Cyber Essentials

The Business Challenge Financial services organisations face a dual challenge: enabling digital innovation while ensuring robust protection against increasingly sophisticated threats.

This organisation operated several business‑critical systems, including:

• Customer‑facing web and mobile banking platforms.
• Internal systems supporting lending and mortgage processes.
• Externally exposed infrastructure supporting digital services.

Any compromise could have resulted in:

• Unauthorised access to sensitive customer data.
• Operational disruption.
• Regulatory scrutiny and financial penalties.
• Long‑term reputational damage.

The organisation needed confidence that its preventative, detective and responsive controls would perform effectively under real attack conditions.

Unlike traditional penetration testing, Red Team exercises simulate the behaviour of genuine threat actors over an extended period.

For financial services organisations, Red Teaming helps to:

• Validate security controls across people, process and technology
• Test detection and response capabilities, not just prevention
• Identify gaps that only emerge during multi‑stage attacks
• Provide evidence of security maturity to regulators and stakeholders

This approach supports regulatory expectations around resilience, continuous improvement and proactive assurance.

CyberLab delivered a multi‑layered offensive security engagement, tailored to the organisation’s threat profile and risk priorities.

Red Team Exercise >

A multi‑week Red Team exercise simulated advanced attack techniques commonly used against financial institutions.

This included:

• Open‑source intelligence gathering
• Targeted spear‑phishing campaigns
• Assessment of user awareness and susceptibility to social engineering
• Attempts to gain initial access and escalate privileges

The objective was to mirror real‑world attacker behaviour and assess how effectively the organisation could prevent, detect and respond to an active threat.

External Infrastructure Testing >

CyberLab specialists conducted penetration testing across the organisation’s externally exposed infrastructure, assessing:

• Network‑level weaknesses
• Misconfigurations Vulnerabilities that could be exploited for unauthorised access

This testing helped identify technical gaps that attackers could leverage as entry points into the environment.

Web and Mobile Application Testing >

In‑depth testing of customer‑facing web and mobile applications was performed, aligned to the OWASP Top 10 where applicable.

Testing focused on:

• Authentication and authorisation controls
• Application logic flaws
• Data handling and exposure risks

Both automated and manual techniques were used to uncover issues that could impact customer trust and service availability.

The targeted attack simulation provided the organisation with clear, independent validation of its Cyber Security controls and overall resilience.

Key Outcomes

Validation of Cyber Security Controls
The organisation gained assurance that existing controls could defend against realistic attack scenarios.

Identification of Vulnerabilities
Technical and human‑centric weaknesses were identified, including areas susceptible to social engineering and control gaps that required attention.

Enhanced Security Posture
Actionable findings enabled targeted improvements to defensive controls, monitoring and incident response capabilities.

Clear Remediation Guidance
Comprehensive reporting provided prioritised recommendations, allowing efficient and effective remediation aligned to risk.

• Red Teaming provides insight that traditional testing cannot
• People remain a critical attack vector alongside technology
• Regulators increasingly expect evidence of realistic testing
• Continuous offensive testing supports long‑term resilience

Through an ongoing partnership with CyberLab, this financial services organisation continues to take a proactive approach to Cyber Security.

Regular Red Teaming and offensive testing enable the organisation to adapt to an evolving threat landscape, strengthen defences year on year and maintain the trust of customers and stakeholders.

By combining deep financial services expertise with real‑world attack simulation, CyberLab helps organisations protect what matters most: their people, their data and their reputation.

Under Danzell a new definition has been added ‘any cloud service that stores or processes organisational data is now in scope’. This removes previous ambiguity around excluding Software as a Service platforms.

Practical considerations for business

You should now:

The previous concepts of “untrusted” or “user initiated” devices have been removed.

The new rule is straightforward: If a device or service owned by the organisation connects to the internet, or manages internet connected data, it is in scope.

Why this matters

This clarity reduces misinterpretation during assessments and ensures organisations take a more holistic view of their environment. Laptops, mobile devices, servers and cloud platforms should all be considered equally when applying controls. BYOD devices should also not be forgotten when accessing organisational data or services.

All legal entities applying must be listed on your Cyber Essentials application.

Can I exclude systems?

Excluded networks must be clearly detailed in new Danzell scoping statements for any partial scope assessments.

The scope formerly referred to as “Web Applications” has now evolved into Application Development.

This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice, increasing focus on:

• Secure coding principles
• Timely patching of applications and frameworks
• Managing vulnerabilities throughout the development lifecycle

Guidance for development teams

Organisations involved in application development should:

• Document secure development practices
• Keep third party libraries up to date
• Demonstrate how vulnerabilities are identified and remediated
• This change reinforces that security must be built in, not bolted on

While not yet mandatory, the Danzell standard actively promotes passwordless authentication such as passkeys and FIDO2 authenticators.

Why organisations should take notice

Passwordless authentication:

• Reduces reliance on weak or reused passwords
• Improves user experience without sacrificing security
• Aligns with the long‑term direction of secure identity management

Adopting passwordless methods now can simplify future compliance and strengthen overall security posture. For further information IASME guidance should be consulted.

No selective remediation:

Sample 1: If high or critical vulnerabilities are detected by the approved scanning tool in the first sample – a mandatory retest (scanning) with new sampled devices is required (Sample 2).

Sample 2: Random sample of devices which had detected vulnerabilities (high or critical) older than 14 days. If the same vulnerabilities are detected as those from Sample 1 a CE+ fail report is issued and CE certificate revoked by IASME.

• If new or different high or critical vulnerabilities (older than 14 days) are detected this will result in an advisory being noted on the CE+ report and a CE+ Pass awarded.

Assessment rules:

Point in time assessment: All version and system information must be supported and meeting the criteria on the certificate issue date.

• Systems must be supported on certificate issue date, not just submission date.
• Version information should be within the 14-day window for patching if build numbers are provided.

Director declaration: now includes ongoing compliance responsibility.

Whilst not required, backup and recovery have received increased emphasis but are highly recommended by IASME.

Organisations should ensure that backups are:

• Robust and documented
• Protected from unauthorised access
• Regularly tested to ensure recovery is achievable
• If automatic backups are available, you should consider turning them on.

Practical steps to take:

Businesses should review:

• Backup frequency and retention policies
• Offline or immutable backup options
• Evidence of routine restore testing

This ensures organisations are better prepared to recover from ransomware or other disruptive incidents.

There is a critical timing consideration for organisations planning certification.

• Assessments set up before 27 April 2026 will follow the previous Willow standard
• Assessments initiated on or after this date must comply with Danzell Standard

For some organisations, this presents a short‑term opportunity. For most, however, preparing for the new requirements is the more sustainable approach.

The Danzell update raises the bar, but it also brings clarity. Organisations that take a proactive approach will find that these changes not only support compliance but meaningfully improve resilience.

Key preparation steps include:

• Reviewing MFA and account separation coverage across all systems
• Bringing all cloud services into scope
• Rigorous system wide patching in line with 14-day requirements, implementation of patching tools
• Updating asset inventories and scoping assumptions
• Strengthening backup and recovery processes
• Aligning development practices with secure coding standards
• Mobile device management for both organisation owned devices and BYODs is strongly advised.

Navigating updated Cyber Essentials requirements can be complex, particularly for organisations with growing cloud environments.

CyberLab supports businesses through:

• Cyber Essentials readiness assessments
• Practical remediation guidance
• Ongoing Cyber Security strategy aligned to evolving standards

If you are planning Cyber Essentials certification or renewal after May 2026, now is the right time to act.