Cyber Essentials and Privileged Access Management: Just Enough or Just in Time?

Remember Cyber Essentials. That lovely government-backed scheme designed to make sure you’re at least trying to secure your IT environment. You know, the one standard that gets ignored until a breach happens. It’s the cyber equivalent of checking your doors are locked before going to bed—basic, obvious, yet somehow overlooked by many. But as threats evolve, so do the rules. And the latest tweak? A clampdown on Privileged Access Management (PAM), particularly the approach to Just Enough vs Just in Time access.

If you’re not already groaning at the thought of more security admin, don’t worry—I’ll do it for you. But before you grab your pitchforks and storm the IASME offices, let’s unpack what this means, why it matters, and how ThreatLocker can make all of this significantly easier (yes, really).

Cyber Essentials: The Cybersecurity Bare Minimum

For those who’ve been blissfully unaware, Cyber Essentials is the UK’s way of saying:

"Look, we know most businesses aren’t great at security, so here’s a checklist. Do these things, and you’ll stop 80% of attacks."

These things include:

  1. Firewalls – Your first line of defence, assuming they aren’t misconfigured into oblivion.

  2. Secure Configuration – Stop using “password123” and set up your kit properly.

  3. User Access Control – The bit we’re focusing on today.

  4. Malware Protection – Because clicking dodgy links is still a national pastime.

  5. Security Updates – Install patches before the hackers install themselves.

Now, under User Access Control, a seemingly minor change has arrived, but it’s got serious implications. Enter: Just Enough vs Just in Time access.

Just Enough vs Just in Time: The Privileged Access Dilemma

Picture this: You’re an IT admin. You’ve got full control over systems, databases, and accounts. You can do anything—from resetting passwords to accidentally deleting the entire company’s email archive (don’t pretend it hasn’t happened).

This level of access is powerful, but it’s also exactly what hackers dream of stealing.

That’s why Cyber Essentials has cracked down on how privileged access is managed. The big change? “Just in Time” (JIT) elevation is now frowned upon. Instead, organisations must embrace “Just Enough” (JEA) access.

What’s Wrong with Just in Time?

In theory, JIT sounds fantastic:

  • A user doesn’t have admin rights by default.

  • They request elevated permissions when needed.

  • The system grants them temporary admin access.

  • The access expires after a set period.

Sounds secure, right? Well, not quite. According to IASME, JIT introduces too much risk, because:

  • The temporary elevation could be hijacked – If an attacker compromises an account mid-elevation, they get full access.

  • It’s hard to audit – Logs may not always capture the full context of who requested access and why.

  • Humans are lazy – Users will abuse JIT to keep privileges for longer than necessary.

Cyber Essentials has therefore decided: No more temporary elevation. Admin accounts must be separate, dedicated, and used only for admin tasks.

Just Enough Access (JEA): The New Standard

JEA is the polar opposite of JIT. Instead of giving users temporary full access, JEA ensures they only get exactly the permissions they need—nothing more.

  • Need to restart a service? You get permission for that, and only that.

  • Need to create a new user? Fine, but you won’t be able to delete existing ones.

  • Need to install software? Sure, but only in designated areas.

This approach significantly reduces the attack surface. If a hacker gains access, they can’t escalate beyond what’s absolutely necessary.

Cyber Essentials is now enforcing JEA as best practice, meaning:

  • Dedicated admin accounts only – No more dual-use accounts for emails and admin work.

  • Role-based access control (RBAC) – Users get only the privileges they need for their specific job.

  • No temporary elevation – Either you have privileges or you don’t. No in-between.

  • Logging and monitoring – Everything admin-related should be recorded and auditable.
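Here is the “just enough” principle in concrete form, as an added example that is not part of this post or of ThreatLocker: a Microsoft PowerShell Just Enough Administration (JEA) endpoint that lets members of one group restart one named service and nothing else, with every session transcribed for audit. The module, role, group, service and path names are assumptions for illustration.

```powershell
# Added example (not from the article or ThreatLocker): a PowerShell JEA endpoint
# that grants one group the right to restart one service, and nothing more.
# All names below are assumptions for illustration.
$ModuleName   = 'JeaServiceOps'                    # assumed module name
$RoleName     = 'PrintSpoolerRestarter'            # assumed role capability name
$OperatorsGrp = 'CONTOSO\PrintSpooler-Operators'   # assumed AD group
$Service      = 'Spooler'                          # assumed service the role may touch

# JEA discovers role capability files under <module>\RoleCapabilities.
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# Role capability: only Restart-Service, and only with -Name Spooler.
# No Stop-Service, no Set-Service, no other service names: "just enough".
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$RoleName.psrc") `
    -VisibleCmdlets @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = $Service }
    }

# Session configuration: the operator never holds admin rights themselves.
# The endpoint runs as a temporary virtual account and transcribes every
# session, which covers the "logging and monitoring" requirement above.
$TranscriptDir = 'C:\JEATranscripts'               # assumed audit location
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
$SessionConfig = Join-Path $env:TEMP "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $SessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $TranscriptDir `
    -RoleDefinitions @{ $OperatorsGrp = @{ RoleCapabilities = $RoleName } }

# Validate before registering; a typo here silently widens or breaks the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $SessionConfig)) {
    throw 'Session configuration file failed validation'
}
Register-PSSessionConfiguration -Name 'JEA.ServiceOps' -Path $SessionConfig -Force

# An operator then connects with:
#   Enter-PSSession -ComputerName SERVER01 -ConfigurationName JEA.ServiceOps
# and can run 'Restart-Service -Name Spooler'; any other cmdlet or any other
# service name is rejected by the endpoint.
```

Because the operator’s own account is never elevated, there is no temporary admin token to hijack, and the transcript directory gives the auditor the who, what and when for every session.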

How ThreatLocker Can Help

At this point, you might be thinking, “Great. More policies, more admin, more headaches.” This is where ThreatLocker can make your life infinitely easier.

ThreatLocker’s Zero Trust Application Control and Ringfencing™ let you:

  • Deny by default – If in doubt, users can’t do it!

  • Completely remove local admin rights without killing productivity – Users can only run approved applications.

  • Block elevation abuse – No more sneaky privilege escalations or unauthorised software installations.

  • Audit EVERYTHING – Detailed logs of who accessed what, when, and why.

  • Ringfence applications – Even if malware runs, it can’t talk to other systems, massively limiting damage.

Basically, ThreatLocker does what most security policies fail at—actually enforcing privileged access rules without making IT scream into the void.

Embrace the Pain, It’s Worth It

Cyber Essentials isn’t asking for the moon. It’s just making sure your business isn’t handing admin rights out like sweets at Halloween.

Yes, it’s annoying.
Yes, it’ll take time to implement.
Yes, your staff will whine.

But in the grand scheme of things, securing privileged access is one of the smartest moves you can make. It’s not just about compliance—it’s about not being the next company in the news because you got hacked through an admin account with a weak password.

So, grab a coffee (or something stronger), talk to your MSP or IT team about deploying ThreatLocker, and start making the necessary changes. Your future self (and your cyber insurance provider) will thank you.

TL;DR: What You Need to Know

🚫 No more temporary admin elevation (JIT)
Dedicated admin accounts required
🔒 Role-based access only (JEA)
🛑 Users should not have local admin rights
📜 Log everything & enforce MFA
Use ThreatLocker to actually enforce these rules without chaos

Complain all you want. The rules aren’t changing back.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com