Blogs & Opinions 26.03.2026

Why Cyber Essentials Plus Is a Baseline, Not a Safety Net

Certification won’t stop an attack. Leadership, visibility and continuous improvement will.

Rob Vann highlights five areas where CISOs can elevate their security posture beyond CE+ compliance

Cybersecurity has now climbed to the top of every UK board’s priority list. Yet a gulf remains between perception and practice, with too many organisations still relying on a tick-box approach to securing their systems, and in doing so, mistaking compliance for protection.

For many, that false comfort comes in the form of a Cyber Essentials Plus (CE+) certificate. It looks credible, it satisfies auditors, and it offers a visible statement of intent. But in 2026, it simply isn’t enough. CE+ is a baseline, not a benchmark: a good start on the security journey, but certainly not a destination.

The illusion of security

The government’s Cyber Security Breaches Survey paints a contradictory picture. Some 72% of UK businesses say cyber is now a “high priority”. Yet board-level responsibility for cyber risk has fallen from 38% to 27% in just four years.


That decline speaks volumes. Many boards are happy to invest in the optics of security, such as certifications, compliance audits and glossy policies, without embedding cyber resilience into strategic decision-making. The CISO churn rate tells the same story. The average tenure hovers between 18 and 26 months, and too few organisations integrate security leadership into the heart of their governance structure.

Without senior expertise at the table, cyber risk is too often viewed through the lens of regulatory compliance rather than operational resilience. As a result, achieving CE+ becomes a goal in itself, rather than a foundation for something more strategic.

The limits of a decade-old framework

Of course, CE+ remains a valuable, government-backed framework. It forces organisations to demonstrate control over patch management, malware protection, secure configuration, access controls and boundary firewalls. For many organisations, especially SMEs, it can be an important step towards good cyber hygiene.

But CE+ was designed for a different era. When it first launched in 2014, most businesses were still operating within traditional network perimeters. Ransomware was in its infancy, hybrid working was niche, and the cloud was still an emerging concept.

Fast forward a decade and the environment is all but unrecognisable. AI-driven attacks, complex supply chains, and cloud-native architectures characterise today’s threat landscape. Attackers exploit zero-days at scale, launch multi-stage social engineering campaigns, and monetise stolen credentials through a thriving cyber crime economy.

As has been argued elsewhere, Cyber Essentials simply hasn’t moved with the times. While it can do a good job of helping organisations secure the front door, there’s still an opportunity for attackers to slip through the side gate undetected.

The reality of today’s threat landscape

According to the government, 43% of UK businesses and nearly one in three charities suffered some form of cyber attack in the past year. The majority originated from phishing or social engineering. Yet CE+ offers no mandatory requirements for simulated testing or awareness training. This oversight alone could leave thousands of certified businesses vulnerable to the simplest but most effective tactics in the attacker’s playbook.

Add to that the risks of misconfigured cloud services, insecure APIs, and unmonitored third-party access, and it’s easy to see how compliance-only security leaves organisations exposed. Threat actors don’t care about certificates; they care about opportunity, and right now there is plenty of it.

Towards continuous assurance

What’s needed now is a shift in mindset, from compliance to continuous assurance. CE+ should be viewed as the minimum viable baseline for cyber hygiene. So what comes next? Here are five priority areas for CISOs looking to elevate their posture.

  1. Real-time threat detection and response
    Static defences are obsolete. Implementing EDR, SIEM, and SOC capabilities provides the visibility CE+ lacks. Early detection is the difference between containment and catastrophe.
  2. Phishing and social engineering resilience
    With phishing being the entry point for most breaches, training alone isn’t enough. Regular simulation exercises, executive-level testing, and instant reporting mechanisms are vital for building muscle memory across the workforce.
  3. Cloud and hybrid environment protection
    CE+ assumes on-premises boundaries. Security leaders must extend visibility and control into SaaS, IaaS, and BYOD ecosystems, where identity and configuration errors often create the biggest exposures.
  4. Incident response and continuity planning
    You can’t claim resilience without proving recoverability. Test your ransomware recovery plan, validate backup integrity, and rehearse crisis communications before, not after, an incident occurs.
  5. Supply chain assurance
    Attackers increasingly exploit suppliers as the weakest link. Vet your vendors, enforce minimum standards, and include cyber clauses in contracts.

CE+ may open the conversation, but it cannot close it. In a world where attackers collaborate, automate, and innovate daily, network defenders must do the same. Compliance can’t be the end goal; it must be the baseline from which we build continuous assurance and lasting resilience.

Because in cybersecurity, standing still is the most dangerous move of all.


Rob Vann is the chief solutions officer at Cyberfort. He has over 35 years of experience in cloud, security and managed services, and is a successful strategic security leader who has solved cybersecurity challenges for clients globally across a broad spectrum of organisations, including large corporates, telcos and government institutions.

