2025 CBEST Thematic Report: What the Data Reveals About Cyber Fragility in Financial Services

The Bank of England handed out cyber report cards last week to banks and financial market infrastructure (FMI) organizations.
This report card, the CBEST Thematic Report, had the unmistakable energy of Professor McGonagall pulling Harry Potter aside to remind him — firmly but fairly — that his Wizarding ambitions require a much higher standard.
Just like Professor McGonagall, regulators are doing their part in ensuring that high aspirations demand high standards.
Firms and financial market infrastructures have spent years building control libraries, mapping rules, and aligning with best practices. CBEST shows a clear gap, though. Controls that look strong on paper often fail under the pressure of a real attack.
That's the higher bar regulators intend to set.
CBEST 2025: a picture of quiet vulnerability
CBEST is a threat-led testing framework that simulates real-world attacks, and the Thematic Report summarises what that testing found across participating firms. It helps banks and FMIs find, understand, and fix weaknesses in their cyber resilience.
This year’s report identified weaknesses in cyber resilience across major UK financial institutions. These issues appeared across five connected areas:
- Infrastructure and data security
- Identity and access control
- Network security
- Detection and response
- Staff culture and awareness
These gaps surfaced through CBEST threat-led testing performed in live corporate environments, delivered by accredited providers under regulatory oversight.
Infrastructure and data security
The results show that many institutions struggle to turn security plans into consistent performance under real attack conditions.
From an infrastructure and data security standpoint, CBEST found gaps in basic controls. These included inconsistent configuration management, weak system hardening and patching, and poor protection of data stored on systems.
Attack simulations showed that endpoints without current patches or proper configuration were easy to exploit. Weak encryption also exposed sensitive data and privileged credentials.
Together, these findings suggest that asset management and configuration processes are not consistently reducing risk across the systems that support critical business services.
Identity and access control
Weak identity and access controls further reduced resilience.
CBEST testing found that some firms did not enforce strong identity management practices. Common issues included:
- Weak passwords or poor enforcement of password standards
- Insecure password storage, including plaintext files
- Access models that granted more permissions than necessary
Poor controls on administrator and service accounts made it easier for attackers to escalate privileges and move laterally once inside the environment.
These results show that identity controls may exist on paper but are not enforced with enough discipline in practice. Stronger enforcement would help limit how far attackers can go after an initial compromise.
Network security
Network security and architecture emerged as a clear point of weakness.
CBEST found that some firms lacked effective segmentation between critical systems. In several cases, development and production environments were not properly separated. This increased the potential impact of a breach on business operations.
Detection and response
CBEST also identified a concerning pattern for organizations that rely on endpoint detection and response (EDR) tools. Detection gaps included EDR that was not tuned well enough to catch attacks and weak detection of data exfiltration. Ineffective network monitoring and limited traffic inspection let attacker activity blend into legitimate traffic and allowed outbound connections from unmonitored devices.
Attackers avoided detection by misusing credentials, relying on built-in system tools, and moving laterally across the network without triggering alerts. This was possible because network designs allowed too much implicit trust.
Limited use of least-privilege controls at the network and service level increased the number of systems attackers could reach. Weak network monitoring and limited traffic inspection made the problem worse.
In simulations, attackers hid activity within normal-looking traffic and established outbound connections from systems that were not closely monitored.
These findings point to a gap between how segmentation and least privilege are understood in theory and how they are enforced in real production networks.
Detection and response capabilities also failed to match the threat models used in CBEST exercises. Firms with poorly tuned alerts struggled to detect attacks early. Weak EDR configurations reduced visibility into malicious behavior and data exfiltration. Poor network monitoring allowed attackers to blend in with legitimate activity.
Staff culture and awareness
CBEST also highlights staff culture, training, and awareness as ongoing weaknesses.
Staff were often vulnerable to social engineering. Credentials were frequently stored in unsecured places such as spreadsheets or shared file systems. Help desk processes with limited identity checks allowed simulated attackers to obtain or misuse credentials and expand access.
The real problem: uncontained lateral movement
One theme connects the weaknesses seen in CBEST results. A reliable way to contain lateral movement after a breach is lacking.
Attackers stole credentials and moved between systems. They raised their level of access. In many cases, this happened before detection tools flagged any unusual activity.
When networks are flat, or nearly flat, attackers face little resistance. They can move quickly and quietly, without delays that give defenders time to respond.
This is where the risk becomes systemic. If a single user account or server can reach critical services, strong patching or better alerts cannot fix the underlying design problem.
CBEST 2025 shows how gaps across identity, infrastructure, network design, monitoring, and staff practices combine to enable lateral movement.
Once attackers can move freely inside the network, perimeter defenses and reactive detection cannot stop the spread or limit the damage.
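The containment argument above can be made concrete with a small reachability model. This is an added illustration, not code from the CBEST report or from Illumio: a constructed inventory of workloads, a constructed allow-list policy between them, and a breadth-first search that computes the worst-case set of systems an attacker can reach from one compromised host under a flat network versus under least-privilege rules.

```python
from collections import deque

# Constructed inventory of workloads, labelled by role and environment.
WORKLOADS = {
    "web-01":     {"role": "web",      "env": "prod", "critical": False},
    "app-01":     {"role": "app",      "env": "prod", "critical": False},
    "db-01":      {"role": "db",       "env": "prod", "critical": True},
    "pay-01":     {"role": "payments", "env": "prod", "critical": True},
    "jump-01":    {"role": "admin",    "env": "prod", "critical": False},
    "dev-app-01": {"role": "app",      "env": "dev",  "critical": False},
    "dev-db-01":  {"role": "db",       "env": "dev",  "critical": False},
}

# Constructed least-privilege allow-list: (src role, src env) -> (dst role, dst env), port.
# "*" matches any destination role. Any flow not listed is denied.
LEAST_PRIVILEGE = [
    (("web", "prod"),   ("app", "prod"),      8443),
    (("app", "prod"),   ("db", "prod"),       5432),
    (("app", "prod"),   ("payments", "prod"), 443),
    (("admin", "prod"), ("*", "prod"),        22),
    (("app", "dev"),    ("db", "dev"),        5432),
]

# A flat network: every workload can reach every other workload on any port.
FLAT = None


def allowed(policy, src, dst):
    """True if the policy permits any flow from src to dst (a flat policy permits all)."""
    if src == dst:
        return False
    if policy is None:
        return True
    s, d = WORKLOADS[src], WORKLOADS[dst]
    for (sr, se), (dr, de), _port in policy:
        if (sr, se) == (s["role"], s["env"]) and de == d["env"] and dr in ("*", d["role"]):
            return True
    return False


def blast_radius(policy, compromised):
    """Worst-case set of other workloads reachable from one compromised host, assuming
    each host reached can in turn be compromised (transitive reach over allowed flows)."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and allowed(policy, cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}


def critical_exposed(policy, compromised):
    """Critical business services that fall inside the blast radius."""
    return {w for w in blast_radius(policy, compromised) if WORKLOADS[w]["critical"]}
```

Comparing `blast_radius(FLAT, "dev-app-01")` with `blast_radius(LEAST_PRIVILEGE, "dev-app-01")` shows the dev/prod separation the report found missing; running the same check from `jump-01` shows why a compromised administrator account still reaches every production system even under an allow-list.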
How Illumio addresses banking's lateral movement gap
Illumio works in the CBEST context for one clear reason. It fixes the exact problem regulators keep finding: attackers can move freely once they get inside the network.
CBEST shows that organizations invest heavily in identity tools, infrastructure security, firewalls, and monitoring. Even so, attackers still succeed. They explore systems, move across the network, and expand access after entry.
Illumio is built for this reality. It creates strong boundaries inside the network, where many controls are weakest.
Instead of depending on perfect identity controls, perfect patching, or perfect detection, Illumio limits movement by design. CBEST makes clear that perfection does not hold up under real pressure.
Here is why Illumio stands out.
1. It stops lateral movement no matter how an attacker gains access
If credentials are stolen, multi-factor authentication (MFA) is bypassed, or a device is compromised, Illumio prevents attackers from moving beyond the first system.
Unlike firewalls or identity tools, Illumio doesn’t depend on flawless configuration elsewhere.
2. It enables segmentation without redesigning the network
CBEST shows that many firms struggle to implement segmentation because network-based approaches are slow and risky.
Illumio separates segmentation from the network itself. Organizations can enforce least-privilege communication between workloads without changing VLANs, firewall rules, or network layouts.
3. It makes internal traffic visible
CBEST testers often exploit blind spots in east-west traffic. Illumio provides real-time views of how systems actually communicate. This exposes hidden dependencies, risky paths, and unnecessary trust that attackers rely on.
4. It complements EDR by containing what detection misses
Endpoint detection and response (EDR) tools are strong at detecting malicious activity on individual endpoints. However, they can't stop attackers with valid credentials from moving laterally.
Illumio fills this gap by blocking the paths attackers need. Even when endpoint tools miss early signs of compromise, Illumio prevents a small issue from spreading across the environment.
In short, Illumio directly addresses the structural weaknesses CBEST reveals. It reduces the impact when other controls fail.
CBEST shows how exposed many institutions are today. Illumio shows how to make that exposure survivable.
Illumio doesn’t replace existing security controls. It compensates for their limits. When attackers bypass or evade other defenses, Illumio ensures the environment holds. It contains the breach, limits the damage, and supports recovery.
Why proven resilience depends on breach containment
Reading CBEST from start to finish reveals a clear pattern. Much of the financial system depends not on proven resilience, but on the assumption that security controls will work as planned.
CBEST makes it clear that regulators expect security to be measurable, testable, and built into system design. While fragility is not named directly, the findings point to it throughout the report.
In the end, the message is simple. Breach containment is the only practical way to address this risk.
Explore Illumio Insights for free today to expose the kinds of security issues CBEST keeps finding.