Every year, thousands of UK organisations apply for Cyber Essentials Plus certification — and a significant proportion of them fail on their first attempt. Unlike the basic Cyber Essentials certification, which is a self-assessment questionnaire, Cyber Essentials Plus involves a hands-on technical audit conducted by an accredited assessor. There is nowhere to hide: real devices are scanned, real configurations are inspected, and real vulnerabilities are exposed.
Understanding why businesses fail is the first step towards ensuring your organisation does not. In this article, we examine the most common reasons UK businesses stumble during their Cyber Essentials Plus assessment, drawing on real-world experience from hundreds of assessments across industries ranging from legal services and accountancy to manufacturing and technology.
The Scale of the Problem
The Cyber Essentials Plus failure rate is not publicly disclosed by the NCSC or by IASME (the NCSC's delivery partner for the scheme), but industry estimates suggest that between 40% and 60% of organisations fail at least one element of their first assessment. That is a sobering statistic, particularly when you consider that these are organisations that have already completed the basic Cyber Essentials self-assessment and believe themselves to be compliant.
The gap between self-assessment and reality is the core issue. Many organisations answer the Cyber Essentials questionnaire based on what they believe their policies dictate, rather than what is actually happening on their devices. Cyber Essentials Plus closes that gap by checking the ground truth.
Reason 1: Unpatched Software and Operating Systems
This is, without question, the single most common reason businesses fail their Cyber Essentials Plus assessment. The scheme requires every piece of software within scope to be updated within 14 days of the vendor releasing a fix for a vulnerability rated critical or high risk (CVSS v3 base score of 7.0 or above), and the same 14-day window applies where the vendor gives no severity information at all. During the assessment, the certification body runs authenticated vulnerability scans on a sample of your devices that reveal exactly which of those updates are missing.
The problem manifests in several ways. Sometimes it is the operating system itself — a Windows device that has not received its latest cumulative update, or a macOS machine that is running a version behind. More often, it is third-party applications: an outdated version of Adobe Acrobat, an old Java runtime that was installed for a legacy application and then forgotten, or a browser plugin that has not been updated in months.
The third-party application gap is particularly insidious because many organisations have excellent processes for operating system patches (thanks to tools like WSUS and Intune) but no equivalent mechanism for the dozens of third-party applications installed across their estate.
Browser extensions are often overlooked during patch management. A single outdated Chrome or Edge extension can cause a Cyber Essentials Plus failure, even if the browser itself is fully updated. Audit your extensions regularly and remove any that are unnecessary.
How to Avoid This Failure
Implement a comprehensive patch management solution that covers not just operating systems but all installed applications. Tools like ManageEngine Patch Manager Plus, Ivanti, or PDQ Deploy can automate third-party patching alongside OS updates. Run a vulnerability scan against your own estate at least one week before your scheduled assessment to identify and remediate any gaps.
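A quick way to see what the assessor's scan will see on a single Windows device, before the third-party tooling is in place, is to ask the Windows Update Agent directly. The script below is an added example, not code from the article or from any Cyber Essentials tool: it lists every update the device is still missing, works out how long each has been available, and flags the ones that are outside the scheme's 14-day window. It uses the built-in Microsoft.Update.Session COM API, so it only covers what Windows Update knows about (Microsoft products and anything you publish through WSUS); the treatment of Microsoft's "Important" rating as the scheme's "high risk", and of updates with no stated severity as still needing patching within 14 days, is this example's reading of the requirement.

```powershell
# Added example (not from the article): list updates the Windows Update Agent says are
# still missing from this device and flag the ones outside the 14-day window.
# Uses the built-in Microsoft.Update.Session COM API; the search can take a minute.
$WindowDays = 14

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0} build {1}, last booted {2:yyyy-MM-dd}" -f $os.Caption, $os.BuildNumber, $os.LastBootUpTime

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
# IsInstalled=0: not yet applied; IsHidden=0: not deliberately hidden by an administrator
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

$report = foreach ($u in $pending) {
    # Defender definition updates arrive daily and carry no severity; they are not what the
    # 14-day rule is about, so skip that category rather than flag it every time.
    $categories = @($u.Categories | ForEach-Object Name)
    if ($categories -contains 'Definition Updates') { continue }

    # MsrcSeverity is Critical/Important/Moderate/Low, or empty for non-security updates.
    # Microsoft's "Important" is treated here as the scheme's "high risk"; an update with
    # no severity information also has to be applied within 14 days, so it is flagged too.
    $mustPatch = ($u.MsrcSeverity -in 'Critical', 'Important') -or -not $u.MsrcSeverity
    $ageDays   = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    [pscustomobject]@{
        Title     = $u.Title
        Severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '(none stated)' }
        KB        = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Published = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        AgeDays   = $ageDays
        Overdue   = $mustPatch -and ($ageDays -gt $WindowDays)
    }
}

$report | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize
$overdue = @($report | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning ("{0} update(s) are outside the {1}-day window; this device would fail the scan" -f $overdue.Count, $WindowDays)
}
```

Run it on a handful of devices that have been out of the office recently: laptops that have missed a patch cycle are where the overdue entries usually turn up. Third-party applications will not appear here at all, which is exactly the gap the section describes, so the output is a complement to, not a substitute for, a proper vulnerability scan.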
Reason 2: Misconfigured Firewalls and Routers
Firewalls are one of the five core Cyber Essentials controls, and the assessment checks both your boundary firewall and the software firewall on each in-scope device: the external vulnerability scan against your internet-facing addresses shows exactly what is exposed, whatever your rule base claims. Common failures in this area include default administrator credentials on routers and firewalls, unnecessary ports left open, and firewall rules that are overly permissive.
Many small businesses use consumer-grade routers provided by their internet service provider, and these devices often ship with default passwords and configurations that are not appropriate for a business environment. If your ISP-provided router is acting as your boundary firewall, you must ensure that its default password has been changed, that remote management is disabled (or at minimum, secured with strong credentials), and that no unnecessary services are exposed to the internet.
For larger organisations, the challenge is typically one of firewall rule hygiene. Over time, firewall rules accumulate — temporary rules that become permanent, rules created for projects that have long since ended, and rules that are overly broad because the original administrator did not want to spend time defining precise access requirements. Each unnecessary rule is a potential avenue for an attacker.
How to Avoid This Failure
Conduct a full firewall audit before your assessment. Document every rule, understand its purpose, and remove any that are no longer required. Ensure that all management interfaces use strong, unique passwords and that remote management is either disabled or restricted to specific IP addresses. If you are using an ISP-provided router, consider replacing it with a business-grade firewall appliance.
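The boundary device has to be audited in its own management interface, but the software firewall on each device can be audited with the same rigour from PowerShell. The script below is an added example, not code from the article: it prints the state and default inbound action of each Windows Firewall profile, then lists every enabled inbound allow rule with the ports and source addresses it exposes, and flags rules that accept any port from any address. The "wide open" test is a heuristic chosen for this example, not a test definition from the scheme.

```powershell
# Added example (not from the article): read the Windows host firewall the way an
# assessor will see it. Profile summary first, then every enabled inbound allow rule with
# the ports and source addresses it exposes; rules open on any port to any address are flagged.
foreach ($p in Get-NetFirewallProfile) {
    "{0,-8} enabled={1,-5} default inbound={2}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction
    # NotConfigured means the built-in default, which is Block; only an explicit Allow is a problem
    if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -eq 'Allow') {
        Write-Warning "Profile $($p.Name): firewall is off or the default inbound action is Allow"
    }
}

$rules  = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
$report = foreach ($r in $rules) {
    $port = $r | Get-NetFirewallPortFilter        # protocol and local/remote ports
    $addr = $r | Get-NetFirewallAddressFilter     # permitted remote addresses
    [pscustomobject]@{
        Rule       = $r.DisplayName
        Profile    = $r.Profile
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
        WideOpen   = (@($port.LocalPort) -contains 'Any') -and (@($addr.RemoteAddress) -contains 'Any')
    }
}

$report | Sort-Object WideOpen -Descending | Format-Table -AutoSize
"{0} inbound allow rule(s), {1} of them open on any port from any address" -f @($report).Count, @($report | Where-Object WideOpen).Count
```

Every rule in the output should have an owner who can explain why it exists; the ones that cannot be explained are the ones to remove. For the boundary firewall itself, the equivalent check is an external port scan run from an address outside your network, which is precisely what the assessor's scan does.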
Reason 3: Weak Access Control and User Account Management
Access control failures take many forms. The most common is the use of administrator accounts for day-to-day work. Cyber Essentials requires that users operate with standard (non-administrative) accounts for routine tasks, with administrative privileges reserved for specific activities that require them.
In practice, many organisations give their users administrator rights because it is convenient — it avoids the helpdesk tickets that arise when users cannot install software or change system settings. However, this convenience comes at a significant security cost: if a user with administrator rights clicks on a malicious link or opens an infected attachment, the malware has full control of the system.
Other access control failures include shared accounts (multiple users sharing a single set of credentials), accounts for former employees that have not been disabled, and weak password policies that do not meet the Cyber Essentials minimum requirements.
How to Avoid This Failure
Audit all user accounts before your assessment. Ensure that standard users do not have administrative privileges, that all accounts belong to current employees, and that your password policy meets or exceeds Cyber Essentials requirements: at least 8 characters where MFA is enforced; without MFA, at least 12 characters with no maximum length, or at least 8 characters combined with a deny list that blocks common passwords. Implement a formal joiner-mover-leaver process to ensure that accounts are created, modified, and disabled in a timely manner.
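On a Windows device the three things the assessor looks at here (who is a local administrator, which accounts are still live, and what the effective password policy is) can all be read in one elevated PowerShell session. The script below is an added example, not code from the article: it lists the members of the local Administrators group and warns if a broad group such as Domain Users is among them, reports each local account with its last logon and whether it is an administrator, warns if the built-in Administrator account is enabled, and exports the local security policy with secedit to read the minimum password length. The 90-day threshold for a stale account is this example's own choice. On a domain-joined device, domain accounts are governed by the domain password policy rather than the local one, so run the equivalent check against Active Directory as well.

```powershell
# Added example (not from the article): local account review for one Windows device.
# Run elevated. Lists Administrators group members, local accounts with last logon and
# admin status, and the effective minimum password length from the local security policy.
$StaleDays = 90    # this example's threshold for "nobody has used this account"

$admins = Get-LocalGroupMember -Group 'Administrators'
"Members of local Administrators:"
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
# A group such as 'Domain Users' here makes every domain user a local administrator
$broad = $admins | Where-Object { $_.Name -match 'Domain Users|Authenticated Users|Everyone' }
if ($broad) { Write-Warning ("Broad group(s) in Administrators: " + ($broad.Name -join ', ')) }

$accounts = foreach ($u in Get-LocalUser) {
    $builtIn = $u.SID.Value -like '*-500'          # RID 500 is the built-in Administrator
    $isAdmin = $admins.Name -contains "$env:COMPUTERNAME\$($u.Name)"
    $stale   = $u.Enabled -and $u.LastLogon -and (((Get-Date) - $u.LastLogon).TotalDays -gt $StaleDays)
    if ($builtIn -and $u.Enabled) { Write-Warning "Built-in Administrator ($($u.Name)) is enabled" }
    [pscustomobject]@{
        Name = $u.Name; Enabled = $u.Enabled; Admin = $isAdmin
        LastLogon = $u.LastLogon; PasswordLastSet = $u.PasswordLastSet; Stale = $stale
    }
}
$accounts | Format-Table -AutoSize

# Effective local password policy, read from a secedit export (locale-independent keys)
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$minLen = [int]((((Get-Content $cfg) -match '^MinimumPasswordLength')[0] -split '=')[1].Trim())
Remove-Item $cfg
"Minimum password length: $minLen"
if ($minLen -lt 8)      { Write-Warning "Below the 8-character floor the scheme allows even with MFA" }
elseif ($minLen -lt 12) { Write-Warning "Only acceptable if MFA or a common-password deny list is enforced" }
```

A user whose everyday account shows Admin = True is the single most common finding in this area; the fix is a separate, named administrative account used only when elevation is genuinely needed.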
Reason 4: End-of-Life Software Still in Use
If a software product is no longer receiving security updates from its vendor, it cannot be used within the scope of a Cyber Essentials assessment. This rule catches many organisations off guard, particularly those running legacy applications that depend on older software versions.
The most high-profile example in 2025 is Windows 10, which reaches end of support on 14 October 2025 (mainstream support ended some years earlier; this is the date on which security updates stop). Organisations that have not migrated to Windows 11 by their assessment date will need to either complete the migration, enrol their Windows 10 devices in Microsoft's Extended Security Updates (ESU) programme so that they continue to receive security patches, or remove those devices from scope.
But operating systems are only part of the picture. Office 2016 and Office 2019 reach end of support on the same date, 14 October 2025. Older versions of PHP, Python, .NET Framework, and other development platforms may be running on servers within scope. Even seemingly minor utilities like WinRAR or Notepad++ can be flagged if they are running unsupported versions.
How to Avoid This Failure
Maintain a software asset register that tracks the support status and end-of-life dates for every application within your scope. Set calendar reminders at least six months before a product reaches end of life so that you have adequate time to plan and execute a migration. Where migration is not immediately feasible, consider whether the affected systems can be removed from scope.
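A register is only useful if it is checked against what is actually installed. The script below is an added example, not code from the article: it joins a small register of products, match patterns and end-of-support dates against the software recorded in the Windows uninstall registry keys (which is where the vulnerability scanner reads them from) plus the operating system itself, and reports everything that is past, or within six months of, its end-of-support date. The register is a constructed sample embedded in the script; the Windows 10 and Office 2016 dates are Microsoft's published end-of-support dates, and the other two rows are hypothetical. Replace the embedded text with your own CSV file. It also lists installed products that the register says nothing about, which is usually the more revealing number.

```powershell
# Added example (not from the article): join a software asset register against what is
# installed on this device and report anything past or within six months of end of support.
$WarnDays = 180

# Constructed sample register. Windows 10 / Office 2016 dates are Microsoft's published
# end-of-support dates; the Java and Contoso rows are hypothetical entries for the example.
$register = @'
Product,Match,EndOfSupport,Note
Windows 10,Windows 10,2025-10-14,Microsoft end of support (ESU enrolment extends it)
Office 2016,Microsoft Office .*2016,2025-10-14,Microsoft end of support
Java 8 runtime,^Java 8 Update,2030-12-31,Hypothetical date for the example
Contoso Reporting,^Contoso Reporting,2024-06-30,Hypothetical legacy application
'@ | ConvertFrom-Csv

# Installed software as the scanner sees it: both registry views, plus the OS from CIM
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = @(Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$installed += [pscustomobject]@{ DisplayName = $os.Caption; DisplayVersion = $os.Version; Publisher = 'Microsoft' }

$today  = Get-Date
$report = foreach ($entry in $register) {
    $eol      = [datetime]::ParseExact($entry.EndOfSupport, 'yyyy-MM-dd', $null)
    $daysLeft = [int]($eol - $today).TotalDays
    $status   = if ($daysLeft -lt 0) { 'UNSUPPORTED' } elseif ($daysLeft -le $WarnDays) { 'PLAN MIGRATION' } else { 'OK' }
    foreach ($hit in ($installed | Where-Object { $_.DisplayName -match $entry.Match })) {
        [pscustomobject]@{
            Product = $entry.Product; Installed = $hit.DisplayName; Version = $hit.DisplayVersion
            EndOfSupport = $entry.EndOfSupport; DaysLeft = $daysLeft; Status = $status; Note = $entry.Note
        }
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Installed products the register does not describe are a gap in the register itself
$unknown = $installed | Where-Object {
    $name = $_.DisplayName
    -not ($register | Where-Object { $name -match $_.Match })
}
"{0} installed product(s) not covered by the register, e.g. {1}" -f @($unknown).Count, (@($unknown | Select-Object -First 3).DisplayName -join '; ')
```

A Windows 10 device enrolled in ESU will still show as UNSUPPORTED here because the registry does not record the enrolment; keep the ESU status as a column in the register rather than trusting the device.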
Reason 5: Inadequate Malware Protection
Cyber Essentials requires that all devices within scope have malware protection that is kept up to date and configured to prevent the execution of malicious software. The scheme accepts either anti-malware software or application allow-listing that only permits approved executables to run. For most Windows and macOS devices this means having an antivirus or endpoint protection product installed, enabled, and configured to receive automatic signature updates.
Common failures in this area include antivirus software that has been installed but subsequently disabled by the user, signature databases that are out of date because the device has been offline or the update mechanism has failed, and devices that have no malware protection at all.
The rise of cloud-based endpoint detection and response (EDR) solutions has generally improved the situation, but organisations that rely on traditional antivirus products with local signature databases are still vulnerable to update failures, particularly for devices that are frequently offline or connected to slow network links.
How to Avoid This Failure
Verify that every device within scope has active, up-to-date malware protection. Use a centrally managed solution that provides visibility into the protection status of all devices. If you are using Windows, Microsoft Defender (included with Windows 10 and 11) is a perfectly acceptable solution, provided it is enabled and configured to receive automatic updates.
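The three failure modes the section lists (protection disabled, signatures stale, no protection at all) can all be read from Microsoft Defender on each device, and gathering that into one table gives the central visibility the section asks for even without a management console. The script below is an added example, not code from the article: it runs a status check locally or, over PowerShell remoting, against a list of hostnames, and marks each device compliant only if Defender is enabled, real-time protection is on, and the signatures are no older than a threshold. It assumes Microsoft Defender Antivirus, remoting enabled on the targets and local administrator rights on them; for devices running a third-party product it falls back to what Windows Security Center exposes, which is only a product name and an encoded state. The 7-day signature age limit is this example's threshold, not a figure from the scheme.

```powershell
# Added example (not from the article): malware protection status from a list of in-scope
# Windows devices, collected into one table. Assumes Defender, WinRM and admin rights.
$MaxSignatureAgeDays = 7
$Targets = @('localhost')    # replace with the hostnames sampled for the assessment

$check = {
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $s = Get-MpComputerStatus
        $p = Get-MpPreference
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Product          = 'Microsoft Defender'
            Enabled          = [bool]$s.AntivirusEnabled
            RealTime         = [bool]$s.RealTimeProtectionEnabled -and -not $p.DisableRealtimeMonitoring
            TamperProtected  = [bool]$s.IsTamperProtected
            SignatureAgeDays = [int]$s.AntivirusSignatureAge
            SignatureUpdated = $s.AntivirusSignatureLastUpdated
        }
    } else {
        # Third-party AV: Security Center only exposes a name and a vendor-encoded state
        foreach ($av in Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Product = $av.displayName; Enabled = $null
                RealTime = $null; TamperProtected = $null; SignatureAgeDays = $null
                SignatureUpdated = 'productState=0x{0:X6} (decode per vendor)' -f $av.productState
            }
        }
    }
}

$results = foreach ($t in $Targets) {
    try {
        if ($t -in 'localhost', $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $t -ScriptBlock $check -ErrorAction Stop }
    } catch {
        # An unreachable device is reported, not silently dropped: it is still in scope
        [pscustomobject]@{ Computer = $t; Product = 'UNREACHABLE'; Enabled = $false; RealTime = $false
                           TamperProtected = $null; SignatureAgeDays = $null; SignatureUpdated = $_.Exception.Message }
    }
}

$results | ForEach-Object {
    $ok = ($_.Enabled -eq $true) -and ($_.RealTime -eq $true) -and
          ($null -ne $_.SignatureAgeDays) -and ($_.SignatureAgeDays -le $MaxSignatureAgeDays)
    $_ | Add-Member -NotePropertyName Compliant -NotePropertyValue $ok -PassThru
} | Format-Table Computer, Compliant, Product, Enabled, RealTime, TamperProtected, SignatureAgeDays, SignatureUpdated -AutoSize
```

A device that shows TamperProtected = False is worth fixing even when it is otherwise compliant, because it is exactly the device on which a user (or malware) can switch protection off between your check and the assessor's.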
Reason 6: Insecure Configuration of Cloud Services
As more UK businesses migrate to cloud platforms like Microsoft 365, Google Workspace, and AWS, the Cyber Essentials scheme has evolved to include cloud services within its scope. This means that the configuration of your cloud environment is now subject to assessment — and many organisations are not prepared for this.
Common cloud configuration failures include not enforcing multi-factor authentication (MFA) for all users, granting excessive permissions to service accounts, failing to disable legacy authentication protocols (basic authentication for IMAP, POP3, SMTP AUTH and older Exchange ActiveSync clients) that bypass MFA, and not enabling audit logging. Microsoft 365 tenants are a particularly common source of failures: tenants created before security defaults existed, or where security defaults were switched off without conditional access policies taking their place, frequently have users who can still sign in with a password alone.
Use Microsoft Secure Score to assess your Microsoft 365 configuration before your Cyber Essentials Plus assessment. It highlights security gaps and gives step-by-step remediation guidance. Secure Score is not itself a Cyber Essentials criterion, and a score of around 70% is a reasonable rule of thumb for a well-configured tenant rather than a pass mark, so check each of the scheme's specific requirements directly rather than relying on the percentage.
How to Avoid This Failure
Review the security configuration of all cloud services within scope. At minimum, ensure MFA is enforced for every user account (the requirement applies to all users of every in-scope cloud service, not just administrators), legacy authentication protocols are blocked, audit logging is enabled, and administrative accounts are protected by conditional access policies or by security defaults, which enforce MFA and block legacy authentication tenant-wide. The NCSC and IASME publish guidance on how the five controls apply to cloud services.
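For a Microsoft 365 tenant, the first three of those checks can be made from the Microsoft Graph PowerShell SDK rather than by clicking through the admin portals. The script below is an added example, not code from the article or from the NCSC: it reports whether security defaults are on, whether an enabled conditional access policy blocks legacy authentication clients, and which enabled users have no MFA-capable authentication method registered. It assumes the Microsoft.Graph module is installed and an account with read access to users, authentication methods and policies. "Registered" is the best Graph can tell you about a user; whether MFA is actually enforced at sign-in is decided by security defaults or conditional access, which is why both are checked. The list of method types treated as MFA-capable is this example's own.

```powershell
# Added example (not from the article): three Microsoft 365 identity checks via Microsoft
# Graph PowerShell. Assumes Install-Module Microsoft.Graph and a reader with these scopes.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All' -NoWelcome

# 1. Security defaults: when on, MFA is enforced and legacy authentication is blocked tenant-wide
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# 2. Otherwise an enabled conditional access policy must block the legacy client types
$policies    = Get-MgIdentityConditionalAccessPolicy -All
$legacyBlock = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or $_.Conditions.ClientAppTypes -contains 'other')
}
if ($defaults.IsEnabled -or $legacyBlock) { "Legacy authentication is blocked ($(@($legacyBlock).Count) CA policy/policies)" }
else { Write-Warning 'Neither security defaults nor a conditional access policy blocks legacy authentication' }

# 3. Enabled users with nothing stronger than a password registered.
#    Method types treated as MFA-capable are this example's list.
$strong = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
          '#microsoft.graph.phoneAuthenticationMethod',
          '#microsoft.graph.fido2AuthenticationMethod',
          '#microsoft.graph.softwareOathAuthenticationMethod',
          '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
$noMfa = foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $_ -in $strong })) { $u.UserPrincipalName }
}
"{0} enabled user(s) have no MFA-capable method registered" -f @($noMfa).Count
$noMfa

# Audit logging lives in Exchange Online rather than Graph; with the ExchangeOnlineManagement
# module installed: Connect-ExchangeOnline; (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
```

Service accounts and shared mailboxes that nobody signs into interactively will appear in the third list; decide for each whether it should be blocked from sign-in altogether rather than simply registering a method for it.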
Reason 7: Scope Definition Errors
Sometimes organisations fail not because of a specific technical deficiency but because they have defined the scope of their assessment incorrectly. The default scope is the whole organisation; a smaller scope is acceptable only if it is a clearly defined subset separated from the rest of the estate by a firewall or VLAN. Within that scope, every device that connects to the internet, and every cloud service the organisation uses to hold or process its data, must be declared. Attempting to exclude devices that should be in scope, whether intentionally or through oversight, will result in a failed assessment.
Common scope errors include forgetting about mobile devices (particularly personally owned phones and laptops used for work email or other company data, which are in scope unless that use is prohibited), excluding networked printers and other IoT devices, failing to include remote workers' devices (a home router the organisation did not supply is out of scope, but the laptop behind it, and its software firewall, are very much in scope), and not accounting for cloud services like email, file storage, and CRM systems.
How to Avoid This Failure
Work through the scoping exercise carefully and honestly. If a device connects to the internet and is used for business purposes, it is almost certainly in scope. When in doubt, include rather than exclude — it is far better to invest the effort in securing a device than to face an embarrassing scope challenge during the assessment.
Reason 8: Poor Evidence and Documentation
While Cyber Essentials Plus is primarily a technical assessment, assessors also look for evidence that your security controls are being managed consistently and deliberately. If your patching strategy amounts to "we update things when we remember," that lack of rigour will show in the scan results.
Organisations that maintain clear documentation — patching schedules, configuration standards, access control procedures, incident response plans — tend to perform significantly better in their assessments. This is not because the documentation is assessed directly (it is not), but because the discipline of maintaining documentation drives the consistent application of security controls.
Preparing for Success: A Pre-Assessment Checklist
Based on the common failures outlined above, here is a practical checklist that your organisation should work through before your Cyber Essentials Plus assessment.
Do Before Your Assessment
- Run a vulnerability scan across the whole in-scope estate at least a week before the assessment and fix every missing critical or high-risk update, including third-party applications and browser extensions.
- Audit every firewall and router rule, remove the ones nobody can justify, change default credentials, and disable or restrict remote management.
- Review all user accounts: remove everyday users from administrator groups, disable leavers' and shared accounts, and confirm the password policy meets the scheme's minimums.
- Check the software asset register for anything past or approaching end of support and migrate it, enrol it in extended support, or move it out of scope.
- Confirm every in-scope device reports active, up-to-date malware protection to a central console.
- Review each cloud tenant: MFA for every user, legacy authentication blocked, audit logging on.
- Re-check the declared scope against the asset list, including mobile devices, remote workers' devices and cloud services.
Common Mistakes to Avoid
- Answering the self-assessment from what policy says rather than from what the devices actually show.
- Patching the operating system but not the third-party applications and browser extensions on it.
- Leaving ISP-supplied routers on default credentials with remote management exposed.
- Giving users local administrator rights to save helpdesk tickets.
- Keeping Windows 10 or Office 2016/2019 devices in scope after October 2025 without ESU.
- Forgetting mobile devices, remote workers' devices and cloud services when defining scope.
What Happens If You Fail?
Failing a Cyber Essentials Plus assessment is not the end of the world, though it is certainly frustrating and potentially costly. The scheme allows a remediation period, typically 30 days from the initial test, during which you can address the identified issues and have the failed elements re-tested; confirm the exact terms with your certification body. Bear in mind too that the whole Cyber Essentials Plus process, including any re-test, must be completed within three months of your basic Cyber Essentials certificate being issued, so a late first attempt leaves little room. The re-test usually incurs an additional fee, but it is significantly less than the cost of a completely new assessment.
If the failures are minor — a handful of missing patches or a single misconfigured device — remediation and re-testing can often be completed within a week. For more systemic issues, such as a complete lack of patch management tooling or widespread use of administrator accounts, the remediation may take longer and require more fundamental changes to your IT management practices.
The key is to treat a failure as a learning opportunity. Understand exactly what went wrong, implement changes that address the root cause (not just the symptoms), and use the experience to build a more robust security posture going forward.
The Value of Professional Support
Given the failure rates and the complexity of the requirements, many UK organisations choose to work with a specialist partner to prepare for their Cyber Essentials Plus assessment. A good partner will conduct a pre-assessment gap analysis, help you remediate any issues, and guide you through the assessment process with confidence.
The cost of professional support is typically a fraction of the cost of failing and having to remediate under time pressure. More importantly, the process of working with an expert builds internal capability and understanding that serves the organisation well beyond the immediate assessment.
Cyber Essentials Plus certification demonstrates to your customers, partners, and regulators that your organisation takes cybersecurity seriously. By understanding the common reasons for failure and preparing thoroughly, you can approach your assessment with confidence and achieve certification on your first attempt.
Get Certified with Confidence
Our team has guided hundreds of UK organisations through successful Cyber Essentials Plus certifications. We identify gaps before assessors do and ensure you pass first time. Talk to us about your certification journey.