Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against the most common internet-borne cyber threats. Certification demonstrates that a business has implemented the scheme's five baseline technical controls (firewalls, secure configuration, security update management, user access control and malware protection), and it is mandatory for certain central government contracts and increasingly expected by larger customers and insurers.

However, many businesses underestimate the preparation needed. As a result, they fail their first assessment or spend unnecessary time and money on remediation. Below are some of the most common mistakes businesses make when preparing for Cyber Essentials, and how to avoid them.

1. Underestimating Scope

One of the most frequent errors is not clearly defining the scope of the assessment. Cyber Essentials requires the organisation to declare a boundary around the IT infrastructure being certified: every device that can accept incoming connections from the internet or make user-initiated outbound connections to it, the software running on those devices, and the cloud services used to hold or process organisational data. Whole-organisation scope is the default; a narrower scope is only acceptable where it is a separately managed network segment. Leaving out personally owned devices that access company data, contractor equipment that connects to the network, or cloud-hosted applications is a common cause of rejection (IASME Consortium, 2024).

2. Poor Patch Management

The scheme requires that all in-scope software and devices are licensed, still supported by their vendor, and kept up to date with security patches. Many organisations fail because they are running unsupported operating systems or applications, which cannot be brought into compliance by patching at all: they must be upgraded, removed, or moved outside the certified scope. This issue is especially common in SMEs that rely on legacy systems. Where a vendor update fixes a vulnerability rated critical or high (CVSS v3 base score of 7.0 or above), or carries no severity rating, it must be applied within 14 days of release, and automatic updates should be enabled wherever the product supports them (NCSC, 2024). Meeting that deadline reliably requires a current inventory of what is installed and when each fix shipped.
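The 14-day rule is easy to state and easy to get wrong in practice, because the clock runs from the vendor's release date, not from when the organisation noticed the update, and it only applies to fixes at or above the high-risk threshold. The script below, an added example rather than code from this article or from NCSC or IASME, turns a small software inventory into an assessment. The inventory rows, the report date and the CVSS scores are constructed sample data.

```python
"""Check a software inventory against the Cyber Essentials patch window.

Added example, not code from the article, NCSC or IASME. It encodes the
security-update rule as stated in the scheme's requirements: an update that
fixes a vulnerability rated critical or high (CVSS v3 base score 7.0 or
above), or that carries no severity rating, must be installed within 14 days
of release; unsupported software fails regardless of patch state. The
inventory rows and the report date below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)
HIGH_RISK_CVSS = 7.0
REPORT_DATE = date(2025, 9, 10)  # constructed "today" for the sample run


@dataclass
class Update:
    product: str
    released: date            # vendor release date of the fix
    applied: Optional[date]   # install date, None if still pending
    cvss: Optional[float]     # vendor CVSS v3 base score, None if not published
    supported: bool = True    # vendor still issues security updates


def window_applies(u: Update) -> bool:
    """The 14-day clock runs for critical/high fixes and for unrated fixes."""
    return u.cvss is None or u.cvss >= HIGH_RISK_CVSS


def assess(u: Update, today: date) -> str:
    """Return OK / PENDING / FAIL with the reason, for one inventory row."""
    if not u.supported:
        return "FAIL: unsupported software, upgrade it or move it out of scope"
    if not window_applies(u):
        return "OK: below high-risk threshold, patch on the normal cycle"
    deadline = u.released + PATCH_WINDOW
    if u.applied is not None:
        if u.applied <= deadline:
            return "OK: applied within 14 days"
        return f"FAIL: applied {(u.applied - deadline).days} day(s) after the deadline"
    if today <= deadline:
        return f"PENDING: {(deadline - today).days} day(s) left"
    return f"FAIL: {(today - deadline).days} day(s) overdue"


def failing_products(inventory: List[Update], today: date) -> List[str]:
    """Products that would fail the assessment on the given date."""
    return [u.product for u in inventory if assess(u, today).startswith("FAIL")]


# Constructed sample inventory; dates and scores are illustrative only.
SAMPLE_INVENTORY = [
    Update("Windows 11 workstation", date(2025, 8, 12), date(2025, 8, 20), 8.8),
    Update("Google Chrome", date(2025, 8, 1), None, 9.6),
    Update("PDF reader", date(2025, 9, 5), None, None),
    Update("Text editor", date(2025, 8, 1), date(2025, 9, 1), 4.3),
    Update("Windows 7 laptop", date(2020, 1, 14), None, None, supported=False),
]

if __name__ == "__main__":
    for item in SAMPLE_INVENTORY:
        print(f"{item.product:24} {assess(item, REPORT_DATE)}")
    print("Failing:", failing_products(SAMPLE_INVENTORY, REPORT_DATE))
```

Two points the sample run makes: the text editor fix is a month old but passes because its score is below 7.0, and the Windows 7 machine fails even though no pending update is listed, because unsupported software is out of compliance whatever its patch state. Feeding real data into this means pulling release dates and severity from the vendor's advisories rather than from the date the update first appeared on the device.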

3. Weak Password Practices

Despite growing awareness, weak passwords remain a common stumbling block. Cyber Essentials requires that default passwords are changed, that accounts are not shared, and that password-based logins are protected against brute-force guessing: either lock the account after no more than 10 failed attempts, or throttle guesses to no more than 10 in any 5-minute period. Passwords must be at least 8 characters where multi-factor authentication or a deny list of common passwords is enforced, otherwise at least 12, with no maximum length imposed. Multi-factor authentication is required on every cloud service that offers it, for administrators and ordinary users alike. Businesses often overlook staff training in this area, leading to non-compliance.
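The brute-force rule is the one most often claimed on the questionnaire without being implemented on the systems that matter, so it is worth seeing what compliant logic looks like. Below is an added example, not code from this article or from NCSC or IASME, that implements the length rule and the throttling variant of the brute-force protection (locking the account after 10 failures is the other permitted option). The user name, passwords, deny list and timestamps are constructed for the demonstration.

```python
"""Brute-force protection and password length rules from Cyber Essentials.

Added example, not code from the article, NCSC or IASME. It encodes two of
the scheme's password-based authentication rules: block guessing by locking
after no more than 10 failed attempts or by throttling to no more than 10
guesses in 5 minutes (the sliding-window throttle is the variant shown here);
and require at least 8 characters where MFA or a deny list of common passwords
is in place, otherwise at least 12, with no maximum length imposed. The user
names, passwords, deny list and timestamps are constructed for the demo.
"""
import hmac
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

MAX_GUESSES = 10
WINDOW = timedelta(minutes=5)

# Constructed stand-in for a real list of breached or common passwords.
DENY_LIST = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def password_acceptable(pw: str, mfa: bool, deny_list_enforced: bool) -> bool:
    """Length rule: 8 with MFA or a deny list, 12 otherwise; no upper limit."""
    if deny_list_enforced and pw.lower() in DENY_LIST:
        return False
    minimum = 8 if (mfa or deny_list_enforced) else 12
    return len(pw) >= minimum


class LoginThrottle:
    """Reject further guesses once MAX_GUESSES have failed inside WINDOW."""

    def __init__(self) -> None:
        self._failures: Dict[str, Deque[datetime]] = {}

    def allowed(self, user: str, now: datetime) -> bool:
        window = self._failures.setdefault(user, deque())
        while window and now - window[0] >= WINDOW:
            window.popleft()  # failures older than the window no longer count
        return len(window) < MAX_GUESSES

    def record_failure(self, user: str, now: datetime) -> None:
        self._failures.setdefault(user, deque()).append(now)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)  # a good login clears the counter


def attempt_login(throttle: LoginThrottle, user: str, supplied: str,
                  expected: str, now: datetime) -> str:
    """One login attempt: 'throttled', 'denied' or 'ok'."""
    if not throttle.allowed(user, now):
        return "throttled"  # do not even evaluate the password
    # Demo comparison; a real system compares against a salted password hash.
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "denied"


def simulate_guessing() -> List[str]:
    """12 wrong guesses 10 s apart, then the right password after 5 minutes."""
    secret = "correct horse battery staple"  # constructed
    t0 = datetime(2025, 9, 10, 9, 0, 0)
    throttle = LoginThrottle()
    outcomes = []
    for i in range(12):
        outcomes.append(attempt_login(throttle, "alice", f"guess{i}", secret,
                                      t0 + timedelta(seconds=10 * i)))
    outcomes.append(attempt_login(throttle, "alice", secret, secret,
                                  t0 + timedelta(minutes=5, seconds=1)))
    return outcomes


if __name__ == "__main__":
    print(simulate_guessing())
```

In the simulated run the first ten guesses are checked and refused, the eleventh and twelfth are rejected before the password is even compared, and the correct password is accepted once the oldest failure has aged out of the five-minute window. The sliding window caps an attacker at ten guesses per account per five minutes without ever locking the legitimate user out permanently, which is why it is usually preferred over a hard lockout for customer-facing logins; the lockout option needs a safe unlock path that itself has to be protected.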

4. Ignoring Mobile Devices and Remote Working

With the rise of hybrid working, mobile phones, tablets, and home devices now represent a significant share of the attack surface. Some businesses mistakenly assume that only office-based desktops and laptops fall within the scheme's scope. Any internet-connected device used to access organisational data or services, including personally owned ones, is in scope and must meet the same standards: a supported operating system, security updates applied on time, a PIN, password or biometric to unlock it, and malware protection where the platform supports it (IASME Consortium, 2024).

5. Inadequate Firewall Configuration

Another common issue is a misconfigured network boundary. Cyber Essentials requires a firewall at the internet boundary and a software firewall on every in-scope device, with inbound connections blocked by default. Businesses often leave the firewall's default administrative password unchanged, expose its management interface to the internet, or leave ports open for services that are no longer needed. Every inbound rule must have a documented business justification and be removed when that need ends, and an administrative interface reachable from the internet is only acceptable when protected by multi-factor authentication or an IP allow-list. Any of these gaps can lead to assessment failure.

6. Failing to Separate User and Administrator Accounts

A frequent oversight, particularly among smaller organisations, is the use of administrator accounts for everyday work. Cyber Essentials requires businesses to demonstrate that normal day-to-day activities, including email and web browsing, are carried out using a standard user account. Administrator accounts should only be used when installing software, fixing issues, or making configuration changes, and administrative rights should be reviewed regularly and removed when no longer needed. Failing to show clear account separation can result in assessment failure, because malware or a phishing link opened under an administrator account runs with full control of the system rather than with a single user's limited privileges.

How AJC Can Help

At AJC, we understand that preparing for Cyber Essentials can feel overwhelming, particularly for small and medium-sized organisations without dedicated security teams. Our consultants work with businesses to:

  • Define the correct scope of certification to avoid unnecessary failures.
  • Conduct pre-assessments to identify gaps and provide clear remediation guidance.
  • Support patch management, access control, and firewall configuration.
  • Deliver staff training to embed best practice across the organisation.

By partnering with AJC, businesses not only achieve Cyber Essentials certification more efficiently but also strengthen their wider security posture. Certification is the first step towards resilience, and with expert guidance, it can become a genuine competitive advantage.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

