Regardless of your specialism, sector, or size, if you’re a managed service provider (MSP), chances are a customer will have asked you at some point to help them with their Cyber Essentials Plus certification. For many MSPs, it’s a regular job. But supporting customers to prepare for and pass Cyber Essentials Plus isn’t without its challenges.
As any MSP can attest, Cyber Essentials Plus audits can turn into a complicated round of remediations, resubmissions, and delays. However, it doesn’t have to be this way. Most of the time, Cyber Essentials complications are caused by easily avoidable mistakes. To help you and your clients experience smoother, faster audits, we’ve pulled together the six most common challenges MSPs face with Cyber Essentials Plus and how to avoid them.
1. Missing high-quality vulnerability management
In a time of tightened budgets, many MSPs use what they have or what they can find cheaply for vulnerability management. And that usually means an RMM tool or the least costly solution available. This might not sound like much of a problem. After all, isn’t it just good business sense to use what you have if it’ll do the job?
However, when it comes to a Cyber Essentials Plus audit, it does cause problems. The problem is that RMMs or unapproved tools often don’t check for all the same vulnerabilities the CE+ audit looks for. So, when the Assessor runs their approved scan, new or higher-risk issues suddenly appear, even though the MSP thought everything was fine.
Or, to put it another way, it’s a bit like using your car’s dashboard gauges to check you’re roadworthy; the MOT test will still find things your dashboard never told you about.
Unexpected vulnerabilities discovered during audits trigger rapid, unplanned remediation tasks, resulting in delays, additional costs, and increased stress for both you and your customers.
What to do about it
Use approved, comprehensive vulnerability scanning tools like Qualys Guard, Nessus, or CyberSmart Vulnerability Manager. This not only makes for a smoother audit process; it also means your clients will benefit from a better level of year-round protection.
2. Device configuration errors
Many people go through life with devices configured to the default settings they came with. However, as well as posing a security risk, this is a sure-fire way for your clients to experience problems during a Cyber Essentials Plus audit.
Misconfigured devices or default settings, such as passwords, outdated .NET versions, or unused open ports, are some of the most common causes of audit failure. Plus, default settings and misconfigurations provide entry points for cybercriminals to exploit. Research from SOCRadar released in 2023 estimated that security misconfigurations are responsible for as much as 35% of all cyber incidents ever.
What to do about it
Look to standardise configurations across your client’s business using clearly documented baselines. The easiest way to do this is to use a tool that can automatically detect configuration issues, so you can address them as and when they arise, rather than working through all of them come audit time.
Alongside this, you should regularly audit client systems, removing default passwords and applying secure configuration standards, such as the benchmarks from the Center for Internet Security (CIS).
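As an added illustration of checking devices against a documented baseline (example code written for this post, not a CyberSmart tool), the script below compares constructed device records with an assumed baseline covering the three issues named above: default credentials, an outdated .NET Framework release, and listening ports outside an allowlist.

```python
"""Baseline drift check for device configurations (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed documented baseline for one client estate (hypothetical values).
# min_dotnet_release is the registry "Release" value to compare against;
# 528040 is the documented value for .NET Framework 4.8 on some Windows 10 builds.
BASELINE = {
    "min_dotnet_release": 528040,
    "allowed_listen_ports": {443, 3389},
    "default_credentials_allowed": False,
}


@dataclass
class Device:
    hostname: str
    dotnet_release: int          # value read from the .NET Framework registry key
    listen_ports: set            # TCP ports observed listening on the device
    default_creds: bool          # True if a built-in/default account password is unchanged
    findings: list = field(default_factory=list)


def check_device(dev: Device, baseline: dict = BASELINE) -> list:
    """Return (severity, message) deviations of one device from the baseline."""
    findings = []
    if dev.default_creds and not baseline["default_credentials_allowed"]:
        findings.append(("high", "default credentials still in use"))
    if dev.dotnet_release < baseline["min_dotnet_release"]:
        findings.append(("medium", f".NET release {dev.dotnet_release} below baseline"))
    extra_ports = sorted(dev.listen_ports - baseline["allowed_listen_ports"])
    if extra_ports:
        findings.append(("medium", f"listening ports outside allowlist: {extra_ports}"))
    dev.findings = findings
    return findings


def audit_fleet(devices: list, baseline: dict = BASELINE) -> dict:
    """Map hostname -> findings for every device that deviates from the baseline."""
    return {d.hostname: f for d in devices if (f := check_device(d, baseline))}


# Constructed sample estate: one compliant workstation, one drifted file server.
SAMPLE_FLEET = [
    Device("ws-01", 528040, {443}, False),
    Device("fs-01", 461814, {443, 445, 5900}, True),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET).items():
        for severity, message in findings:
            print(f"{host}: [{severity}] {message}")
```

Run regularly, the report shows drift as it appears instead of surfacing it all at audit time.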
3. BYOD and shadow IT
Bring Your Own Device (BYOD) has been a boon for businesses, especially since the COVID-19 pandemic. However, it’s not without security risks and can cause problems for Cyber Essentials audits. Personal devices often have less robust security measures than those configured and managed by businesses. What’s more, some research suggests that employees are less likely to engage in cyber-secure behaviours when using personal devices (although other studies propose that the opposite is true).
Shadow IT poses many of the same problems for MSPs. Unmanaged or unlisted devices can lead to uncontrolled data leakage, malware infections, and exposure of sensitive data. Plus, when it comes to audit time, you’ll need every device used within the business to comply with Cyber Essentials controls, potentially adding remediation time, delays and costs.
What to do about it
Use solutions like CyberSmart Active Protect for Mobile, which offers privacy-first monitoring of personal devices, verifying compliance without infringing user privacy. Establish clear BYOD policies and regularly review asset registers. If technical solutions aren't available, MSPs may manually validate configurations through documented screenshots provided by users.
4. MFA on cloud accounts
MSPs and their customers often face issues fully rolling out multi-factor authentication (MFA) across all cloud-based accounts. Tracking this across your client base can prove a challenge, and, somewhat inevitably, some administrative accounts end up getting missed.
This is a problem for a couple of reasons. Firstly, a lack of MFA increases the likelihood of unauthorised account access and data breaches – particularly for administrative accounts, which have wide access privileges. Secondly, as MFA on administrative accounts is a Cyber Essentials requirement, they could fail their audit.
What to do about it
Enable MFA across all cloud-based administrative accounts, prioritising accounts with higher privileges. Clearly document your MFA implementation policies, regularly audit accounts, and provide users with practical support to simplify adoption.
5. Lack of account separation (users running as admin) or incorrectly configured JIT solutions
The importance of access control and account separation won’t be news to most MSPs. Nevertheless, it’s often something customers get wrong. Businesses commonly grant users permanent administrative privileges when they don’t need them. Or, even when they use just-in-time (JIT) privilege management, they configure it poorly.
Once again, this poses a couple of issues. Most importantly, permanent administrative rights significantly increase the chance of malware installation, unauthorised changes, and major incidents due to human error. Alongside this, it can lead to failed Cyber Essentials Plus audits.
What to do about it
Adopt the principle of 'just enough' privilege (providing the minimal required permissions for daily operations) rather than 'just in time' (temporary elevation for tasks). Cyber Essentials explicitly accepts ‘just enough’ approaches. Review Privileged Identity Management (PIM) and Privileged Access Management (PAM) configurations carefully to ensure compliance.
6. Industry-specific challenges
While Cyber Essentials Plus might be beneficial to just about every sector you can think of, the simplicity of the audit process can vary wildly based on industry. For example, clients in industries such as education, construction, or legal frequently use external contractors, temporary staff, or need to grant access to students.
This can dramatically complicate asset control and compliance. Worse still, it often introduces non-compliant devices into organisations, creating security risks and making your client less likely to pass their audit.
What to do about it
Maintain clear, documented asset registers, policies, and user agreements specifically designed for temporary or external users. IASME guidance provides specific information tailored for managing contractors, students, and single-person entities effectively within Cyber Essentials guidelines. MSPs should carefully define the compliance boundaries and regularly audit or confirm device security status with temporary or external personnel.
The challenges MSPs face with Cyber Essentials Plus aren’t insurmountable
Hopefully, your top takeaway from this blog is that the challenges you’re likely to face in leading clients through the Cyber Essentials Plus process aren’t insurmountable. With each challenge, proactive steps ahead of the audit can significantly simplify the Cyber Essentials Plus certification journey, giving you happier clients and stress-free staff.
Frequently asked questions
- Missing high-quality vulnerability management
- Device configuration errors
- BYOD and Shadow IT
- MFA on cloud accounts
- Lack of account separation
- Industry-specific challenges
Bring Your Own Device (BYOD) refers to the practice of employees using personal devices for work. This is usually a policy the business has implemented.
Shadow IT on the other hand, refers to software, hardware, or cloud services used by employees for business purposes without the knowledge or approval of the company's IT department.
However, both come with similar security risks and often make the Cyber Essentials Plus audit process more complicated.
CyberSmart offers a number of tools to help simplify the Cyber Essentials Plus audit process for MSPs and their clients.
- CyberSmart Vulnerability Manager (CSVM) is an approved vulnerability scanner and checks for everything that the Cyber Essentials Plus audit covers, making for smoother audits and year-round protection.
- CyberSmart Active Protect offers privacy-first monitoring of personal devices and year-round compliance with Cyber Essentials Controls.
- CyberSmart Patch automates patch management for third party software, helping you to stay on top of vulnerabilities.
- We're also the UK's leading provider of Cyber Essentials and Cyber Essentials Plus certifications.
