Common Cyber Essentials Mistakes — And How SMEs Can Avoid Them
Discover the most common Cyber Essentials mistakes SMEs make — and practical tips to avoid delays, failures, and unnecessary rework.
9/22/2025


Cyber Essentials is designed to be accessible, but many SMEs run into avoidable issues that delay approval or cause unnecessary back-and-forth. Here are the most frequent pitfalls we see — and how to avoid them.
1. Missing unsupported devices or OS versions
Devices running out-of-support operating systems are one of the top reasons assessments fail.
Avoid it:
Keep an up-to-date asset list and check OS versions before starting the application.
2. Not treating BYOD as in-scope
If staff access company email or data on personal devices, those devices are in scope.
Avoid it:
List device types and OS versions, and ensure MFA and screen lock policies are enforced.
3. Confusion between routers and firewalls
Many SMEs think “we don’t have a firewall” because they only use an ISP-supplied router.
But every Windows and macOS device includes a software firewall, which is still part of the assessment.
Avoid it:
Confirm software firewalls are enabled on all devices, especially laptops used off-site.
4. Shared or unclear admin accounts
Shared admin accounts immediately fail CE.
Avoid it:
Use unique admin credentials and enable MFA wherever supported.
5. Missing patching or browser updates
Out-of-date browsers and OS security updates are common blockers.
Avoid it:
Enable automatic updates and verify device patch status before submitting.
6. Misunderstanding scope boundaries
Devices used at home for work, cloud services, and remote access platforms are all part of the assessment scope.
Avoid it:
Review the scope early and make sure every in-scope system is accounted for.
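A pre-submission check of an asset list against the six pitfalls above, as an added example that is not part of the original article. The CSV column names, the finding labels and the sample rows are assumptions constructed for illustration; `os_supported` is assumed to be filled in by whoever maintains the list, from the vendor's published support dates.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not real data); column names are assumptions.
INVENTORY_CSV = """\
device,owner,ownership,touches_company_data,in_scope,os_supported,firewall_on,auto_update,mfa,screen_lock,admin_account
LAPTOP-01,alice,company,yes,yes,yes,yes,yes,yes,yes,alice-adm
LAPTOP-02,bob,company,yes,yes,no,yes,yes,yes,yes,office-admin
PHONE-03,carol,byod,yes,no,yes,n/a,yes,no,yes,
DESKTOP-04,dave,company,yes,yes,yes,no,no,yes,yes,office-admin
"""

def audit(csv_text):
    """Return (subject, finding) pairs for the six pitfalls listed above."""
    findings = []
    admin_owners = defaultdict(set)  # admin account name -> people using it
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev = row["device"]
        if row["touches_company_data"] != "yes":
            continue  # never reaches company email or data
        # Pitfalls 2 and 6: a device that reaches company data is in scope,
        # whoever owns it and wherever it is used.
        if row["in_scope"] != "yes":
            findings.append((dev, "wrongly-out-of-scope"))
        # Pitfall 1: out-of-support operating system.
        if row["os_supported"] != "yes":
            findings.append((dev, "unsupported-os"))
        # Pitfall 3: software firewall off ("n/a" = not Windows or macOS).
        if row["firewall_on"] == "no":
            findings.append((dev, "firewall-off"))
        # Pitfall 5: automatic updates not enabled.
        if row["auto_update"] != "yes":
            findings.append((dev, "auto-update-off"))
        # Pitfall 2: BYOD needs MFA and screen lock enforced.
        if row["ownership"] == "byod" and not (row["mfa"] == row["screen_lock"] == "yes"):
            findings.append((dev, "byod-policy"))
        if row["admin_account"]:
            admin_owners[row["admin_account"]].add(row["owner"])
    # Pitfall 4: one admin account used by more than one person.
    for account, owners in sorted(admin_owners.items()):
        if len(owners) > 1:
            findings.append((account, "shared-admin"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY_CSV):
        print(f"{subject}: {finding}")
```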
Final Thoughts
Most CE delays come down to misunderstandings rather than technical issues. With the right preparation — and clear guidance — SMEs can pass smoothly and use CE as a valuable security baseline.
If you’d like help reviewing your readiness or preparing for CE+, we’re always here to support you.


