What are the common failures for Cyber Essentials
Here at InfoSec Governance, we’ve been performing assessments of companies to Cyber Essentials and IASME Cyber Assurance for a long time. After certifying thousands of companies over the years, our assessors have the experience and have probably just about seen every type of configuration and answer possible.
What we get asked frequently is, what are the common failures for achieving Cyber Essentials? In this blog article we’re going to discuss what we see as the common trends for failures, or major non-compliances.
Unsupported Operating Systems and Applications
The first finding we see all the time is unsupported Operating Systems and applications. This applies to Microsoft Windows and macOS as well as your mobile phones, so iOS and Android. Don’t forget the firmware on your routers as well! To avoid a hard failure, you as a business need to ensure that you are running up to date and supported Operating Systems.
This also includes any Bring Your Own Device (BYOD) devices which access any business data or services (such as email), so make sure your users keep their mobile devices up to date.
If you are unsure whether your Operating Systems are up to date, you can visit this website for further information – https://endoflife.date
Your applications also need to be kept up to date and supported, for example Microsoft Office, Adobe Reader, 7Zip, WinZip and Zoom. We see all too often that people have installed applications and forgotten about them, so they are no longer kept up to date. If you don’t need them, remove them.
No patching implemented, or outdated
Another important area we see, which closely relates to the above section, is patching. We see all too often that the Operating Systems, even if in support, are not being kept up to date, and more so when it comes to third-party applications. Under Cyber Essentials, you have up to 14 days to install all High and Critical security updates which have been provided by the vendor.
The best way to achieve this is to ensure that you have automatic updates configured for all applications which support it. If you have an application which doesn’t support auto updates, subscribe to the vendor’s newsletters to keep informed of any updates made available.
Antivirus not running
Another requirement for Cyber Essentials is ensuring that you have antivirus installed on all endpoints (excluding mobile devices). The antivirus software should also be up to date and configured to scan and check for vulnerabilities. We see a lot of the time that the antivirus is installed, but it is broken and hasn’t worked for months.
Regular checks should be performed to make sure it’s working as expected and keeping your devices safe and secure.
Firewalls not implemented
Firewalls should be implemented on all endpoints as well as at the border of your network which talks to the internet. By default, all firewalls should be configured to deny all inbound traffic unless it is required for a specific service. We see a lot of the time that firewalls are not implemented on users’ endpoints, which is a risk if any device is compromised.
You should run the Operating System’s built-in firewall, or a third-party one, and then ensure it’s always running.
Not running as a standard user
A big area we see, especially for macOS users, IT companies or software developers, is that there is no account separation in place. For Cyber Essentials you need to ensure that all users use a standard level user account at all times and only use an administrative level account to perform admin level changes, such as configuration or installation of applications.
You should have two accounts, a standard account and an administrative account; if you don’t, this should be put in place.
Managed Service Providers not checking their work
Lastly, one which will likely upset a lot of MSPs: when we perform audits for our customers, especially when doing Cyber Essentials Plus, it is evident a lot of the time that there is a trend in the MSP world where MSPs provide managed services for patching, updates, support etc. but fail to manually check that these things are happening, and instead rely upon what their apps tell them.
This can lead to problems on the day of certification when our audits uncover unsupported Operating Systems, no patching being performed for months, broken antivirus and people running as administrators.
If you are an MSP and provide these types of services, please check your customers regularly and ensure that what your reporting is saying is true. The Datto product suite seems to be a big issue for reporting and applying updates in our experience.
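As an added example (not InfoSec Governance’s own tooling), here is a PowerShell spot-check that an MSP or internal IT team could run on a Windows endpoint to verify the controls discussed above (host firewall, antivirus, account separation and 14-day patching) rather than trusting a dashboard. It assumes Windows 10/11 with Microsoft Defender and the built-in NetSecurity, Defender and Windows Update components; the 7-day signature-age threshold and the mapping of Cyber Essentials “High” to the MSRC “Important” rating are assumptions.

```powershell
# Added example: spot-check an endpoint against the Cyber Essentials controls above.
# Assumes Windows 10/11 with Microsoft Defender; run it as the everyday (standard) user.
$findings = @()

# 1. Host firewall: every profile enabled and blocking inbound by default.
#    'NotConfigured' falls back to Block on Windows, so only 'Allow' is a finding.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -eq 'Allow') {
        $findings += "Firewall profile '$($p.Name)' is disabled or allows inbound by default"
    }
}

# 2. Antivirus: service and real-time protection running, signatures recent.
#    7 days is an assumed threshold for 'up to date'; adjust to your policy.
$av = Get-MpComputerStatus
if (-not $av.AMServiceEnabled -or -not $av.RealTimeProtectionEnabled) {
    $findings += 'Defender service or real-time protection is not running'
}
if ($av.AntivirusSignatureAge -gt 7) {
    $findings += "Antivirus signatures are $($av.AntivirusSignatureAge) days old"
}

# 3. Account separation: the interactive user should not hold local admin rights.
#    Groups includes BUILTIN\Administrators (S-1-5-32-544) even when the token is
#    UAC-filtered, so a split-token admin account is still caught.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($id.Groups.Value -contains 'S-1-5-32-544') {
    $findings += "User $($id.Name) is a member of the local Administrators group"
}

# 4. Patching: vendor Critical/Important updates still pending after 14 days.
#    Assumption: MSRC 'Important' is treated as Cyber Essentials 'High'.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
foreach ($u in $pending) {
    $age = (Get-Date) - $u.LastDeploymentChangeTime
    if ($u.MsrcSeverity -in 'Critical','Important' -and $age.Days -gt 14) {
        $findings += "'$($u.Title)' ($($u.MsrcSeverity)) pending for $($age.Days) days"
    }
}

# 5. OS build, to compare against https://endoflife.date for the supported-version check.
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "OS: $($os.Caption) build $($os.BuildNumber)"

if ($findings.Count -eq 0) { Write-Host 'No findings' }
else { $findings | ForEach-Object { Write-Host "FAIL: $_" } }
```

Keep the output alongside the RMM report for the same device; a mismatch between the two is exactly the kind of gap the Cyber Essentials Plus audit will find.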