
Useful tips and practical advice from Cyber Essentials Assessors

Common Cyber Essentials Mistakes and How to Avoid Them 

Cyber Essentials certification serves as a valuable initial step for any organisation, regardless of its size or sector, seeking to safeguard against cyber threats and fortify the security of its internet-facing networks and devices. The Government-backed scheme focuses on the implementation of 5 key technical control areas (firewalls, secure configuration, access control, patch management, and malware protection), which were selected both for the protection they provide organisations against common cyber threats and for the relative ease with which they can be implemented. Nonetheless, several common challenges and obstacles frequently arise during organisations’ preparation for certification and during the certification process itself.

Often, these challenges can be easily overcome by implementing simple policies, leveraging free and/or integrated software solutions, and through a better understanding of Cyber Essentials assessors’ expectations for self-assessment questionnaire (SAQ) responses. 

In this blog, we will break down each of these common challenges and provide solutions which can help you overcome them, allowing you to achieve Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certification more seamlessly.  

Common Cyber Essentials and Cyber Essentials Plus Mistakes  

Misread and misinterpreted questions 

One issue we frequently see involves misinterpreting or misreading questions within the self-assessment questionnaire (SAQ). Question A5.10, for example, which asks what method you use to unlock devices, comes up fairly often here. Since this question sits within the ‘Device Locking’ section of the questionnaire, organisations sometimes fail to read the question properly and assume it is asking them about lockouts. This question should be an easy one to get right; an appropriate answer can be as simple as ‘a username and a 12-character password’. However, because it has not been carefully read, organisations provide incorrect answers and make an unnecessary mistake. As such, it is vital that you carefully read and consider each question to ensure you are answering it correctly.

Excessive detail in the SAQ 

In the SAQ, you will come across a number of ‘how’ questions, as well as yes/no questions.  While the former may require slightly more detail, when answering the latter you will, typically, only need to provide ‘yes’ or ‘no’ answers.  If you introduce too much detail, this can sometimes make your answers inconsistent across the SAQ which can, eventually, make it noncompliant. 

End of life software 

The use of any end of life (EOL) software that is in scope for your CE certification constitutes an automatic fail; however, we regularly see organisations still using software such as Windows 7, Windows 10 Pro 21H2, macOS 11 (Big Sur), iOS 14, Android 10, VMware ESXi 6.7, and Office 2013, all of which are EOL. Having EOL software installed, which no longer receives updates or support, will leave your systems vulnerable to potential attacks. While online resources exist that will tell you whether software is still supported or not, contacting the vendor directly will provide you with the most accurate and reliable information.

Use of admin accounts 

Per the requirements of CE, you should not be logged in with an admin account while performing daily tasks which do not require the extra privileges provided by admin accounts, as this limits the amount of damage that can be done if your device ever becomes infected with malware. Technically, you are able to provide all of your users with admin accounts provided these accounts are only used via User Account Control (UAC) or the ‘run as’ command; however, we strongly advise against this.
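A quick way to check this on a Windows device is to list who holds standing membership of the local Administrators group and whether the account doing day-to-day work is one of them. The script below is an added example, not code from the original post or from URM; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and the function and property names are this example's own.

```powershell
# Added example (not from the original post): report standing administrator
# membership on a Windows device and whether the current session's account is
# a member. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

function Get-StandingAdminReport {
    # Members of BUILTIN\Administrators: local users, domain users and domain groups
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    # The identity running this script and the groups carried in its token
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenGroupSids = @($current.Groups | ForEach-Object { $_.Value })

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. The token
    # still lists it (as deny-only) in a non-elevated UAC session, so this
    # detects membership regardless of whether the session is elevated.
    $isMember = $tokenGroupSids -contains 'S-1-5-32-544'

    # IsInRole ignores deny-only groups, so this is true only when elevated
    $isElevated = ([System.Security.Principal.WindowsPrincipal]$current).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [PSCustomObject]@{
        Device           = $env:COMPUTERNAME
        CurrentUser      = $current.Name
        CurrentIsAdmin   = $isMember     # daily work is being done from an admin account
        SessionElevated  = $isElevated
        AdminMembers     = @($members | ForEach-Object { "$($_.Name) ($($_.ObjectClass))" })
    }
}

$report = Get-StandingAdminReport
$report | Format-List

if ($report.CurrentIsAdmin) {
    Write-Warning 'This account holds administrator rights; use a standard account for daily tasks and elevate only when needed.'
}
```

Run it from each user's normal session rather than from an elevated prompt: the point of the check is the account people actually log in with, not the one used for maintenance.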

Multiple profiles on devices 

By itself, having more than one user able to log into a device is not an issue.  However, if one or more users are not regularly using a device, this can cause issues during CE+ assessments.  If you have software installed per user rather than per machine, each user must regularly log in for the software to update.  Failing to do so can result in the appearance of unexpected vulnerabilities during the vulnerability scan that is performed as part of the CE+ assessment.  

Unpatched operating systems 

Occasionally, the Windows Update service can, due to failure or corruption, incorrectly tell you that there are no updates available, leaving your operating system (OS) unpatched and vulnerable.  As such, we would recommend manually checking the OS version your device is running by opening the command prompt and running the ‘winver’ command.  
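The same information that winver shows can be read programmatically and combined with the install date of the most recent update, which makes it easier to spot a device whose update service has silently stopped working. This is an added example, not code from the original post or from URM; it assumes Windows PowerShell 5.1 or later on Windows 10 or 11. The 45-day threshold is this example's own heuristic (longer than one monthly update cycle plus the scheme's 14-day window for applying critical and high-risk updates), not a rule from the scheme, and the function name is an assumption.

```powershell
# Added example (not from the original post): read the OS version and build
# that winver displays, plus the most recently installed update, and flag
# devices that look unpatched. Assumes Windows PowerShell 5.1+ on Windows 10/11.

function Get-PatchStatus {
    param([int]$MaxDaysSinceUpdate = 45)   # example heuristic, not a scheme rule

    # Win32_OperatingSystem carries the same version and build winver shows
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # The feature-update name (e.g. 22H2) and the cumulative-update revision
    # (UBR) live under CurrentVersion in the registry
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Get-HotFix lists updates registered with the OS; not every update records
    # an install date, so those entries are skipped when finding the latest one
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $days = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    [PSCustomObject]@{
        Caption         = $os.Caption
        DisplayVersion  = $cv.DisplayVersion
        Build           = "$($os.BuildNumber).$($cv.UBR)"
        LatestHotFix    = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        DaysSinceUpdate = $days
        # No dated update at all, or too long since the last one: investigate
        NeedsAttention  = ($null -eq $days) -or ($days -gt $MaxDaysSinceUpdate)
    }
}

Get-PatchStatus | Format-List
```

Treat a `NeedsAttention` of `$true` as a prompt to compare the reported build against the vendor's current release for that Windows version, not as proof of a missing patch: Get-HotFix only sees updates registered through the quick-fix engineering interface, so the date is a floor, not a complete history.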

Unsupported, out-of-date, and unused software 

Often organisations will replace one piece of software with an alternative which performs the same function, such as moving from Zoom to Microsoft Teams. There is nothing wrong with doing this, but you will need to ensure you have removed the redundant software, as this is something organisations often fall down on and it results in unpatched, vulnerable software remaining on the device. By removing it, you will not only reduce your attack surface, but will also make your adherence to the patch management requirements more efficient, as there will be fewer patches to apply.

.NET is perhaps one of the most common sources of issues here; organisations will install .NET 6, assuming this is an upgrade from .NET 5, which is EOL.  However, .NET 6 is a standalone installation and will not automatically remove .NET 5, meaning that they will have both installed.  Therefore, we would recommend you check and, where necessary, remove this.  

How to Avoid Mistakes  

Use tools 

Regardless of your budget, there are a range of tools available which can help with CE compliance by helping you stay on top of patching or conducting vulnerability scans.  Your choice of product will need to be determined by both your staff’s ability to use the tool and your budget, although some paid tools will also offer free community editions.  While these tend to be limited to around 16 agents, for smaller organisations this may suffice.  

However, when using any tool we would strongly advise you to remain aware of the fact that they are not infallible, and can flag up both false positives and false negatives.  False positives aren’t much of an issue, but false negatives can leave you unpatched and vulnerable.  

Conduct manual checks 

To mitigate the risk of missing vulnerabilities and patches due to a tool making a mistake, we advise that you perform manual checks in conjunction with your use of tools. The ‘add and remove programs’ section of your device settings can be used to check that your programs are updated and CE compliant, while the built-in package manager command ‘winget list’ will display everything installed on your device. You may also benefit from conducting training sessions with your staff on a regular basis, teaching them to identify basic issues. Smaller organisations may be able to train staff to perform manual checks of their devices themselves, allowing you to implement a weekly manual check policy. This can involve staff sending an email or updating a spreadsheet to confirm that the software they’re running is up to date.
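The manual check described here, and the leftover .NET 5 problem from the previous section, can both be covered by one script that reads the same registry keys that back ‘add and remove programs’, exports the result to a CSV for the weekly spreadsheet, and flags names on a watch list. This is an added example, not code from the original post or from URM; it assumes Windows PowerShell 5.1 or later. The watch-list patterns are constructed for this example from products the post names (.NET 5 components, Office 2013, a replaced Zoom install) and should be replaced with your own list built from vendor lifecycle information.

```powershell
# Added example (not from the original post): inventory installed software
# from the Uninstall registry keys, export it for the weekly manual check, and
# flag entries matching a watch list. Assumes Windows PowerShell 5.1+.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                 # per-user installs
)

# Constructed watch list (regular expressions). The first pattern catches .NET 5
# runtime/SDK entries that remain after a side-by-side .NET 6 install; the
# others are examples of EOL or replaced products named in the post.
$WatchList = @(
    '^Microsoft (\.NET|Windows Desktop|ASP\.NET Core).*\b5\.0\.\d+',
    '^Microsoft Office .*2013',
    '^Zoom'
)

function Get-SoftwareInventory {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $name = $_.DisplayName
            [PSCustomObject]@{
                Name      = $name
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                # Per-user installs only update when that user logs in (see the
                # 'Multiple profiles on devices' section), so record the scope
                Scope     = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                Flagged   = [bool]($WatchList | Where-Object { $name -match $_ })
            }
        } |
        Sort-Object Name, Version -Unique
}

$inventory = Get-SoftwareInventory

# One CSV per device per day, ready to paste into the weekly spreadsheet
$csv = "$env:COMPUTERNAME-software-$(Get-Date -Format 'yyyy-MM-dd').csv"
$inventory | Export-Csv -Path $csv -NoTypeInformation

# Anything on the watch list is printed for removal or investigation
$inventory | Where-Object Flagged | Format-Table Name, Version, Scope -AutoSize
```

For .NET specifically, `dotnet --list-runtimes` gives a second view of what is installed and is a useful cross-check against the registry entries, since a runtime can occasionally be present on disk without a matching ‘add and remove programs’ entry. Run the script in each user profile that is used on the device, as the HKCU branch only shows the current user's installs.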

Backups  

Backups are vital for maintaining business continuity, safeguarding against data loss, and potentially for meeting the requirements of your cyber insurance policy.  As such, they should be performed by every organisation, regardless of whether they are CE certified or attempting to obtain certification.  Aside from this, backups are useful for testing security updates, which don’t always function as intended and can sometimes prevent your device from working properly, or even crash it.  Therefore, security updates need to be tested when they’re installed, and an easy way to do this is to take a backup and then install the update so that, if you run into any problems, the backup can be used to restore your device to its previous state.  

Backups themselves also need to be tested.  Many organisations will believe they’re taking backups every day, but have never tested whether they’re working.  This can lead to scenarios where it is only once the backup is needed (i.e. something has gone wrong) that organisations will realise the backups haven’t worked, by which point it is too late to do anything about it.   

Asset Management 

Asset management is not a CE requirement, but it will help you considerably in meeting the 5 control areas and in determining exactly what your IT environment consists of. Ultimately, you can only protect what you know you have, so the creation and maintenance of an effective IT inventory is essential. If you’re a smaller organisation, there is no need to use an asset management tool to achieve this; a basic spreadsheet will do. As is the case with backups, the benefits associated with asset management extend far beyond CE certification. It is key to effective vulnerability and attack surface management, risk assessment, and business continuity. In some cases, it can also help you cut costs, as it will allow you to establish which assets you need and, potentially, those you don’t need and can decommission.

How can we Help?  

URM is a National Cyber Security Centre (NCSC) accredited certification body and has facilitated hundreds of successful CE and CE+ assessments, providing us with a comprehensive, in-depth understanding of the Scheme and its requirements.  We are also an Assured Service Provider under the NCSC’s Cyber Advisor scheme, meaning our large team of Cyber Advisors (Cyber Essentials) are able to offer NCSC-aligned advice and guidance on achieving CE and CE+ certification, as well as on ways to improve your security posture in general.   
