Common Cyber Essentials Challenges and how to Overcome Them

Common Cyber Essentials Challenges  

Misreading or misunderstanding questions

It is incredibly important that, when you’re completing the SAQ, you make sure to read each question carefully to avoid making unnecessary mistakes.  For example, we often see organisations misunderstand question A5.10, which asks you which method you use to unlock your devices.  An acceptable response to this question can be as simple as stating that you use a username and 12 character password, however as this question is in the Device Locking section of the questionnaire, organisations sometimes assume the question is asking about account lockouts rather than unlocking, and provide incorrect responses as a result.  

‘My managed service provider (MSP) takes care of it’ is another incorrect response that we frequently see provided across different questions.  This is not an acceptable answer; you must be aware of the process you are being asked about and be able to describe that process.  If, when completing the SAQ, you find that you don’t know the answer to a question about a process which is managed by an MSP, it is perfectly acceptable to contact them for information that can help you answer the question.

End-of-life (EOL) software  

Any EOL software that is in scope of your CE certification will result in an automatic fail.  Common EOL products that we still see organisations use include:

• Windows 7
• Windows 10 Pro 21H2
• MacOS 11 (Big Sur)
• iOS14
• Android 10
• Vmware ESXi 6.7
• Office 2013.

You need to ensure you are running up-to-date, supported software.  The EOL software listed above is no longer supported and doesn’t receive updates anymore, and having it installed will leave you vulnerable to attack.  While there are websites available which will provide you with information on whether software is or is not still supported, we would recommend contacting the vendor themselves as they will always be the most accurate and reliable source of information.

Missing patches  

It is not uncommon for organisations to mistakenly believe they’re patched due to failure or corruption of the Windows Update service, which can sometimes tell you that there are no updates available when this is not the case.  To check the operating system (OS) version your device is running, you can open the command prompt (if you have access to this) and run the ‘winver’ command.  Something like this should appear:  

Here, 19045 indicates the build (Windows 10 22H2) and the number following the dot (4046) is the current OS patch version installed.

Use of admin accounts  

The requirements of CE dictate that you should not be logged in with an admin account for your day-to-day tasks and should instead use a standard user account.  If your device ever becomes infected with malware while logged in with an administrator account, the malware will also become an administrator on your device.  If you’re using a standard user account, the malware won’t be able to do as much damage.

Although not advisable, the CE guidelines do allow you to provide all of your users with admin accounts, as long as these accounts are only used via the User Account Control (UAC) or the ‘run as’ command.  On Windows, the UAC is the pop-up box you will occasionally see which asks you if you want to allow an application to make changes to the device, meanwhile on Mac/Linux you should use ‘switch user’ or sudo.  Ideally, you should try to restrict the use of admin accounts as much as possible, but the Scheme does also allow for the fact that they are sometimes required by organisations.  

Too much detail

The SAQ contains different question types, including both yes/no questions, as well as ‘how’ questions.  When answering the yes/no questions, typically you will only need to provide ‘yes’ or ‘no’ as an answer, and including excessive amounts of detail can sometimes create a lack of consistency across the questionnaire, eventually rendering the SAQ noncompliant.  

Common Cyber Essentials Plus Challenges

Out of date/unsupported/unused software

It’s important to ensure any unused software is removed from your devices. Many organisations move away from using certain software and install alternative software that provides the same service or function (e.g. moving from Zoom to Microsoft Teams), but don’t remove the redundant software, leaving it unpatched and vulnerable.  It’s important to remove any software you aren’t using anymore; not only does this make it easier to stay on top of patching as there is less software to patch, but also reduces your attack surface.  We often see .NET cause problems here, as organisations will assume they have installed .NET 6 as an upgrade from .NET 5 (which is EOL), however as it is a standalone installation they will, in fact, have both installed.  As such, this is something you may need to check and remove.  

Multiple profiles

Multiple profiles on devices (i.e. where one device has more than one user is logged on to use it) can also cause issues during CE+ assessments.  Multiple profiles are not an issue by themselves if they are kept in regular use and, therefore, continue to update.  However, if software on the device has been installed per user rather than per machine, the software will not update on a particular profile unless the user is regularly logging in.  This can lead to unexpected vulnerabilities appearing during the internal authenticated vulnerability scan that is performed on a sample of devices as part of the CE+ assessment.

What can Help?  

Tools  

There are a number of tools available, suitable for a range of budgets (including some that are free), which can help you comply with CE by conducting vulnerability scans or assisting you with patching.  The tools you select will depend on your budget and your staff’s ability to use the product.  Some paid tools also have free community editions and, while these are normally limited to around 16 agents, this may be enough for smaller organisations.  However, with any tool, you should always exercise caution as they can make mistakes and flag up both false positives and false negatives.  

Some tools that may be worth consideration include:

• Patch My PC  
• ManageEngine Patch Manager Plus
• Winget UI  
• Microsoft Intune  
• SolarWinds
• N-able
• Nessus Professional  
• Qualys
• NinjaOne
• Wazuh
• Heimdal.

Manual checks and regular training

To prevent vulnerabilities and patches being missed due to a tool making a mistake, we recommend performing manual checks alongside your use of tools.  Winget list, for example, is a built-in package manager and will display everything installed on your device, meanwhile checking ‘add and remove programs’ within your device settings will help you ensure your programs are up-to-date and compliant.  

It can also be helpful to conduct regular training sessions for your staff in which you teach them how to identify basic issues.  For smaller organisations, we sometimes recommend training staff on how to perform manual checks of their devices themselves, enabling you to implement a weekly manual check policy where staff will update a spreadsheet or send an email every week confirming which software versions they’re running, as this is a straightforward way of collecting accurate information.  

Asset management

Asset management is not mandatory for CE certification, but can greatly assist you in meeting the requirements associated with the 5 control areas and, while there are asset management tools available, smaller organisations can often rely on a spreadsheet.  It can also help you cut costs in some cases by helping you identify assets you’re not using and can therefore dismiss.  For more information on asset management, see our blog on 3 Top Tips When Approaching CE Certification.  

Backups and security updates

Backups are extremely important for helping you prevent data loss, maintain business continuity and may even be a requirement for your cyber insurance, so make sure to check your terms and conditions.  Backups can also be used to test security updates.  Security updates don’t always do what they’re supposed to and can sometimes crash your device or prevent it from working properly.  As such, it’s important to thoroughly test updates, and a good way to do this is to take a backup, install the update, and, if there are any issues, use the backup to restore your device.  You should also make sure you have a strong policy for testing the backups themselves.   We often find that organisations will believe they’re doing daily backups but have never tested them, and therefore can’t be sure they’re working.