Pass Cyber Essentials Plus by Avoiding These Common Mistakes
Written by: David Henderson on Mar 23, 2023
Cyber Essentials Plus is a fantastic certification for any organisation looking to improve their cyber security. Covering the more basic elements, it helps you develop your resilience to the most common forms of cyber attack.
As an experienced NCSC-assured service provider, we have helped dozens of organisations in Northern Ireland, Ireland and the UK achieve certification to Cyber Essentials Plus.
Our goal is to help our clients gain certification in the easiest and most efficient manner possible. So here is our take on the most common reasons for failure and how to prepare yourself for a first-time, stress-free pass.
Unpatched software is among the top reasons for failure when it comes to certification. Keeping software patched is also one of the easiest and most important things you can do as an organisation to help keep your devices and networks safe from bad actors.
"In a recent study, it has been reported that up to 57% of external compromises used an unpatched vulnerability."
Before beginning your Cyber Essentials journey, make sure the software on all of your devices is patched and up-to-date. This includes the operating system and any third-party software or apps running on that device. If you use an external IT provider to manage your devices, give them a call and make sure they know you’re going to be certifying to CE+ and what you'll need to work together on in order to become compliant.
Although not required to pass CE+, here are a few additional steps you could take to help with the management of your devices.
If you don't have one already, try creating an asset register. This will help you understand how many devices are in use within your organisation and who their primary owners are, which makes it much easier to prompt those responsible for each device and request that they apply patches and updates regularly.
One of the easiest ways to ensure devices are kept up-to-date is to simply discuss cyber security with your team. Make it part of regular company updates, stand-ups or team days to ensure everyone understands the importance of good cyber hygiene. Building good cyber security culture within your organisation goes a long way in preventing future cyber attacks. Obtaining Cyber Essentials isn't a short-lived exercise, it should influence how you think about cyber going forward.
Team training is one of the best long-term strategies for developing healthy cyber awareness within organisations. If your team is more aware of the impact that a cyber attack can have on your organisation, they will be more aware of the importance of applying updates sooner rather than later.
Training not only helps demonstrate the importance of keeping devices and software up-to-date, but it also builds cyber resilience at a more macro level in your organisation.
Given that approximately 80% of successful breaches include a human element, it’s certainly something that should be on your roadmap.
Why not take a look at some of the training courses we offer?
There are software products available that can help you manage your devices and help you automatically apply updates to organisational devices. Although this isn’t required to pass Cyber Essentials Plus, it may make the long-term process of your device management that much easier.
Lastly, why not check out this article on the NCSC’s website giving advice on how to keep devices and software up-to-date.
Personal mobile devices cause most failures when it comes to achieving NCSC Cyber Essentials Plus.
Because many personal devices fall outside an organisation's remit to manage, it is difficult to ensure that devices connected to your network and services are safe, secure and patched with the most recent updates.
A Cyber Essentials Plus audit requires that the operating system and apps on personal mobile devices are kept up to date. It also requires that devices need a PIN to unlock, run an operating system version within the specified minimum or maximum, and are not jailbroken or rooted.
Engage with your team before starting the CE+ process. Be transparent about the reasons why your organisation is aiming to achieve certification and the importance of keeping devices up to date. If you succeed in getting your team onboard, it is the best thing you can do to ensure that devices are updated on a regular basis.
BYOD (bring your own device) is a challenge for most organisations, so here are a few tips to take your mobile device security to the next level.
Why not create a separate network for these devices to connect to? This restricts what these devices can reach, keeping your most important networks out of the reach of malicious software on devices that you don't manage. We also advise that you have a separate network for guests.
Conditional access policies allow you to specify minimum security requirements before a device is allowed to connect to a system or network. For example, Microsoft 365 allows you to set minimum operating system requirements before a device can access the MS365 account.
If you have an existing SSO (single sign-on), check your service for conditional access policy support.
Should your staff be unable to secure their mobile devices, a more extreme measure would be to supply them with a company-managed device. By doing this, you will be able to implement MDM (mobile device management) that can automate software updates on connected devices.
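As an added example (not part of the original article), the asset register suggested above can be turned into a simple compliance check against the personal-device requirements just described: devices not updated recently, an operating system below a minimum version, no unlock PIN, or a jailbroken/rooted device. The register rows, the 14-day update window and the minimum OS versions are constructed values for illustration, not NCSC figures.

```python
# Added example: check a device asset register against the conditions the article
# lists. Register rows, PATCH_WINDOW_DAYS and MIN_OS_VERSION are assumed values.
import csv
import io
from datetime import date

# Assumed minimum OS version per platform (illustrative only).
MIN_OS_VERSION = {"ios": (16, 0), "android": (12, 0), "windows": (10, 0), "macos": (13, 0)}
PATCH_WINDOW_DAYS = 14  # assumed window after which a device counts as unpatched

# Constructed asset register: one row per device, with its primary owner.
ASSET_REGISTER = """device,owner,platform,os_version,last_updated,pin_set,rooted
LAP-001,alice,windows,10.0,2023-03-10,yes,no
PHN-002,bob,ios,15.7,2023-03-20,yes,no
PHN-003,carol,android,13.0,2023-01-05,no,no
PHN-004,dave,android,13.0,2023-03-21,yes,yes
"""


def parse_version(text):
    """'15.7' -> (15, 7) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def check_register(register_csv, today_iso):
    """Return {device: [findings]} for every device that fails at least one check."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        issues = []
        age = (today - date.fromisoformat(row["last_updated"])).days
        if age > PATCH_WINDOW_DAYS:
            issues.append(f"not updated for {age} days (prompt owner: {row['owner']})")
        if parse_version(row["os_version"]) < MIN_OS_VERSION[row["platform"]]:
            issues.append(f"{row['platform']} {row['os_version']} is below the minimum version")
        if row["pin_set"] != "yes":
            issues.append("no unlock PIN")
        if row["rooted"] == "yes":
            issues.append("jailbroken/rooted")
        if issues:
            findings[row["device"]] = issues
    return findings


if __name__ == "__main__":
    for device, issues in check_register(ASSET_REGISTER, "2023-03-23").items():
        print(device, "->", "; ".join(issues))
```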
Another common hurdle we see is inadequate access control and user permissions.
Properly implemented, these measures will limit the damage that can be done should a device in your organisation be compromised. Staff should only have access to the directories, software and privileges that allow them to perform their day-to-day tasks.
Cyber Essentials Plus requirements specify that you have access control measures implemented on devices across your organisation. This includes granting admin access only to those who need it and only using this admin access to perform admin tasks. Devices falling under this requirement include desktop computers, laptop computers, tablets, mobile phones, and email, web, and application servers.
Review all of your devices to check for admin and regular user accounts. For admin accounts, ensure these are only being used to perform admin tasks, i.e. not for day-to-day activities that don't require escalated privileges. For regular user accounts, check that they have not been inadvertently granted admin rights (you can check via your operating system's user settings or by trying to run an admin command in a terminal app).
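As an added example (not code from the original article), this script performs the "inadvertent admin rights" review described above for Linux-style group data: it parses lines in the /etc/group format that `getent group` prints, collects everyone in a privileged group, and reports anyone not on an approved admin list. The group lines, the set of privileged group names and the approved list are constructed; on Windows the equivalent check is membership of the local Administrators group.

```python
# Added example: flag accounts holding admin rights that are not on the approved list.
# GROUP_DATA, ADMIN_GROUPS and APPROVED_ADMINS are constructed/assumed values.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}  # assumed privileged group names

# Constructed output in /etc/group format: name:password:gid:member,member,...
GROUP_DATA = """root:x:0:
sudo:x:27:alice,bob
wheel:x:10:alice
staff:x:50:alice,bob,carol,dave
admin:x:80:dave
"""

APPROVED_ADMINS = {"alice"}  # the people who actually need admin access


def admin_members(group_text):
    """Return {user: {privileged groups}} for every user in a privileged group."""
    result = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _password, _gid, members = line.split(":", 3)
        if name in ADMIN_GROUPS:
            for user in filter(None, members.split(",")):
                result.setdefault(user, set()).add(name)
    return result


def unexpected_admins(group_text, approved):
    """Users with admin rights who are not on the approved list: review or remove."""
    return {u: g for u, g in admin_members(group_text).items() if u not in approved}


if __name__ == "__main__":
    for user, groups in sorted(unexpected_admins(GROUP_DATA, APPROVED_ADMINS).items()):
        print(f"{user}: unexpected admin rights via {', '.join(sorted(groups))}")
```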
Lack of Multi-factor Authentication is another common cause of failure in Cyber Essentials Plus.
MFA, often referred to as two-factor authentication (2FA), is a security mechanism that requires users to provide two or more different forms of identification or evidence to verify their identity. Its purpose is to add an extra layer of security beyond traditional username and password-based authentication. Authentication methods include unique codes generated by authenticator apps or delivered by SMS and email messages.
Cyber Essentials Plus requirements dictate that MFA should be enabled on all of your cloud-based services.
Review all your apps and services for MFA availability, not just cloud-based ones. MFA is an extremely effective method of preventing unauthorised access to your accounts, so as a basic security principle we recommend that you enable it on any service that offers it, not just cloud services, for added peace of mind.
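The "unique codes generated by authenticator apps" mentioned above are time-based one-time passwords (TOTP, RFC 6238). As an added example that is not part of the original article, this shows how such a code is derived from a shared secret and the current time, and how a service verifies a submitted code; the secret is the RFC 6238 test secret and the one-step clock-drift tolerance is an assumed policy.

```python
# Added example: generate and verify TOTP codes (RFC 6238, HMAC-SHA1, 6 digits,
# 30-second steps). The secret is the RFC test vector; DRIFT_STEPS is an assumed policy.
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1  # assumed: also accept the previous and next code to tolerate clock drift


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time):
    """TOTP is HOTP with the counter set to the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


def verify_totp(secret, submitted, unix_time):
    """Service-side check: constant-time compare against every code in the drift window."""
    now = int(unix_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, now + d), submitted)
               for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret
    print(totp(secret, 59))  # 287082 (RFC 6238 SHA-1 test vector, truncated to 6 digits)
    print(verify_totp(secret, "287082", 89), verify_totp(secret, "287082", 120))
```

A code is only as strong as the secrecy of the shared secret and the service's rate limiting, which is why the article's advice is to enable the service's own MFA rather than build one.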
Malware and malicious software evolve and change rapidly, so it’s vital that any anti-virus software running on your devices is kept up-to-date.
Requirements under this Cyber Essentials technical control dictate that anti-virus must be installed and kept up-to-date, that it must scan automatically upon startup, that it must scan web pages when accessed through a web browser and that it must prevent access to malicious websites.
The device scope for Cyber Essentials Plus includes desktop and laptop computers, tablets and mobile phones.
Ensure all of your devices have appropriate anti-virus software installed. Switch on automatic updates and ensure that automatic scanning on startup is enabled.
If you want to read more about device security, check out this handy article on the NCSC's (National Cyber Security Centre) website:
Or send us a quick message