They've moved laterally, elevated privileges, and exfiltrated data. The CE certificate is still valid the entire time. The NCSC's Iran cyber threat checklist is a good example of this gap: it recommends detection and monitoring capabilities that CE does not require.
Respond: what do you do when it happens?
Synnovis is the evidence for how badly this can go, with GBP 32.7 million in estimated impact. Not because their firewall was misconfigured, but because the response was inadequate for the scale of the attack.
CE doesn't ask whether you have an incident response plan. It doesn't check whether you've tested it. It doesn't require you to know who to call, what to report, or how to contain a breach. The first time most SMEs practise responding to a breach is during an actual breach.
The British Library's 2023 attack cost an estimated GBP 6 to 7 million in recovery. It took months to restore services, and a database of personal details was leaked in the process. The recovery was long partly because the institution hadn't tested its recovery processes against this type of attack.
Without an IR plan, you're making it up as you go. Under ICO, FCA, and SRA reporting requirements, you may also be breaking the law.
Recover: can you get back to normal?
CE doesn't test your backups or ask whether you've verified them. It doesn't check whether you have a business continuity plan or whether you've tested your recovery procedures.
Recovery is the difference between a disruption and a disaster. An organisation that can restore from backups within hours is in a fundamentally different position from one that discovers its backups haven't been running since August. The backup and recovery guide covers what good practice looks like within the CE framework, even though CE itself does not test it.
The 364-day problem
CE is a point-in-time assessment, and you certify once a year. Between certifications, configurations drift, new employees join without proper access controls, software goes unpatched because the person who used to handle it left, and nobody picks up the process. Outsourcing to an MSP doesn't automatically close this gap either. Many managed security arrangements cover patching and antivirus but not detection or response.
Consider this scenario that plays out regularly: an SME passes CE in January. In March, a new employee starts and gets admin access because nobody reviewed the access control policy after certification. In June, the employee's credentials are phished. Nobody notices for three weeks because there's no monitoring. By the time someone spots it, the attacker has exfiltrated client data. The CE certificate is still valid throughout all of this, and every control still technically passes on paper. The problem was everything CE doesn't test.
I used to think CE Plus was enough for regulated sectors. After seeing how quickly the Synnovis situation escalated, not because of a controls failure but because of a response failure, I changed my position. Regulated sectors need the full picture across all six functions.
What a complete security programme looks like
The NIST Cybersecurity Framework 2.0 gives the structure. Six functions, each covering a different aspect of security:
| Function | What it does | CE coverage |
|---|---|---|
| Govern | Security strategy, policy, risk management | Not covered |
| Identify | Asset discovery, risk assessment, attack surface mapping | Partial (scope declaration only) |
| Protect | Technical controls (firewalls, patching, MFA, access control) | Covered (this is what CE does) |
| Detect | Monitoring, alerting, anomaly detection | Not covered |
| Respond | Incident response planning, containment, reporting | Not covered |
| Recover | Backup verification, business continuity, recovery testing | Not covered |
CE fills one cell in that table. The other five are where breaches cause real damage.
We already deliver services across all six functions: vulnerability scanning, penetration testing, EDR monitoring, patching, policy reviews, and incident response planning. We've been doing it for years across all of those areas. What Cyber 365 does is structure those services into a single programme mapped to the NIST framework (following the cross-functional resilience assessment protocol), so the journey from CE to full security coverage is intentional rather than reactive.
Not every business needs all six functions at the same depth. A 30-person company without regulatory obligations has different requirements from a 200-person law firm handling client funds. That's a conversation worth having, not a product to be sold.
Where are your gaps?
If you've already got CE, you've done the hardest part of convincing yourself to care. The question now is whether you know where the other five gaps are.
Read the 6 things Cyber Essentials doesn't cover for a detailed breakdown of each missing function with real consequences. Or see how Cyber 365 maps our services to all six NIST functions. If you're weighing ISO 27001 as a next step, the CE vs ISO 27001 comparison breaks down where the two certifications overlap and where they diverge.
If you want to know where you actually stand before talking to anyone, take the free readiness quiz. It takes five minutes and requires no commitment.
Related articles
- The 6 Things Cyber Essentials Doesn't Cover
- Cyber 365: How Our Security Framework Works
- Qilin: The Ransomware Group That Disrupted NHS Blood Tests
- Your Business Can't Pay Ransoms Anymore
- The Cyber Security and Resilience Bill: What MSPs Need to Know
- Backup and Recovery for Cyber Essentials
- Cyber Essentials vs ISO 27001
- NCSC Iran Checklist vs Cyber Essentials
- Why Your MSP's Managed Security Isn't Enough
- Lancaster University: Cyber Essentials Effectiveness Study