Why SMEs Fail Cyber Essentials: The Seven Deadly Sins

Femi I

2/14/2026, 6 min read


Cyber Essentials isn't meant to be difficult. The NCSC designed it to be achievable for small and medium organisations. Yet we see the same mistakes repeated constantly: organisations think they're ready, submit their assessment, and then face weeks of back-and-forth clarification or an outright failed submission.

After assessing numerous organisations through the certification process, we've identified seven critical failure points. These aren't small oversights; they're fundamental gaps that derail certifications, waste time, and cost money.

If you're preparing for Cyber Essentials, here's what to watch out for.

---

Sin #1: Misunderstanding Scope

The Mistake:

Organisations think Cyber Essentials certification means "our main office computers." They scope it narrowly—just the laptops and desktops used day-to-day, maybe the office WiFi. Everything else gets excluded.

The Reality:

Cyber Essentials scope defaults to the whole organisation: every device that can connect to the internet (or accept inbound connections) and is used for business purposes, plus the cloud services your organisation uses. A narrower scope is only acceptable where it is a clearly defined network boundary, and it must be declared as a sub-set. In practice that means office PCs, home-working laptops, mobile phones accessing company email, tablets, servers, cloud infrastructure and SaaS, network equipment, and BYOD devices if they are permitted to access organisational data or services.

Why It Matters:

If you define your scope incorrectly, you're either leaving security gaps (defeating the purpose of certification) or making claims about controls that don't cover your full estate. When the assessor identifies the mismatch, your submission gets sent back for complete rescoping.

How to Get It Right:

Map your complete digital estate before starting the questionnaire. Include everything that touches the internet for business use. When in doubt, include it. Document your scope clearly and validate it during your readiness assessment.

---

Sin #2: The MSP Illusion

The Mistake:

"Our IT provider handles everything, so we're fine." Organisations outsource to a managed service provider, assume the MSP has certification covered, and submit vague or incomplete answers based on that assumption.

The Reality:

Cyber Essentials certifies your organisation, not your MSP. You must demonstrate that controls are in place and managed effectively. Your MSP might be technically excellent, but unless they've specifically prepared you for certification—with documentation, evidence, and clear articulation of controls—you'll struggle.

Why It Matters:

When the assessor asks for evidence (firewall configuration, patch management documentation, access control policies), you'll need to provide it. "Our MSP handles that" isn't sufficient. If your MSP can't or won't provide certification-ready documentation, your submission stalls.

How to Get It Right:

Engage your MSP early. Confirm they can provide the evidence and documentation needed for certification. Understand what controls they manage on your behalf and what remains your organisational responsibility (like user access management). Document everything clearly.

---

Sin #3: Patch Management Theatre

The Mistake:

"Updates are automatic, so we're compliant." Organisations rely on Windows Update or automatic software updates and assume that satisfies the patch management requirement.

The Reality:

Cyber Essentials requires that updates fixing vulnerabilities the vendor rates as critical or high risk (or scoring 7.0 or above on CVSS v3, or where the vendor gives no rating at all) are applied within 14 days of release, across the whole scope, with a documented process for managing exceptions. Automatic updates are a good start, but they are not evidence: you still need to show that they ran, on every device, in time.

Why It Matters:

You need visibility, documentation, and proof. Can you demonstrate what patches were applied when? Do you track critical patches versus routine updates? Do you have a process for patches that fail or break systems? If you can't evidence your patch management approach, you fail this control.

How to Get It Right:

Implement patch management visibility tools. Document your process for reviewing, testing, and deploying patches. Track compliance across your estate. Ensure you can produce evidence showing timely patching for critical vulnerabilities.
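As an added illustration (not part of the original article, and not a description of Idela's or IASME's tooling), here is the kind of check that turns "updates are automatic" into evidence. It takes a constructed inventory of device/update records, applies the scheme's 14-day rule only to the updates it covers, and separates compliant, late, overdue and documented-exception cases so each can be explained to the assessor. The record fields, hostnames and KB numbers are assumptions made for the example.

```python
"""Checking security updates against the Cyber Essentials 14-day window.

Added example for this article (not Idela's tooling or an IASME artefact).
It evaluates a constructed inventory of (device, update) records; a real run
would feed it from your patch-management export instead.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW = timedelta(days=14)  # CE: fixes for critical/high-risk issues installed within 14 days


@dataclass
class UpdateRecord:
    host: str
    update_id: str
    severity: str              # vendor rating: critical, high, moderate, low, or unknown
    cvss: Optional[float]      # CVSS v3 base score if the vendor publishes one
    released: date
    installed: Optional[date]  # None = not installed yet
    exception: Optional[str] = None  # documented reason it is not installed (assumed field)


def in_14_day_scope(rec: UpdateRecord) -> bool:
    """The 14-day clock applies to updates the vendor rates critical or high,
    to CVSS v3 scores of 7.0 or above, and to updates with no rating at all
    (an unrated fix cannot be assumed harmless)."""
    if rec.severity in ("critical", "high"):
        return True
    if rec.cvss is not None and rec.cvss >= 7.0:
        return True
    return rec.severity == "unknown" and rec.cvss is None


def assess(rec: UpdateRecord, today: date):
    """Classify one record. Returns (status, days_since_release).

    compliant  installed on or before the 14-day deadline
    late       installed, but after the deadline (the process missed)
    overdue    not installed, past the deadline, no documented exception
    excepted   not installed, but a documented exception exists (still needs explaining)
    pending    not installed, deadline not yet reached
    routine    outside the 14-day rule (lower-rated fix)
    """
    if not in_14_day_scope(rec):
        return "routine", None
    deadline = rec.released + WINDOW
    if rec.installed is not None:
        days = (rec.installed - rec.released).days
        return ("compliant" if rec.installed <= deadline else "late"), days
    days = (today - rec.released).days
    if rec.exception:
        return "excepted", days
    if today > deadline:
        return "overdue", days
    return "pending", days


def report(records, today: date):
    """Group hosts by status so the evidence pack shows both the good and the bad."""
    summary: dict = {}
    for rec in records:
        status, days = assess(rec, today)
        summary.setdefault(status, []).append((rec.host, rec.update_id, days))
    return summary


# Constructed sample inventory (hostnames and KB numbers are made up).
TODAY = date(2026, 2, 14)
SAMPLE = [
    UpdateRecord("WS01", "KB5000001", "critical", 9.8, date(2026, 1, 13), date(2026, 1, 20)),
    UpdateRecord("WS02", "KB5000001", "critical", 9.8, date(2026, 1, 13), date(2026, 2, 5)),
    UpdateRecord("SRV01", "KB5000002", "high", None, date(2026, 1, 27), None),
    UpdateRecord("SRV02", "KB5000003", "moderate", 5.3, date(2026, 2, 1), None),
    UpdateRecord("LT01", "KB5000004", "unknown", None, date(2026, 2, 5), None),
    UpdateRecord("FIN01", "KB5000005", "critical", 8.1, date(2026, 1, 20), None,
                 exception="Breaks payroll client; vendor fix expected, host isolated"),
]

if __name__ == "__main__":
    for status, hosts in sorted(report(SAMPLE, TODAY).items()):
        print(f"{status:10s} {hosts}")
```

The classification is the point, not the data source: whatever your patch-management tool exports, these are the questions the assessor asks. "Late" installs are as telling as "overdue" ones, because a device that caught up on day 23 shows the process failed even though the dashboard is now green.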

---

Sin #4: MFA Misconfiguration

The Mistake:

Organisations enable multi-factor authentication and think the job is done. They've ticked the MFA box, so they're compliant.

The Reality:

Cyber Essentials has specific requirements for how MFA is implemented. It must be enforced for every administrator account and for all users of cloud services, not just for the remote-access paths you think of first. It should use the stronger methods the scheme recognises (an authenticator app, a hardware token, or a trusted device) rather than relying on SMS alone. Exceptions must be documented and justified. And conditional access policies must actually enforce MFA: a policy left in report-only mode, or riddled with exclusions, is nominally enabled and practically absent.

Why It Matters:

Partial MFA implementation—enabled for some users but not others, configured for some services but not all, or using weak methods—creates compliance gaps. The assessor will identify these gaps and require remediation before certification.

How to Get It Right:

Audit your MFA coverage comprehensively. Ensure all remote access points are covered. Ensure all admin accounts require MFA regardless of access method. Use app-based or hardware token MFA where possible. Document any exceptions with clear business justification.
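As an added example (not code from the original article or from Idela), the following audit shows what "MFA is enabled" needs to mean before an assessor accepts it. It separates two things that get conflated: whether an account has a strong method registered, and whether an enabled conditional access policy actually forces it to use one. The tenant data is constructed and only loosely mirrors Entra ID's policy states and method names; a real audit would export those via the Microsoft Graph API or the admin portal.

```python
"""MFA coverage audit: who is actually forced to use MFA, and with what?

Added example for this article, not Idela's tooling. The data below is
constructed and only loosely follows the shape of Entra ID conditional
access policies and authentication-method registrations.
"""
from dataclasses import dataclass, field

# Method labels are assumptions; they mirror Entra's naming loosely.
STRONG_METHODS = {"microsoftAuthenticator", "fido2", "hardwareOath"}
WEAK_METHODS = {"sms", "voice"}


@dataclass
class Account:
    upn: str
    is_admin: bool
    methods: set = field(default_factory=set)  # registered MFA methods


@dataclass
class CaPolicy:
    name: str
    state: str            # "enabled", "enabledForReportingButNotEnforced", "disabled"
    include: set          # {"All"} or a set of UPNs
    exclude: set = field(default_factory=set)
    grant_controls: set = field(default_factory=set)  # e.g. {"mfa"}


def requires_mfa(policy: CaPolicy) -> bool:
    return "mfa" in policy.grant_controls


def enforcing_policy_for(acct: Account, policies):
    """Return the first *enabled* MFA policy that includes this account and does
    not exclude it. Report-only and disabled policies never count."""
    for p in policies:
        if p.state != "enabled" or not requires_mfa(p):
            continue
        included = "All" in p.include or acct.upn in p.include
        if included and acct.upn not in p.exclude:
            return p.name
    return None


def audit(accounts, policies):
    """Return a list of (scope, subject, issue) findings."""
    findings = []
    for p in policies:
        if requires_mfa(p) and p.state != "enabled":
            findings.append(("policy", p.name, f"state is '{p.state}', so MFA is not enforced"))
    for a in accounts:
        scope = "admin" if a.is_admin else "user"
        if enforcing_policy_for(a, policies) is None:
            findings.append((scope, a.upn, "no enabled conditional access policy requires MFA"))
        if not a.methods:
            findings.append((scope, a.upn, "no MFA method registered"))
        elif not (a.methods & STRONG_METHODS):
            findings.append((scope, a.upn, "only SMS/voice registered; move to an app or token"))
    return findings


# Constructed tenant. The all-users policy was switched on in report-only mode
# and never enforced: exactly the "nominally enabled" trap described above.
POLICIES = [
    CaPolicy("Require MFA for all users", "enabledForReportingButNotEnforced",
             include={"All"}, exclude={"breakglass@example.com"}, grant_controls={"mfa"}),
    CaPolicy("Require MFA for admins", "enabled",
             include={"admin-jo@example.com", "admin-sam@example.com"}, grant_controls={"mfa"}),
    CaPolicy("Block legacy authentication", "enabled", include={"All"}, grant_controls={"block"}),
]
ACCOUNTS = [
    Account("admin-jo@example.com", True, {"microsoftAuthenticator"}),
    Account("admin-sam@example.com", True, {"sms"}),
    Account("breakglass@example.com", True),
    Account("alice@example.com", False, {"microsoftAuthenticator"}),
    Account("bob@example.com", False),
]

if __name__ == "__main__":
    for scope, subject, issue in audit(ACCOUNTS, POLICIES):
        print(f"[{scope}] {subject}: {issue}")
```

Two findings in the sample are the ones that most often surprise organisations: alice has an authenticator registered but nothing forces her to use it, because the only policy covering her is in report-only mode; and the break-glass admin is excluded from that policy and absent from the admin policy, so it is an administrator account with no MFA at all. Both need either fixing or a documented justification.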

---

Sin #5: User Access and Shared Accounts

The Mistake:

Shared accounts exist "for good reasons"—a communal info@ email, a shared admin login, a generic "office" account for a tablet. Organisations don't see these as compliance failures because they seem operationally necessary.

The Reality:

Cyber Essentials explicitly prohibits shared accounts. Every user must have their own unique account. The reason is accountability—if something goes wrong, you need to know who did it. Shared accounts eliminate that traceability.

Why It Matters:

Shared accounts are an automatic fail. Even one shared account in your environment means you don't meet the user access control requirement. You'll be required to eliminate all shared accounts before certification can be issued.

How to Get It Right:

Audit your entire environment for shared credentials. Eliminate them or find compliant alternatives (e.g., shared mailboxes accessed via individual accounts, not shared logins). Implement proper user access reviews so accounts are created/disabled appropriately when people join or leave.

---

Sin #6: The Router Isn't a Firewall

The Mistake:

"We have a router from our ISP, it's got a firewall built in, so we're compliant." Organisations confuse consumer-grade router functionality with the boundary firewall controls that Cyber Essentials requires.

The Reality:

Cyber Essentials requires a properly configured boundary firewall that denies inbound traffic by default and only allows necessary services through based on a documented ruleset. Most ISP-provided routers in default configuration don't meet this standard—they allow certain services through automatically (UPnP, remote management, etc.).

Why It Matters:

You must demonstrate active firewall management: documented rules, deny-by-default configuration, regular reviews, and proper segmentation (e.g., guest WiFi isolated from business network). If you can't export and explain your firewall ruleset, you can't evidence this control.

How to Get It Right:

Review your boundary firewall configuration actively. Change the default administrative password, disable administration from the internet (or restrict it to a documented need, protected by MFA or a source-address allow-list), and turn off UPnP and any other unnecessary services. Document your ruleset and the business justification for each allowed inbound service. Implement network segmentation where appropriate. If using cloud services, ensure the equivalent perimeter controls are configured there too.
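Added example, not from the original article or Idela's own tooling: a review of a boundary ruleset in the format `iptables -S INPUT` prints, checking the three things the text asks for (deny-by-default, a justification for every allowed service, and no management or discovery service open to arbitrary sources). The two rulesets and the justification table are constructed; the management-port list is an assumption chosen for the example. A consumer ISP router typically gives you no such export, which is exactly why it is hard to evidence.

```python
"""Boundary firewall review: deny-by-default, justified rules, nothing sensitive open to the world.

Added example for this article, not Idela's tooling. It reads iptables-style
rules (the format `iptables -S INPUT` prints) from a constructed string. The
"justified" table stands in for your documented ruleset.
"""
import shlex

# Services that should not be reachable from arbitrary internet sources on a
# boundary firewall: SSH, Telnet, SSDP/UPnP, RDP, VNC and common web-admin ports.
MANAGEMENT_PORTS = {22, 23, 1900, 3389, 5900, 8080, 8443}


def parse_rule(line: str) -> dict:
    """Extract the fields the review needs from one `iptables -S` line.
    Unmodelled matches (-m conntrack, --ctstate, -i ...) are skipped."""
    toks = shlex.split(line)
    rule = {"chain": None, "policy": None, "src": "any", "proto": None,
            "dport": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-P":                                  # -P CHAIN POLICY
            rule["chain"], rule["policy"] = toks[i + 1], toks[i + 2]
            i += 3
        elif t in ("-A", "-s", "-p", "--dport", "-j"):  # options with one argument
            key = {"-A": "chain", "-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}[t]
            rule[key] = int(toks[i + 1]) if t == "--dport" else toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def review(ruleset: str, justified: dict) -> list:
    """Return findings. `justified` maps (proto, port) -> documented business reason."""
    findings = []
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        if r["chain"] != "INPUT":
            continue
        if r["policy"] is not None and r["policy"] != "DROP":
            findings.append(f"INPUT default policy is {r['policy']}: not deny-by-default")
        if r["target"] == "ACCEPT" and r["dport"] is not None:
            svc = f"{r['proto']}/{r['dport']}"
            if (r["proto"], r["dport"]) not in justified:
                findings.append(f"{svc} allowed with no documented justification")
            if r["dport"] in MANAGEMENT_PORTS and r["src"] == "any":
                findings.append(f"{svc} is a management/discovery service open from any source")
    return findings


# Documented ruleset (constructed): what the business says it needs and why.
JUSTIFIED = {
    ("tcp", 443): "public web service",
    ("tcp", 22): "admin SSH, restricted to office range",
    ("tcp", 8443): "vendor support portal, restricted to vendor IP",
}

# Constructed: what an "it's got a firewall built in" device typically looks like.
WEAK = """
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed: the same boundary after lock-down.
HARDENED = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8443 -j ACCEPT
"""

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("hardened", HARDENED)):
        results = review(rs, JUSTIFIED)
        print(f"--- {name}: {len(results)} finding(s)")
        for f in results:
            print("  ", f)
```

The weak ruleset fails on exactly the points in the text: an accept-by-default policy, SSDP/UPnP (udp/1900) and port 80 open with no documented reason, and SSH reachable from any source. The hardened ruleset keeps the same business services but restricts SSH to the office range and drops everything not explicitly allowed, so every remaining accept line has a matching entry in the documented ruleset.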

---

Sin #7: Time Pressure and Unrealistic Deadlines

The Mistake:

"We need certification by next week for a tender deadline." Organisations discover late that they need Cyber Essentials, rush the submission without preparation, and expect immediate certification.

The Reality:

Cyber Essentials is a technical assessment, not a form you can complete overnight. Proper preparation—scoping your estate, reviewing controls, identifying gaps, gathering evidence, documenting processes—takes time. Even well-prepared organisations need at least a few weeks.

Why It Matters:

Rushed submissions are incomplete submissions. They lead to lengthy back-and-forth clarifications with the assessor, which often takes longer than if you'd prepared properly from the start. Or worse, they lead to missed deadlines and lost opportunities.

How to Get It Right:

Plan ahead. If you know you'll need Cyber Essentials—whether for a specific contract or as general good practice—start the process early. Give yourself at least 4-6 weeks runway. Conduct a readiness assessment first to identify gaps before formal submission.

---

The Pattern: Readiness Before Submission

Notice the common thread across all seven failures? Organisations submit before they're ready.

They treat Cyber Essentials as a form-filling exercise rather than a technical assessment. They assume their existing practices automatically equal compliance. They hope the assessor won't dig too deep.

That approach doesn't work.

The organisations that succeed with Cyber Essentials—that get certified first time without weeks of painful back-and-forth—are the ones who assess their readiness honestly before submitting. They identify gaps early, fix them properly, gather their evidence, and only then move to formal assessment.

---

How Idela Helps

At Idela, we've built our certification approach around this principle: readiness first, certification second.

Before any formal assessment begins, we help you understand where you actually are. We identify gaps in implementation, documentation, and understanding. We give you clear guidance on what needs fixing. And we only move to formal certification when you're genuinely ready.

This approach means:

  • Faster certification (no lengthy back-and-forth with the assessor)

  • Lower stress (you know what to expect before submission)

  • Better outcomes (you build genuine capability, not just pass an assessment)

We offer three levels of support depending on where you're starting from:

  • Readiness validation for organisations who are mostly there and just need confirmation

  • Structured assessment and guidance for organisations who need help navigating the technical requirements

  • Comprehensive support for organisations starting from low maturity who need hands-on help throughout

Start with a Free Readiness Call

Not sure where you stand? Book a 15-minute readiness call. We'll discuss your current setup, identify obvious gaps, and recommend the best path forward—whether that's working with us or handling certification internally.

No obligation, no sales pressure. Just clear guidance from people who understand what actually trips organisations up.

[Book Your Free Readiness Call →](/contact)

---

Want the Checklist?

We've created a Cyber Essentials Readiness Checklist based on these seven common failures. It walks you through the key questions to ask before submitting your assessment.

Download it free—no strings attached.

[Download CE Readiness Checklist →]

Want the quick reference? [Download the 7 Sins Guide →]

---

Idela is an IASME-approved Certification Body specialising in Cyber Essentials and IASME Cyber Assurance for UK organisations. We believe certification should be clear, fair, and achievable—not confusing or adversarial.