Fix basics: Cyber Essentials

Industry analysts are pushing a simple message: patch the basics first — known as Cyber Essentials — because many breaches exploit the same avoidable gaps. (x.com) The recommendation is practical: close known configuration and patch gaps now and you'll block a large share of low‑effort intrusions that escalate into bigger incidents. (x.com)

The most useful idea in cybersecurity right now is also the least glamorous: stop chasing the cinematic hack and fix the boring stuff first. “Cyber Essentials” is the name the UK’s National Cyber Security Centre gives to that approach. It boils defense down to five controls: firewalls, secure configuration, security update management, user access control, and malware protection. The point is not elegance. The point is to block the common attacks that keep working because too many organizations leave the same doors open (ncsc.gov.uk, ncsc.gov.uk).

That sounds almost insultingly basic, until you look at how breaches still begin. Verizon’s 2025 Data Breach Investigations Report found that credential abuse and vulnerability exploitation remained the top initial access paths, and that exploitation of vulnerabilities surged by 34% year over year. In the same report, Verizon said edge-device vulnerabilities accounted for 22% of breach initiators, up from 3% the year before. This is not a story about genius attackers breaking the laws of computing. It is a story about organizations leaving internet-facing systems exposed long after the fix is available (verizon.com, verizon.com).

The patching gap is what makes the rest of the story click into place. Verizon reported that organizations managed to fully remediate only about 54% of those edge-device vulnerabilities during the year. That means defenders were not facing an impossible math problem. They were losing a very ordinary race against backlog, asset sprawl, and change control. Once you see that, “fix the basics” stops sounding like generic advice and starts sounding like a direct description of the failure mode (verizon.com, verizon.com).

CISA’s Known Exploited Vulnerabilities catalog shows the same pattern from another angle. The catalog exists for one reason: these are flaws that attackers are already using in the wild. CISA explicitly tells organizations to use the list to prioritize remediation because this subset of bugs is causing immediate harm, not hypothetical future harm. The agency keeps adding new entries because the same cycle keeps repeating. A vulnerability is disclosed, a patch appears, defenders hesitate, and attackers move faster (cisa.gov, cisa.gov, cisa.gov).

Incident responders see the same thing when they arrive after the breach. Google’s Mandiant said in M-Trends 2025 that exploits were the most common initial infection vector for the fifth straight year, accounting for one-third of intrusions it investigated. Stolen credentials came next at 16%, and Mandiant was blunt about what that means: not every successful attack is sophisticated, and many succeed because defenders leave opportunities lying around. Weak credential hygiene, exposed repositories, and unpatched systems are not side issues. They are the attack surface (cloud.google.com, cloud.google.com).

That is why the “essentials” frameworks all converge on the same handful of controls. The Center for Internet Security starts with inventory, secure configuration, vulnerability management, access control, and malware defenses. Microsoft, drawing on its own telemetry, has argued that basic security hygiene still protects against the overwhelming majority of attacks, while calling out the same practical measures: multifactor authentication, timely updates, modern endpoint protection, and data protection. Different institutions use different labels, but they are all describing the same uncomfortable fact. Most organizations do not need a more exotic strategy nearly as much as they need to know what they own, lock down default settings, and patch the systems that are already on the internet (cisecurity.org, microsoft.com, microsoft.com).

Cybersecurity vendors often sell the future. The breach data keeps dragging the conversation back to the present. Firewalls still matter. Admin privileges still sprawl. Internet-facing appliances still sit unpatched. Security teams still do not have complete asset inventories, even though the NCSC’s own Cyber Essentials guidance says effective asset management underpins all five controls. The surprising part is not that attackers exploit these gaps. The surprising part is how often they still find them (ncsc.gov.uk, cisa.gov).


Shared from Scout - Be the smartest in the room.