Going beyond Cyber Essentials Plus

Glen Williams at Cyberfort describes five ways to elevate security measures beyond the UK’s Cyber Essentials Plus security standard

While cyber-security could hardly rank higher as a boardroom priority, there is potentially a greater risk on the cyber-security agenda. Friction amongst leadership appears to be creating a divide in business: boards face high cyber-security risks, yet many lack a CISO or any cyber-security representative at board level. This cavalier approach may in itself weaken cyber-defences and leave companies wide open to successful breaches.

In fact, the UK Government’s cyber-security breaches 2025 report reflects a reduction in specialist cyber-security representation on boards, to the extent that board-level responsibility for cyber-security at company-director level has decreased from 38% to 27% over the last four years. Yet with almost three-quarters (72%) of business respondents seeing cyber-security as a ‘high priority’, there is a clear disconnect between the board responsibilities required and the cyber-security reality.

This is likely one reason why average CISO tenure is so low, estimated at 18 to 26 months according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.

The UK Government cyber-security breaches report also tells us that current threat levels for UK businesses remain high, with as many as 43% of businesses and three in ten charities experiencing some kind of cyber-security breach or attack in the last 12 months. Being targeted is inevitable, and security teams must plan for a successful breach.

Cyber-security complacency at board level

With more CISOs stepping away from the boardroom, and with an increasingly active and sophisticated cyber-threat landscape featuring ransomware and highly targeted social engineering attacks, it is likely that their board director peers aren’t qualified to take ownership of cyber-security responsibilities.

There is clear evidence of the need for information security representation at board level. Research by the World Economic Forum shows that those organisations that have strong executive involvement in cyber-security are 400% more likely to repel or rapidly recover from an attack.

In fact, Cyberfort’s own customer research has highlighted an alarming complacency – that many businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep their organisation secure and fulfil board requirements. As high-profile breaches continue to dominate the media agenda, this is a high-risk strategy.

Limitations of CE+

Cyber Essentials Plus is a Government-backed certification scheme recommended as the minimum standard of cyber-security for organisations. Cyber Essentials launched in 2014 as a self-assessment process for establishing adequate protection. CE+ certification requires the same protections, together with vulnerability testing and an external audit before a pass can be achieved.

CE+ covers five basic areas, which might at one point have been sufficient to counter cyber-risks: patch management, access control, malware protection, secure configuration, and boundary firewalls.

Yet one of the greatest shortcomings of CE+ is that it says nothing about real-time threat detection and response, which is essential to detecting threats at the earliest stage. CE+ wasn’t designed to protect organisations against advanced persistent threats (APTs), targeted attacks, or the evolving techniques of criminal groups that are so prevalent today.

According to the UK Information Commissioner’s Office (ICO), over 80% of successful cyber-security incidents begin with phishing, yet CE+ has no requirements around simulated phishing or awareness training beyond general advice.

Five ways to elevate cyber-security protection

By taking the following cyber-security measures, security leaders give their organisations the best chance of being protected in the event of a cyber-attack:

Real-time threat detection and response
Security Operations Centres (SOC), Security Information and Event Management (SIEM) platforms, and Endpoint Detection and Response (EDR) tooling are the most effective ways to counter a cyber-attack.

Phishing and social engineering resilience
Awareness training and simulated phishing are the only way of outsmarting social engineering attacks in which emails are highly personalised and appear to come from a known person.

Cloud and hybrid environment protection
CE+ still assumes a traditional network perimeter, ignoring many of the risks associated with modern SaaS, IaaS, and BYOD environments. As these ecosystems grow in complexity, the vulnerabilities grow with them.

Business continuity and incident response planning
Most remarkably, there is no requirement under CE+ to prove you can recover from a ransomware attack or data breach. Planning for the worst to occur is essential to fully understanding the potential risk.

Third-party and supply chain risk
As seen in recent high-profile breaches, attackers often exploit third-party vendors or contractors to reach their targets. As CE+ does not assess or govern these relationships, it is up to each business to engage its supply chain on the relevant risks.

Consequences of gaps in protection

There are serious risks in investing in and relying on CE+ alone. To start with, there are hefty fines payable for non-compliance, with the average ICO fine for a serious cyber-incident in the UK being £153,722 in 2024.

Insurers are also increasing demands, with some underwriters insisting on evidence of 24/7 monitoring and incident response plans to stay covered. Business partnerships are also becoming dependent on a company’s cyber-security posture, with rising expectations of ISO 27001 or sector-specific certifications such as NHS DSPT or PCI-DSS compliance.

The knock-on effects of reputational and financial damage to a business can’t be ignored. According to Hiscox’s 2024 Cyber-Readiness Report, almost half (47%) of organisations struggled to attract new customers following a successful cyber-attack. A major UK-based systems integrator suffered a breach in 2023 that cost £25 million in recovery, fines, and lost business, despite holding security certifications.

The impact on business operations can be extensive with far-reaching consequences. In 2024, the average ransomware incident led to 21-24 days of downtime and cost $2.73 million, according to NinjaOne.

Four key actions security leaders must take

Ultimately, information security decision-makers must take four key actions to ensure their organisation is secure, resilient and compliant:

Ensure board-level oversight of cyber-risk through regular briefings, KPIs, and executive ownership

Commission an independent cyber-risk assessment that goes beyond Cyber Essentials Plus

Invest in detection and response capabilities – whether in-house or outsourced

Adopt a recognised security framework such as the NCSC’s Cyber-Assessment Framework, NIST Cyber-Security Framework (CSF) 2.0, or ISO 27001

Organisations must recognise that CE+ certification is not sufficient to counter today’s cyber-threats: it is only a baseline standard.

As threat actors are evolving faster than defences, cyber-security leaders, and those responsible for cyber-security at board level, must have advanced detection capabilities to identify threats as they arise. This means elevating practices beyond CE+ and adopting new tools and measures that maximise their defences, with proactive planning for a breach that can limit the impact on the business, stakeholders, customers, employees and the supply chain, should the worst occur.

As organisations navigate the cyber-security landscape, one thing is clear: Cyber Essentials Plus is the beginning, not the end. By acting now, business directors and cyber-security teams can safeguard their organisations, protect stakeholder trust, and meet their obligations in an increasingly hostile threat landscape.
