The six failures we see most in real audits: end-of-life devices (instant fail), unmanaged mobiles, partial MFA, sloppy firewall config, everyone-is-an-admin, and nothing written down. None are exotic. All are ordinary IT habits that were fine in 2015 and are liabilities now. Fix them before the assessor finds them and the assessment itself is the boring part.
Cyber Essentials looks simple from the outside: five controls, a self-assessment questionnaire, an assessor. Then businesses attempt it and discover the questionnaire is answered under declaration, the requirements are specific, and several everyday IT habits are automatic failures.
These are the six failure points we see most often in real audits, roughly in order of how frequently they appear.
1. End-of-life devices or software
Any device running an unsupported operating system is an automatic failure. Since October 2025 that includes every Windows 10 machine without extended updates, along with old macOS versions, out-of-support servers, and the forgotten laptop in the sales cupboard.
It hides well: everything still works, so nobody thinks of it as broken.
The fix: a device audit, then an upgrade-or-replace plan. There is no workaround; the assessor cannot pass unsupported kit.
2. No mobile device management
If staff read company email on their phones (and they do), those devices are in scope. They must be enrolled, screen-locked, encrypted, and wipeable if lost. Unmanaged personal phones with full access to company data is one of the most common gaps, and most businesses have never thought of it as a problem.
The fix: Microsoft Intune, typically already included in business Microsoft 365 licences, deployed with a policy that separates work data from personal.
3. MFA that is only partly deployed
Multi-factor authentication is required on all internet-facing accounts: Microsoft 365, email, remote access, cloud services, admin portals. The pattern we find repeatedly is MFA enabled “mostly”: office staff have it, the directors got exceptions because they found it annoying, and two service accounts nobody remembers have none.
Partial MFA is a fail, and the exceptions are usually the highest-value accounts in the business. The director who skipped MFA is exactly who an attacker wants to be.
The fix: an account-by-account audit, then Conditional Access policies that enforce MFA without exceptions, rather than per-user settings and goodwill.
4. Firewall and router configuration
Default passwords on routers, ports left open from an old project, consumer-grade kit doing business duty, and (increasingly, with hybrid work) staff home routers that have never been looked at. The firewall questions are specific, and “it was like that when we got here” is not an answer.
The fix: a configuration review of every boundary device, closing what should be closed, replacing kit that cannot meet the requirements.
5. Everyone is an admin
Staff doing day-to-day work in accounts with administrator privileges fails the user access control requirement. It usually happens for convenience: admin rights got handed out to stop the IT company being phoned about software installs, and were never taken back.
Malware runs with the privileges of whoever clicked it. An admin clicking a bad link hands over the whole machine.
The fix: separate admin accounts for the few who genuinely need them, standard accounts for daily work.
6. Nothing is written down
Cyber Essentials expects documented basics: a joiners and leavers process, acceptable use rules, how access is granted and revoked. Plenty of well-run businesses operate all of this informally and have precisely none of it on paper, which means it does not exist as far as an assessment is concerned.
The fix: the policies are short and standard; producing them is part of any decent remediation. The useful side effect is that leavers actually get their access revoked on the day they leave.
The honest summary
None of these six is exotic. They are ordinary habits that quietly became liabilities. That is really what Cyber Essentials tests: whether the basics are actually done, everywhere, rather than mostly done in the places people remember.
Gap audit first, against all five controls. Fix what it finds. Only then go near the assessor, which is why the assessment itself tends to be the boring part. Typical timeline is 4 to 8 weeks from audit to certificate, at a fixed price agreed upfront.