TL;DR: The Bank of England’s CBEST Thematic Report found weaknesses across infrastructure, identity and access, network security, detection and response, and staff awareness in UK financial institutions, showing that controls often fail when tested against real attack conditions, according to Illumio. Containment, not control volume, is the deciding variable when attackers can move laterally before defenders detect them.
NHIMG editorial — based on content published by Illumio: CBEST 2025 Cyber Resilience Thematic Report analysis
Questions worth separating out
Q: What breaks when identity controls are weak in a flat network?
A: Weak identity controls turn a single compromised account into a broad movement path when the internal network still trusts too much by default.
Q: Why do service accounts with standing privilege increase lateral movement risk?
A: Service accounts often connect multiple systems and run with permissions that outlast any one task.
Q: How do security teams know whether containment controls are working?
A: Containment controls are working only if a compromised account cannot quickly reach critical systems, production workloads, or sensitive data paths.
Practitioner guidance
- Audit standing privilege across human and service accounts Identify accounts with persistent access to critical services, then remove broad permissions that are not tied to current operational need.
- Segment internal communications around critical services Separate development, production, and high-value systems so a single compromised endpoint cannot reach everything by default.
- Tighten credential handling and storage Eliminate plaintext password storage, spreadsheet-based credential sharing, and ad hoc help desk verification paths.
What's in the full article
Illumio's full blog covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of how CBEST findings map to breach containment architecture across banking environments.
- Specific examples of how Illumio positions segmentation against lateral movement in live corporate networks.
- Additional explanation of the interplay between EDR, monitoring, and internal traffic boundaries.
- More detail on why the article argues that breach containment should be treated as a resilience control.
👉 Read Illumio's analysis of the CBEST 2025 cyber resilience findings →
CBEST 2025 and cyber fragility: what banking teams need to fix?
Explore further
CBEST is really a test of containment maturity, not control inventory. Financial institutions often have many of the right tools on paper, yet attackers still move laterally once inside. That gap shows that resilience depends on whether internal trust is bounded in practice, not on how many defensive layers exist. For banking and FMI environments, containment has become the real measure of cyber resilience.
A question worth separating out:
Q: Who is accountable when weak identity governance helps an attacker spread?
A: Accountability usually sits with the teams that own identity policy, access engineering, network segmentation, and operational monitoring, because containment failure is cross-functional. In regulated environments, that also means governance teams must be able to show that access boundaries, privileged accounts, and detection controls were tested, not just documented.
👉 Read our full editorial: CBEST 2025 shows cyber fragility is still a containment problem