Cyber Essentials is a Government-backed cyber security certification scheme, aimed at defining the fundamental security controls organisations should have in place to protect themselves against cyber attack. The Scheme requires certifying organisations to implement technical controls from 5 basic control areas and to demonstrate their compliance with the Scheme by completing a self-assessment questionnaire (SAQ), and to undergo a technical audit to verify their compliance if they wish to certify to Cyber Essentials Plus – the Scheme’s higher-level qualification. For more information on what Cyber Essentials is, see our blog on 3 Top Tips for Successful Cyber Essentials Certification.
Cyber Essentials certification is an excellent starting point for any organisation, regardless of size or industry, looking to protect themselves against cyber threats and strengthen the security of their internet-facing networks and devices. However, there are some common challenges and issues that organisations seem to come up against when working towards certification, many of which can be easily avoided by implementing basic policies, utilising free and/or built-in software, and even by developing your understanding of what the Cyber Essentials (CE) assessors are looking for in your self-assessment questionnaire (SAQ) answers.
In this blog, Amarjit Sandhu, Cyber Security Analyst at URM, highlights some challenges he frequently sees organisations face when certifying to CE and Cyber Essentials Plus (CE+), as well as offering guidance and advice on how to overcome these challenges. This blog is based on a webinar, delivered in early 2024 by Amarjit and Lauren Gotting, New Business Manager at URM, in which they provided guidance on how to prepare for CE certification.
Common Cyber Essentials Challenges
Misreading or misunderstanding questions
It is incredibly important that, when you’re completing the SAQ, you make sure to read each question carefully to avoid making unnecessary mistakes. For example, we often see organisations misunderstand question A5.10, which asks you which method you use to unlock your devices. An acceptable response to this question can be as simple as stating that you use a username and a 12-character password; however, as this question is in the Device Locking section of the questionnaire, organisations sometimes assume the question is asking about account lockouts rather than unlocking, and provide incorrect responses as a result.
‘My managed service provider (MSP) takes care of it’ is another incorrect response that we frequently see provided across different questions. This is not an acceptable answer; you must be aware of the process you are being asked about and be able to describe that process. If, when completing the SAQ, you find that you don’t know the answer to a question about a process which is managed by an MSP, it is perfectly acceptable to contact them for information that can help you answer the question.
End-of-life (EOL) software
Any EOL software that is in scope of your CE certification will result in an automatic fail. Common EOL products that we still see organisations use include:
- Windows 7
- Windows 10 Pro 21H2
- macOS 11 (Big Sur)
- iOS 14
- Android 10
- VMware ESXi 6.7
- Office 2013.
You need to ensure you are running up-to-date, supported software. The EOL software listed above is no longer supported and doesn’t receive updates anymore, and having it installed will leave you vulnerable to attack. While there are websites available which will provide you with information on whether software is or is not still supported, we would recommend contacting the vendor themselves as they will always be the most accurate and reliable source of information.
Missing patches
It is not uncommon for organisations to mistakenly believe they’re patched due to failure or corruption of the Windows Update service, which can sometimes tell you that there are no updates available when this is not the case. To check the operating system (OS) version your device is running, you can open the command prompt (if you have access to this) and run the ‘winver’ command. Something like this should appear:
Here, 19045 indicates the build (Windows 10 22H2) and the number following the dot (4046) is the current OS patch version installed.
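The same check as winver, scripted so it can be run across a fleet rather than read off a screenshot, as an added example that is not part of the original post. It reads the build and revision from the registry, compares them against an expected patch level that you maintain from Microsoft’s release information (the 19045/4046 pair is an assumption taken from the post), and also looks at the Windows Update service the post says can silently fail:

```powershell
# Added example, not from the original post. Reproduces the 'winver' check from the registry
# and confirms the Windows Update service (wuauserv) is not stopped or disabled.
# The expected build/UBR table is an assumption: maintain it from Microsoft's release-health
# page for your Windows version and refresh it after each Patch Tuesday.
$ExpectedPatchLevel = @{ '19045' = 4046 }   # build 19045 = Windows 10 22H2, UBR 4046 (values from the post)

function Get-OsPatchLevel {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product        = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion       # e.g. 22H2 (absent on very old builds)
        Build          = [string]$cv.CurrentBuild # e.g. 19045, shown by winver as "OS Build"
        UBR            = [int]$cv.UBR             # the number after the dot in winver, e.g. 4046
    }
}

function Test-OsPatchLevel {
    param([hashtable]$Expected = $ExpectedPatchLevel)
    $os = Get-OsPatchLevel
    $result = [pscustomobject]@{ Build = "$($os.Build).$($os.UBR)"; Compliant = $false; Reason = '' }
    if (-not $Expected.ContainsKey($os.Build)) {
        # A build missing from the table is either newer than the table or EOL: do not pass it silently.
        $result.Reason = "Build $($os.Build) not in expected table; verify support status with the vendor"
    } elseif ($os.UBR -lt $Expected[$os.Build]) {
        $result.Reason = "UBR $($os.UBR) is below expected $($Expected[$os.Build]); updates are missing"
    } else {
        $result.Compliant = $true
        $result.Reason = 'At or above expected patch level'
    }
    $result
}

function Test-WindowsUpdateService {
    # A stopped or disabled wuauserv is a strong hint that "no updates available" cannot be trusted.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $svc) { return 'wuauserv not found' }
    if ($svc.StartType -eq 'Disabled') { return 'wuauserv is disabled' }
    return "wuauserv is $($svc.Status) (start type $($svc.StartType))"
}

Test-OsPatchLevel | Format-List
Test-WindowsUpdateService
```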
Use of admin accounts
The requirements of CE dictate that you should not be logged in with an admin account for your day-to-day tasks and should instead use a standard user account. If your device ever becomes infected with malware while logged in with an administrator account, the malware will also become an administrator on your device. If you’re using a standard user account, the malware won’t be able to do as much damage.
Although not advisable, the CE guidelines do allow you to provide all of your users with admin accounts, as long as these accounts are only used via User Account Control (UAC) or the ‘run as’ command. On Windows, UAC is the pop-up box you will occasionally see which asks you if you want to allow an application to make changes to the device; on Mac/Linux you should use ‘switch user’ and then use sudo. Ideally, you should try to restrict the use of admin accounts as much as possible, but the Scheme does also allow for the fact that they are sometimes required by organisations.
Too much detail
The SAQ contains different question types, including yes/no questions as well as ‘how’ questions. When answering the yes/no questions, typically you will only need to provide ‘yes’ or ‘no’ as an answer, and including excessive amounts of detail can sometimes create a lack of consistency across the questionnaire, eventually rendering the SAQ noncompliant.
Common Cyber Essentials Plus Challenges
Out of date/unsupported/unused software
It’s important to ensure any unused software is removed from your devices. Many organisations move away from using certain software and install alternative software that provides the same service or function (e.g. moving from Zoom to Microsoft Teams), but don’t remove the redundant software, leaving it unpatched and vulnerable. It’s important to remove any software you aren’t using anymore; not only does this make it easier to stay on top of patching as there is less software to patch, but it also reduces your attack surface. We often see .NET cause problems here, as organisations will assume they have installed .NET 6 as an upgrade from .NET 5 (which is EOL); however, because each .NET version is a standalone installation that sits alongside the others, they will, in fact, have both installed. As such, this is something you may need to check and remove.
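A check for the .NET side-by-side problem described above, as an added example that is not the post’s own code. It parses the one-line-per-runtime output of ‘dotnet --list-runtimes’ and reports any runtime from an EOL major version, noting when a newer major is already present (the leftover-after-upgrade case). The EOL list is an assumption to maintain from Microsoft’s .NET support policy; the post only states that .NET 5 is EOL, and the sample lines are constructed:

```powershell
# Added example, not from the original post. Finds .NET runtimes installed side by side and flags
# those belonging to an EOL major version. Each 'dotnet --list-runtimes' line looks like:
#   Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
# $EolDotNetMajors is an assumption: keep it in step with Microsoft's .NET support policy.
$EolDotNetMajors = @(5)

function ConvertFrom-DotnetRuntimeList {
    param([string[]]$Lines)   # live 'dotnet --list-runtimes' output, or sample lines
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>\S+)\s+(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)\S*\s+\[(?<path>[^\]]+)\]') {
            [pscustomobject]@{
                Name  = $Matches.name
                Major = [int]$Matches.major
                Ver   = "$($Matches.major).$($Matches.minor).$($Matches.patch)"
                Path  = $Matches.path
            }
        }
    }
}

function Find-EolDotnetRuntimes {
    param([string[]]$Lines, [int[]]$EolMajors = $EolDotNetMajors)
    $runtimes = @(ConvertFrom-DotnetRuntimeList -Lines $Lines)
    $majors   = @($runtimes.Major | Sort-Object -Unique)
    foreach ($rt in $runtimes | Where-Object { $_.Major -in $EolMajors }) {
        $newer = @($majors | Where-Object { $_ -gt $rt.Major })
        # The situation the post describes: an EOL major left behind beside its successor.
        if ($newer.Count) { $note = "EOL; .NET $($newer -join ', ') also present, remove this one" }
        else              { $note = 'EOL; no supported replacement installed' }
        [pscustomobject]@{ Runtime = "$($rt.Name) $($rt.Ver)"; Path = $rt.Path; Note = $note }
    }
}

# Constructed sample of a device where .NET 6 was "upgraded to" but .NET 5 was never removed:
$sample = @(
    'Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
    'Microsoft.NETCore.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
    'Microsoft.WindowsDesktop.App 6.0.27 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]'
)
Find-EolDotnetRuntimes -Lines $sample | Format-Table -AutoSize

# On a real device, feed it the live output instead (dotnet.exe must be on PATH):
# Find-EolDotnetRuntimes -Lines (& dotnet --list-runtimes)
```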
Multiple profiles
Multiple profiles on devices (i.e. where more than one user logs on to the same device) can also cause issues during CE+ assessments. Multiple profiles are not an issue by themselves if they are kept in regular use and, therefore, continue to update. However, if software on the device has been installed per user rather than per machine, the software will not update on a particular profile unless that user is regularly logging in. This can lead to unexpected vulnerabilities appearing during the internal authenticated vulnerability scan that is performed on a sample of devices as part of the CE+ assessment.
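One way to find the per-user installs the paragraph above warns about before an authenticated scan does, as an added example that is not part of the original post. It walks every local profile, lists software registered under that profile’s own Uninstall key (rather than the machine-wide one under HKLM), and reports profiles whose hive is not loaded, which are exactly the accounts that are not logging in. It assumes an elevated PowerShell session; the registry paths are the standard Windows ones, not anything specific to the post:

```powershell
# Added example, not from the original post. Lists software installed per user (under each
# profile's HKCU Uninstall key) rather than per machine (HKLM), plus a rough last-use time for
# each profile. Assumes it is run elevated. Hives of logged-off users are not loaded, so those
# profiles are reported for a manual look rather than silently skipped.
function Get-PerUserInstalls {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    # Only real user SIDs (S-1-5-21-*), not built-in service accounts
    $profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
    foreach ($p in $profiles) {
        $sid  = $p.PSChildName
        $user = Split-Path $p.ProfileImagePath -Leaf
        $hive = "HKU:\$sid"
        if (-not (Test-Path $hive)) {
            # Hive not loaded = that user is not logged on: the profile most likely to fall behind
            [pscustomobject]@{ User = $user; Software = '(hive not loaded: user not logged on)'; Version = ''; Status = 'check manually' }
            continue
        }
        $keys = @("$hive\Software\Microsoft\Windows\CurrentVersion\Uninstall",
                  "$hive\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
        foreach ($key in $keys) {
            Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
                $app = Get-ItemProperty $_.PSPath
                if ($app.DisplayName) {
                    [pscustomobject]@{ User = $user; Software = $app.DisplayName; Version = $app.DisplayVersion; Status = 'per-user install' }
                }
            }
        }
    }
}

function Get-ProfileLastUse {
    # NTUSER.DAT is rewritten at logon/logoff, so its write time is a usable "still in use?" signal
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*' | ForEach-Object {
        $ntuser = Join-Path $_.ProfileImagePath 'NTUSER.DAT'
        $last = $null
        if (Test-Path $ntuser) { $last = (Get-Item $ntuser -Force).LastWriteTime }
        [pscustomobject]@{ User = (Split-Path $_.ProfileImagePath -Leaf); LastUse = $last }
    }
}

Get-PerUserInstalls | Sort-Object User, Software | Format-Table -AutoSize
Get-ProfileLastUse  | Format-Table -AutoSize
```

Any profile whose last use is weeks old and which carries per-user installs is a candidate either for logging in and updating or for removing the profile altogether.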
What can help?
Tools
There are a number of tools available, suitable for a range of budgets (including some that are free), which can help you comply with CE by conducting vulnerability scans or assisting you with patching. The tools you select will depend on your budget and your staff’s ability to use the product. Some paid tools also have free community editions and, while these are normally limited to around 16 agents, this may be enough for smaller organisations. However, with any tool, you should always exercise caution as they can make mistakes and flag up both false positives and false negatives.
Some tools that may be worth consideration include:
- Patch My PC
- ManageEngine Patch Manager Plus
- Winget UI
- Microsoft Intune
- SolarWinds
- N-able
- Nessus Professional
- Qualys
- NinjaOne
- Wazuh
- Heimdal.
Manual checks and regular training
To prevent vulnerabilities and patches being missed due to a tool making a mistake, we recommend performing manual checks alongside your use of tools. winget, for example, is a built-in package manager, and running ‘winget list’ will display everything installed on your device; meanwhile, checking ‘Add or remove programs’ within your device settings will help you ensure your programs are up-to-date and compliant.
It can also be helpful to conduct regular training sessions for your staff in which you teach them how to identify basic issues. For smaller organisations, we sometimes recommend training staff on how to perform manual checks of their own devices. This enables you to implement a weekly manual check policy, where staff update a spreadsheet or send an email every week confirming which software versions they’re running, which is a straightforward way of collecting accurate information.
Asset management
Asset management is not mandatory for CE certification, but it can greatly assist you in meeting the requirements associated with the 5 control areas and, while there are asset management tools available, smaller organisations can often rely on a spreadsheet. It can also help you cut costs in some cases by helping you identify assets you’re not using and can therefore retire. For more information on asset management, see our blog on 3 Top Tips When Approaching CE Certification.
Backups and security updates
Backups are extremely important for helping you prevent data loss, maintain business continuity and may even be a requirement for your cyber insurance, so make sure to check your terms and conditions. Backups can also be used to test security updates. Security updates don’t always do what they’re supposed to and can sometimes crash your device or prevent it from working properly. As such, it’s important to thoroughly test updates, and a good way to do this is to take a backup, install the update, and, if there are any issues, use the backup to restore your device. You should also make sure you have a strong policy for testing the backups themselves. We often find that organisations will believe they’re doing daily backups but have never tested them, and therefore can’t be sure they’re working.
How URM can help
Following the above advice will be a significant help in achieving successful certification to Cyber Essentials; however, if you feel that your organisation would benefit from further, tailored advice and support, URM is ideally placed to provide this. URM is an accredited certification body, meaning that we have been trained and licensed to certify organisations against the Cyber Essentials Scheme. As such, we have facilitated hundreds of successful CE and CE+ assessments, providing us with in-depth knowledge and a wealth of experience around the Scheme. Meanwhile, as an Assured Service Provider under the NCSC’s Cyber Advisor scheme, our team of Cyber Advisors (Cyber Essentials) are able to provide you with reliable advice to help you implement the Cyber Essentials security controls and achieve a successful certification.
Prior to assessment, one of our assessors can conduct a gap analysis to help you identify any areas of noncompliance in your existing policies and controls, and offer advice on remediation. When you feel ready to complete the assessment, we can also review your application before formal submission of your SAQ. Depending on your preference, URM’s assessor can either work through a Cyber Essentials checklist with you before you complete the SAQ, preparing you to successfully fill out the SAQ yourself, or check your already completed SAQ before submission. We also offer a pre-assessment service for CE+, where we can conduct a technical pre-assessment on a smaller, but still significant, set of systems. Following this pre-assessment, we will explain and provide recommendations for closing any gaps between your systems as they stand and the requirements of CE+.