Cyber Essentials Applications – Top 3 mistakes made by organisations

As an accredited Cyber Essentials certification body (CB), URM handles a significant number
of applications every year from a wide variety of organisations and business sectors.
For many organisations looking to achieve cyber essentials certification, having to complete
a self-assessment can be challenging, particularly if they have not previously had to verify
their IT infrastructure or meet the requirements of a security standard.  As a result, there are a number of errors that we, repeatedly encounter which, worst case, culminates in the assessment being ‘failed’ and the organisation having to resubmit. 

Following feedback from our team of assessors, we have put together the 3 most common mistakes that we see appearing on self-assessment questionnaires.  

1 – Operating system version numbers

Cyber Essentials, like many security standards, requires that you keep your operating systems patched and up to date to ensure that any known exploits or vulnerabilities do not expose you to attack.  For the assessor to determine if you are patching within the accepted time frame, they need to know what version of the operating system(s) you are using on your devices.

As such, the questionnaire requires that you provide details.  However, a large number of organisations will simply put ‘Windows 10’ or Windows 10 Pro’.  Unfortunately, Windows 10 has been around for 5 years now and some of the earlier versions are now at end of life and out of support and, therefore, this information is insufficient – versions must be included too. Since Microsoft release feature updates twice per year, maintaining the latest version is crucial and it should be noted that if you are using unsupported operating systems or firmware, you will not be able to achieve Cyber Essentials certification. For further information on the life cycle of Windows products https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet.

2 – Two factor authentication for administrator accounts

Cyber Essentials requires that two factor authentication (2FA) is used for administrator accounts whenever possible.  A number of organisations seem to misunderstand what 2FA is and instead list applications or systems which are not relevant. To achieve 2FA, there are three factors that can be used:

  • Something you know – password, PIN, passphrase
  • Something you have – token, smartcard, digital certificate
  • Something you are – fingerprint, face recognition

It is important to remember that 2FA requires a user to enter two different factors to authenticate with the system, using the same factor twice is not a valid 2FA implementation.

3 – Patch management

The Cyber Essentials scheme requires that all high and critical patches are applied within 14 days of release.  However, many organisations miss the fact that it is only high and critical patches that need to be applied within this short time-frame, with other patches requiring implementation in a ‘timely manner’. A risk-based prioritised approach should be taken to determine timescales for implementing less critical patches that have been identified as being required, with best practice suggesting that these are likely to be implemented within three months of their release.

In an attempt to implement all patches within 14 days, and ensure they all go through adequate testing before being deployed, many organisations can end up omitting some of the critical patches. As a result, the responses on the application forms tend to include comments such as ‘we don’t patch all systems in 14 days because of our internal testing….’.  It is important to ensure that you have a suitable patch management programme that incorporates the ability to apply a risk to each patch in order that you can prioritise the important ones. This should allow you to meet the 14 day requirement for patches categorised as high or critical.

Let us help you

URM has been providing certification to the cyber essentials scheme for a number of years and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process. Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards. As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. In addition, our large team of assessors enables us to guarantee a super-fast turnaround.