Why do organisations fail cyber essentials?

We support and advise organisations of all sectors and sizes during Cyber Essentials. If you’re thinking of getting accredited here are our top 5 fails: 

  1. Unsupported Operating System build versions  
  1. Application updates not applied  
  1. Mobile Devices  
  1. MFA is not rolled out across all users for cloud services  
  1. Not restricting what files can be run  (eicar files like .exe & .msi)  

Here’s how they break down. 

Unsupported Operating System build versions  

Keep on top of this basic security hygiene and ensure you only use in support versions. You can do this with an asset list of devices and when their support ends. 

Application updates not applied  

Usually, this applies to browsers that often have updates every 2 weeks. So try to push updates with device management or encourage users with a prize! Remember positive re-enforcement of security principles always yields good user compliance. 

Mobile Devices with unsupported OS  

Mobile devices are in scope where they access organisational data. This is always queried by customers so here’s the score: if it accesses company data Eg: O365 email, the device is in scope. If it’s only used for authentication apps, it’s out of scope. 

Use application whitelisting, where IT policy requires users to only download from official app/play stores to manage this. 

MFA is not rolled out across all users for cloud services  

Some cloud service providers don’t have MFA as an option. Consider changing providers or asking for it to be an option if they are late to the MFA party. 

Not restricting what files can be run   

Users should be prompted for admin credentials when installing files, to ensure the apps comply with IT policy as a minimum. Make sure you have this in place. 

D2NA is experienced in implementing cyber security solutions for its mobile and IT customers and includes a Cyber Security Audit as standard at the start of any new service contract. This makes sure network and device security basics are covered and any potential weaknesses are identified on day one, for an upgrade. 

If you would like to discuss your eligibility for the Cyber Essentials accreditation, please get in touch. 


Dennis, K., 2022. The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today’s digital environment – Iasme.  


500 King Street, Longton, Stoke-on-Trent, ST3 1EZ

Need Help?