Cyber Essentials BYOD: Managing Your Devices
The Cyber Essentials certification standard outlines the requirements that apply to devices used for work purposes. This covers both devices owned by the business and personally owned devices used to access business services, commonly referred to as Bring Your Own Device (BYOD).
Under the Cyber Essentials scheme, certification is typically easier when you do not have to manage a diverse range of BYODs, which may not meet the certification requirements and cannot be centrally managed by your business.
However, it can sometimes be necessary, easier, or cost-effective to implement a BYOD scheme and allow some personally owned devices to access company data and resources, particularly with the increase in home working.
The National Cyber Security Centre (NCSC) and a variety of other cyber security compliance standards recommend that personally owned devices shouldn’t be used for business purposes and there should be a clear separation between work and personal devices.
This is due to BYODs often being left unmanaged which can introduce risk and vulnerabilities into a business.
To certify against the Cyber Essentials requirements it is necessary to take on a level of management for these BYODs, to ensure they adhere to the baseline security standards defined by the assessment.
This article discusses the security requirements to consider when incorporating BYODs into your business while maintaining your Cyber Essentials certification.
What Are Bring Your Own Devices (BYOD)
BYODs are personal devices that are not owned by the business but are used for work purposes to access business information and organisational services.
This can include desktops, laptops, tablets and smartphones used to log in to work email, messaging apps, business documents and information, and a range of other business-specific services.
What Are The Risks From BYOD
As BYODs are typically not centrally managed by the business, it may not be possible to verify whether these devices adhere to any cyber security standards and are maintained securely.
Each BYOD that accesses your business could introduce a range of cyber security risks, such as:
- The device’s operating system may be outdated or no longer supported and at risk of compromise.
- The device may have malware installed which monitors the device’s connections and keystrokes.
- The device may have already been compromised and could be harvesting any information and credentials that are used on the device, impacting your business data and user accounts.
- Where a compromised device connects to a business network, directly or via a VPN, it may be used to scan your other devices for vulnerabilities and attack them.
- A compromised device may access your business email and be used to send phishing messages to your clients, partners, and other employees.
Why Cyber Essentials Includes BYOD Within The Certification
Cyber Essentials includes BYODs in scope due to the potential security risks they can pose to your business.
The aim of the Cyber Essentials requirements is to define a secure baseline which all companies can align with.
Personal devices which are outside the control of the business are considered untrusted, and present an unacceptable risk to the business where they retain access to company data, technology, or accounts.
BYODs are often vulnerable to the most common cyber attacks and may already be compromised by malware or other common cyber threats.
It is important to prevent the potential compromise of Bring Your Own Devices (BYOD), from spreading to other business devices and information.
Which BYODs Are Included Within Cyber Essentials
BYODs are considered in scope where they are used to access your business networks, corporate data, accounts, or services, which are intended to be private and protected.
This can include personal devices that are used for a broad range of different purposes, such as:
- A home laptop used to log in to business email accounts.
- Personal phones used to log in to and access business messaging apps.
- Tablets used for accessing and reviewing business documents and information.
- Computers used to connect to virtual desktops or virtual private networks.
Which Devices Are Excluded From The Scope Of Cyber Essentials
Within the Cyber Essentials specification, there are several device types that can be excluded from scope depending upon how they are used. The following examples of devices would not require device management to be applied.
Personal Devices
Where BYODs are used only for limited and specific purposes, they may be excluded from the scope of Cyber Essentials, for example:
- Phones used only for business calls with the phone’s native voice apps
- Phones used only for text messages with the phone’s native message apps
- Devices used only for Multi-Factor Authenticator apps and receiving MFA codes
Internet Service Provider Routers
For most employees who work from home or flexibly, their internet gateway will typically be the home router provided by their Internet Service Provider.
Cyber Essentials defines these devices as outside the scope of assessment. Organisations should instead manage the software firewall on each bring your own device, or configure a solution such as an always-on VPN so that the device's traffic passes through a company firewall.
Third-Party Organisations
Devices owned by a third-party organisation and used to access your business accounts and networks are not considered within the scope of Cyber Essentials.
However, any user accounts your company issues to allow third parties access to your devices and networks will still need to adhere to the assessment requirements.
While it is still recommended that any business verifies the security of third parties and their devices, doing so is outside the scope of Cyber Essentials.
Academic Environments
Within schools and universities, students are typically provided with accounts on an email platform and other services which are also used by the institution's staff. These services will often be accessed from the students' personally owned devices.
Within Cyber Essentials, students and their personally owned devices are considered out of scope for the assessment; however, the institution's staff, teachers and research assistants, and the devices they use, are regarded as in scope.
Cyber Essentials Technical Requirements For BYODs
Where BYODs form part of a company’s Cyber Essentials scope it is necessary to ensure they adhere to all necessary technical controls and are configured to meet the assessment requirements, which can include settings such as:
- Ensuring a software-based firewall is installed and always enabled on the device
- Keeping the operating system and installed software up to date with the latest security updates
- Maintaining separation between the standard account used day-to-day and an administrator account used only for specific administrative tasks
- Configuring device unlocking, such as through a password, PIN, or biometrics
- Implementing password controls, such as password length and complexity settings
- Defining brute-force protection, such as restricting the number of failed login attempts before the account is locked or throttled
- Disabling auto-run for removable media such as USB drives and for downloaded files
- Ensuring anti-malware software is installed, or an equivalent malware protection solution is configured
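As an added example (not part of the Cyber Essentials scheme or of the original article), the following PowerShell script audits a Windows 10/11 BYOD against the controls listed above and prints a pass/fail table. It uses only standard Windows cmdlets and registry locations; the thresholds (a 14-day patch window, lockout after at most 10 attempts, an 8-character minimum, a 15-minute inactivity lock, 7-day-old signatures) are this example's assumptions rather than values the article states, so replace them with your own policy. Run it in an elevated PowerShell session.

```powershell
# Added example: audit a Windows 10/11 BYOD against the Cyber Essentials
# technical controls. Not from the scheme or the original article.
# Run elevated. Thresholds below are this example's assumptions.

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# 1. Software firewall: every profile (Domain, Private, Public) must be enabled.
$profiles = Get-NetFirewallProfile
$off = @($profiles | Where-Object { $_.Enabled -ne 'True' })
Add-Result 'Firewall enabled on all profiles' ($off.Count -eq 0) `
    (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 2. Patching: the most recent installed update must fall inside the assumed 14-day window.
$os = Get-CimInstance Win32_OperatingSystem
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
$patchOk = [bool]$lastPatch -and ((Get-Date) - $lastPatch).TotalDays -le 14
Add-Result 'Security updates current' $patchOk `
    "$($os.Caption) build $($os.BuildNumber); last update installed $lastPatch"

# 3. Account separation: the logged-on console user must not be a local Administrator.
$consoleUser = (Get-CimInstance Win32_ComputerSystem).UserName
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name)
Add-Result 'Daily-use account is not an administrator' `
    ([bool]$consoleUser -and ($admins -notcontains $consoleUser)) `
    "Console user: $consoleUser; Administrators: $($admins -join ', ')"

# 4. Password length and brute-force protection, read from the local account policy
#    ('net accounts' output is English-locale; 'Never'/'None' are treated as 0).
$netAccounts = net accounts
function Get-PolicyNumber([string[]]$Lines, [string]$Label) {
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line -and $line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
}
$minLen  = Get-PolicyNumber $netAccounts 'Minimum password length'
$lockout = Get-PolicyNumber $netAccounts 'Lockout threshold'
Add-Result 'Minimum password length >= 8' ($minLen -ge 8) "Minimum password length: $minLen"
Add-Result 'Lockout after <= 10 failed attempts' ($lockout -ge 1 -and $lockout -le 10) "Lockout threshold: $lockout"

# 5. Device locking: a machine-wide inactivity limit set by policy (seconds).
$sysPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$timeout = [int]$sysPol.InactivityTimeoutSecs
Add-Result 'Screen locks within 15 minutes of inactivity' ($timeout -ge 1 -and $timeout -le 900) "InactivityTimeoutSecs: $timeout"

# 6. AutoRun: 0xFF disables AutoRun for every drive type; NoAutorun=1 ignores autorun.inf.
$explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$autorunOk = ([int]$explorer.NoDriveTypeAutoRun -eq 255) -and ([int]$explorer.NoAutorun -eq 1)
Add-Result 'AutoRun disabled for all drives' $autorunOk `
    "NoDriveTypeAutoRun=$($explorer.NoDriveTypeAutoRun) NoAutorun=$($explorer.NoAutorun)"

# 7. Anti-malware: Microsoft Defender with real-time protection, or a third-party
#    product registered with Windows Security Center.
$mp = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) { Get-MpComputerStatus }
if ($mp -and $mp.AntivirusEnabled) {
    $avOk = $mp.RealTimeProtectionEnabled -and ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays -le 7
    $avDetail = "Defender real-time=$($mp.RealTimeProtectionEnabled); signatures $($mp.AntivirusSignatureLastUpdated)"
} else {
    $av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $avOk = $av.Count -gt 0
    $avDetail = if ($av.Count) { $av.displayName -join ', ' } else { 'no anti-malware product registered' }
}
Add-Result 'Anti-malware installed and active' $avOk $avDetail

# Report: one row per control; the exit code is the number of failures so the
# script can feed an asset-list or compliance workflow.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) controls failed"
exit $failed
```

The account-separation check deliberately looks at the console user rather than the account running the script: when a standard user elevates through UAC, the elevated session belongs to the administrator account, so checking the script's own identity would always pass.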
Cyber Essentials Documentation Requirements for BYODs
In addition to the technical controls that need to be applied to each of the devices which access your organisational data, it is necessary to maintain a written policy for your device management.
When progressing through the Self Assessment Questionnaire (SAQ) for Cyber Essentials, there are several documentation and policy questions which will apply to both company owned devices and personal end user devices.
Asset List
As you complete the SAQ, it is necessary to list all of the devices included within the scope of assessment, with their make and operating system, and the router make and firmware version where applicable.
Maintaining a detailed asset list throughout the year is a simple way to answer this question, and also ensures your company holds a record of every device that can access its systems, which is invaluable if a security incident needs to be investigated.
Firewall Management
It is necessary to understand how each of your devices is protected by a firewall, whether that is a hardware firewall at the network boundary or a software firewall on the device itself.
Where BYODs are used for home or flexible working, the device's built-in software firewall is commonly relied upon.
While software firewalls are a suitable approach, there also needs to be a documented process for managing and configuring them.
This process can include defining which inbound connections the firewall allows and, for any hardware firewall you manage, changing the default credentials used to administer it.
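The following PowerShell is an added example, not from the original article, of what that process looks like on a Windows BYOD: it applies a baseline to the built-in firewall, then lists every enabled inbound allow rule so the rules can be compared against an approved list, and disables rule groups the device does not need. The block-inbound default, the logging path and the choice of 'Remote Desktop' and 'File and Printer Sharing' as unneeded groups are this example's assumptions about a home-working laptop. Run it in an elevated session.

```powershell
# Added example (not from the original article): apply and review a Windows
# software-firewall baseline on a BYOD. Run elevated. The defaults chosen
# below are this example's assumptions, not Cyber Essentials-mandated values.

# 1. Enable every profile, block unsolicited inbound traffic, allow outbound,
#    and log dropped packets so an incident can be investigated later.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Review what is still allowed in. Each enabled inbound Allow rule is an
#    exposure that should appear on your approved list.
$allowed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Group    = $_.DisplayGroup
            Profile  = $_.Profile
            Protocol = $portFilter.Protocol
            Port     = $portFilter.LocalPort
        }
    }
$allowed | Sort-Object Group, Rule | Format-Table -AutoSize

# 3. Disable rule groups this device does not need (assumed examples); re-run
#    step 2 afterwards and record the remaining rules against the asset list.
$unneededGroups = @('Remote Desktop', 'File and Printer Sharing')
foreach ($group in $unneededGroups) {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# 4. Confirm the profiles ended up as intended.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
```

Because the firewall state is what the SAQ asks you to describe, keeping the output of steps 2 and 4 alongside the device's asset-list entry gives you evidence for the assessment as well as a baseline to diff against after changes.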
Secure Configuration
For each device which is in scope, it is necessary to ensure it is configured to a secure standard, which includes removing unnecessary software and ensuring there is a known method to apply the Cyber Essentials technical controls.
As devices are confirmed to be configured to the required standard, they should be marked as compliant within your asset list.
Software Management
You need to maintain a record of the software installed on your BYODs, to ensure new software is approved before use and that all installed software is regularly updated.
As part of the Cyber Essentials SAQ you are required to list certain software, and the versions in use on your devices, such as:
- Internet Browsers
- Malware Protection software
- Email Applications
- Office Applications
Password Policy
Cyber Essentials outlines several requirements for a password policy that must be applied to all accounts and devices in scope for the assessment, and these apply equally to each BYOD within your scope.
In addition to password length and complexity requirements, it is also necessary to ensure any default accounts have been removed or disabled, and that there is a known method to change passwords when necessary, such as when responding to a security incident.
Account Management
As a matter of basic security hygiene, it is important to control which user accounts are created and have access to your organisational data.
Where accounts are created and issued to your users, they should be recorded so that there is a central register of which accounts are in use. This register is also useful when disabling or removing accounts if someone changes role or leaves the company.
Of particular importance, any administrator account used on your devices should be recorded and approved before being issued to a user.
This is harder with BYODs, because the device owner's everyday account is usually also the administrator account of the device.
However, it is necessary to maintain separation between the standard-privilege account used day-to-day and an administrator account used only to approve specific administrative actions.
In practice this usually means creating a second local account on the device so that everyday use and administrative privilege are segregated.
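As an added example (not from the original article), the PowerShell below performs that split on a Windows 10/11 BYOD with local accounts: it creates a dedicated administrator account, confirms it is in the Administrators group, and only then demotes the owner's everyday account to a standard user, finally emitting a record for the account register. The account names are placeholders; the password is requested interactively rather than embedded in the script. It assumes local (non-domain) accounts; for Entra ID-joined devices the equivalent change is made through the identity or MDM platform instead. Run it in an elevated session.

```powershell
# Added example (not from the original article): separate a BYOD owner's single
# administrator account into a daily-use standard account and a dedicated local
# administrator. Run elevated. Account names are placeholders.

$dailyUser = 'alice'        # the owner's existing, daily-use account (assumed name)
$adminUser = 'alice-admin'  # new account reserved for administrative actions (assumed name)

# 1. Create the dedicated administrator account. The password is prompted for so
#    it never lives in the script or the shell history.
$cred = Get-Credential -UserName $adminUser -Message "Set the password for $adminUser"
New-LocalUser -Name $adminUser -Password $cred.Password `
    -FullName "$dailyUser (admin)" -Description 'Local administrator for elevation only'
Add-LocalGroupMember -Group 'Administrators' -Member $adminUser

# 2. Verify the new administrator exists before demoting anything, so the device
#    is never left without a working administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -notcontains "$env:COMPUTERNAME\$adminUser") {
    throw "$adminUser was not added to Administrators; aborting before demotion"
}

# 3. Demote the daily-use account to a standard user, making sure it remains a
#    member of Users so it can still log on.
Remove-LocalGroupMember -Group 'Administrators' -Member $dailyUser
$users = Get-LocalGroupMember -Group 'Users' | Select-Object -ExpandProperty Name
if ($users -notcontains "$env:COMPUTERNAME\$dailyUser") {
    Add-LocalGroupMember -Group 'Users' -Member $dailyUser
}

# 4. Emit a record for the account register / asset list.
[pscustomobject]@{
    Device         = $env:COMPUTERNAME
    StandardUser   = $dailyUser
    AdminUser      = $adminUser
    Administrators = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
    Changed        = Get-Date -Format 'yyyy-MM-dd'
}
```

After the change, the owner keeps using their original account for everyday work and is prompted by UAC for the admin account's credentials only when an installation or configuration change genuinely needs them, which is exactly the separation the assessment is looking for.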
Conclusion
The Cyber Essentials assessment outlines the cybersecurity baseline for many organisations to adhere to, improving their overall security posture and reducing risks from the most common cyber attacks.
While avoiding BYOD within your business is generally recommended, it is possible to manage these devices so that they align with the assessment requirements and to maintain your organisation's certification.
For further guidance on the Cyber Essentials assessment process and procedures, and how to prepare your organisation for certification the following articles can be useful:
- Defining The Scope for Cyber Essentials
- Creating a Cyber Essentials Password Policy
- The Cyber Essentials Requirements
- The Cyber Essentials Plus Requirements
For further information on the Cyber Essentials assessment or where you have questions regarding different cybersecurity solutions, our consultants and cyber advisors are available to address any concerns you may have.