The UK’s financial sector is often thought of as the gold standard for regulatory compliance and operational resilience. But the Bank of England’s 2025 CBEST Thematic Report findings show that even the most heavily regulated organisations are consistently failing to implement basic cybersecurity safeguards.
Despite years of intensive oversight from the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the latest round of 13 CBEST assessments highlights a recurring cyber gap. The same vulnerabilities that plagued the industry in 2023 and 2024 resurfaced in 2025, suggesting that for many, security remains a box-ticking exercise rather than a deeply ingrained culture.
A Cycle of Previous Issues
The findings, co-authored by the UK’s leading financial regulators, point to a lack of discipline in technical execution. The report identifies several critical areas where firms are falling short:
- Identity and Access Management: Weak passwords, insecure credential storage (often in plaintext), and overly permissive access models remain rampant.
- Hygiene and Maintenance: Inconsistent patching and misconfigured systems continue to provide open doors for attackers.
- Detection Deficits: Many firms struggle to identify intrusions early, often relying on poorly tuned alerts that fail to distinguish between legitimate traffic and malicious lateral movement.
Vulnerable Workforces
Perhaps most concerning is the vulnerability of the workforce. The National Cyber Security Centre (NCSC) noted that groups like Scattered Spider (a group of known threat actors) are successfully using social engineering to bypass sophisticated technical controls.
By targeting IT helpdesks and exploiting the established trust within an organisation, these attackers don’t need to hack their way in; they just ask for the keys. The report underscores that staff often inadvertently reveal sensitive information on social media or through professional job descriptions, providing attackers with the intelligence needed to craft highly convincing spear-phishing campaigns.
Moving Beyond Protective Controls
The 2025 CBEST findings serve as a reminder that technical measures alone are not sufficient. As attackers become more sophisticated, particularly with the aid of AI-driven phishing tools, firms need to adjust their thinking to assume breaches are inevitable and plan accordingly.
At Mondas, we believe that if the industry’s big players are struggling with the basics, it’s a signal for all firms to scrutinise their own posture. Security isn’t a one-time project; it’s a continuous cycle of testing, learning, and adapting.
| The Issues | Potential Solutions |
|---|---|
| Weak Access Controls: Permissions are often far too broad, allowing attackers to move laterally. | Zero Trust Architecture: We implement Least Privilege models, ensuring users only have access to what they absolutely need. |
| Poor Technical Hygiene: Unpatched systems and misconfigurations remain the leading entry points. | Continuous Vulnerability Management: Our team provides rigorous, regular penetration testing to find and fix gaps before attackers do. |
| Social Engineering Vulnerability: Staff are frequently bypassed by phishing and identity spoofing. | Human-Centric Training: We go beyond static videos, offering simulated phishing and culture-led awareness training that prepares staff for real-world scenarios. |
| Detection Gaps: Attacks often go unnoticed until it is too late. | AI-Enhanced Monitoring: Using best-in-class software, we help clients implement proactive detection and response mechanisms that hunt for threats in real time. |
Can we conduct a high-level review of your current access controls to see where you might be at risk? Contact us today to find out more.
This article was brought to you by Lance Nevill, Director of Cyber Security here at Mondas. If you’d like to discuss any of the issues in this article, learn more about how Mondas supports industries from financial to pharma, or you just want to chat through your overall security posture with Lance, click here to get in touch.