Cyber Essentials certification: is it enough?

James Blake at Cohesity considers whether the NCSC’s Cyber Essentials are really enough to protect British businesses

The NCSC’s Cyber Essentials checklist was introduced in 2014, to provide leaders with a clear, accessible framework to defend their business against cyber-threats. From April 2026, the scheme is being updated. Multi-factor authentication (MFA) becomes mandatory for accreditation, whilst guidance around backups now appears near the top of the document to underscore its importance. Worryingly, although backup and recovery are now more prominently signposted, they still aren’t a mandatory requirement for Cyber Essentials certification.
Backup should, in reality, be right at the top of the list. The spate of destructive cyber-attacks on the UK retail sector last year reinforced that breaches are no longer an ‘if’ but a ‘when’; traditional methods for cyber-defence and prevention clearly aren’t working. What’s needed now is resiliency and a pivot towards a strategy that prioritises response and recovery to a trusted state.
Now is a good moment to assess the effectiveness of Cyber Essentials as a whole. Whilst the framework offers foundational cyber-hygiene advice for organisations, it doesn’t cover what’s really needed to bounce back from a breach. First, a shared responsibility model that runs across every part of the business. Second, step-by-step guidance on what is needed to investigate root cause, remediate threats, reduce attack surface, restore trust, and enable the recovery of an organisation.
What do you need to be Cyber Essentials certified?

Cyber Essentials is a voluntary certification run by the NCSC (National Cyber Security Centre). To earn certification, businesses must demonstrate that they have five key measures in place. Here’s a closer look at the checklist:

  • Firewalls and internet safety – Protect your network by blocking unauthorised access
  • Secure configuration – Remove or disable unnecessary apps and change default passwords
  • User access control – Give employees or contractors only the access they need and manage accounts carefully
  • Malware protection – Install antivirus software and keep it updated
  • Software updates – Keep your operating systems, apps and devices up to date with security patches

Sounds sensible, doesn’t it?

While this guidance is a step in the right direction, it can be difficult for businesses to put into practice and doesn’t fully prepare them for a real cyber-attack. The recommendations are broad, and over-focused on threat detection and defence. What’s missing is clear, step-by-step advice for what to do when disaster actually does strike.
The devil’s in the details

British businesses need specific, tailored, step-by-step guides on how to build effective incident response strategies. For instance, the NCSC recommends that organisations rehearse how they would respond to a cyber-breach and practise how to rebuild following an incident. It’s good initial guidance, but it doesn’t highlight what an effective response and recovery strategy requires: a shared responsibility model between IT, security and the wider business.
These rehearsals must involve every area of the business, and every employee has to understand their unique role and responsibilities. You can only understand your operational capability and improve it by testing it, but you can’t test effectively when you’re operating in silos. Getting business, IT and security in a room and securing agreement on a plan is no mean feat. Business wants agility, IT wants lower costs and security wants lower risk; it can feel like herding sheep. True operational resilience requires an overhaul of people and processes as much as technology, and a lot of patience. Because most businesses do operate in silos, even companies that do meet the minimum standard for Cyber Essentials are likely to struggle when put under duress in the event of a real breach.
Going beyond the bare minimum

In 2026, compliance with Cyber Essentials is the absolute bare minimum. It’s the most basic form of cyber-hygiene. So, what would going beyond the essentials look like?
We can learn from regulations like the EU’s DORA. It’s working because it effectively drew a line in the sand, a clear deadline for compliance. Organisations might not have achieved compliance yet, but importantly, they are now taking action and have made progress towards benchmarking their impact tolerances and current resiliency. Regulations like DORA are effective because they offer specific steps for implementation, as well as a timeline to comply. More importantly, DORA does not just focus on cyber-risk management through prevention and detection; it has explicit requirements for incident response and resilience testing. Unfortunately, guidance – like Cyber Essentials – is always going to be seen as optional until it becomes mandatory, resulting in inconsistent adoption.
Cyber Essentials should also include backup tools as a core requirement, not a recommendation. These tools now underpin resilience, because data supports every function in every business: from HR platforms to supply chain management to payroll. Data backup doesn’t just protect information: it protects the business, its employees, and its reputation when it matters most. Backup is one part of the resilience equation; recovery is the other. In a business continuity incident, recovery is about restoring data; in a cyber-incident, recovery is about restoring trust. Cyber Essentials should also ensure recovery is conducted to a secure state without reintroducing attacker persistence or vulnerabilities.
"Reactive" is just as important as "proactive"

We often talk about the importance of threat prevention and detection – being proactive when it comes to identifying and remediating threats. Whilst businesses should absolutely be investing in cyber-security tools and covering the basics like malware protection and network configuration, these tools don’t deliver true resilience. As the NCSC continually updates its guidance, it should consider that true resilience is now defined by an organisation’s ability to keep business-critical processes running during and after a breach. Resilience requires a culture shift, and successful culture shifts take time, commitment, and persistence. But the payoff is undeniable.
Finally, the NCSC can help support an industry shift by providing guidance on technologies for response and recovery, such as immutable backups. With breaches now inevitable, it’s not just about defending perimeters – but about bouncing back quickly in the midst of an attack with minimal disruption to customers.
James Blake is VP Cyber Resiliency Strategy at Cohesity
Main image courtesy of iStockPhoto.com and A stockphoto