This blog post has been prepared in response to the large number of queries and concerns Jisc assessors have received about how bring-your-own device (BYOD) policies and implementations fit into the Cyber Essentials (CE) scheme.
CE is a Government-backed annual certification scheme setting out a range of basic security controls organisations should have in place to protect against the most common cyber attacks.
Like all security frameworks, CE is periodically reviewed and updated. Its requirements were last revised in January 2022. Additional controls were included to reflect changes in the risk landscape. This latest revision also clarified how personally owned devices used for work purposes under BYOD arrangements fit into the scheme.
Addressing the controls CE requires for BYOD deployments can be challenging for colleges and universities, as our related blog on jisc.ac.uk recognises. The provision of flexible access to teaching and learning across a wide range of devices has been a core endeavour for many years. BYOD was also necessary to maintain continuity during the recent pandemic.
However, the threat landscape has changed significantly in recent years, and the UK National Cyber Security Centre (NCSC) has updated its guidance in this area as a result.
To understand how BYOD fits into CE, it’s important first to understand some of the principles underpinning CE.
Scopes and sub-sets
CE relates to an organisation and its operations. It doesn’t just encompass networks and devices, but policies and procedures too. Think of CE as being like other organisational certifications, like Investors in People and ISO 9001. Networks and devices don’t achieve CE; organisations do. A CE application must include all the required information to demonstrate the required controls are in place.
The NCSC recommends that CE’s controls are applied as widely as possible, ideally across the entire organisation. This can be challenging though, so applicants can instead choose to certify a part of their organisation, such as an individual business unit or department, rather than its entirety. CE refers to this as a sub-set application.
The network or networks described in sub-set applications must be appropriately segregated from the rest of the organisation’s network or networks. This is to minimise the risk of an issue such as an unpatched vulnerability elsewhere in the organisation impacting on the certified department or business unit.
Applicants certifying against a sub-set scope should look to expand it in future to include more (and ideally all) of the organisation. As well as ensuring CE controls are applied as widely as possible, a whole organisation scope qualifies the applicant for free cyber liability insurance.
What devices are in scope for CE?
All devices owned and provided by the organisation and encompassed by the scope of the application must be declared, alongside any personally owned devices used by staff via BYOD implementations to access organisational services and data.
For sub-set applications, this means the devices used by the business unit or department will be in scope, along with any personally owned devices used by the staff of the business unit or department to access organisational services and data.
It doesn’t matter how devices access organisational services and data. Any device that does so is in scope, whether this is via the organisation’s network or entirely independently of it, for example, via a residential or mobile broadband connection.
CE does allow educational organisations to exclude student-owned devices from scope, provided their access is via a separate, appropriately segregated network. Devices owned and managed by the institution and used by students, such as in a computer lab, will be in scope unless appropriately segregated from the networks described in a sub-set application.
Educational institutions can still achieve whole organisation certification for CE if access from student-owned devices is segregated in this way. The application must encompass all their other networks, devices and operations though. This will also qualify the institution for the free cyber liability insurance mentioned previously.
What constitutes “organisational services and data”?
These are described in the CE requirements as any services, applications or electronic data belonging to the applicant organization.
Examples include emails, office documents, database data, financial data, web applications and Microsoft Office 365 or Google Workspace accounts.
A useful rule of thumb is that, if staff use a device to access their email, it will be in scope for assessment and the CE controls will need to be applied.
If a device is only used in an organisational context as a second factor for authentication (for example, to receive a passcode via SMS, or to generate a passcode from an authenticator app), it is not in scope, as there is no access to organisational data or services.
What device controls does CE require?
CE requires that all devices in scope (laptops, desktops, servers, smartphones and tablets) are currently supported and are running an up-to-date operating system. This is to ensure that all previous and any newly identified vulnerabilities are addressed via patches and updates released by manufacturers and developers.
This is important because we know that attackers can – and frequently do – exploit unpatched or obsolete devices and systems (for which no further patches or updates will ever be issued) via the internet to gain access to networks and services. The NCSC recommends that the only fully effective way to mitigate the risks from obsolete devices is to stop using them.
Applicants must provide evidence that all in-scope devices in use at the time of the application are currently supported. This must be in the form of a summarised inventory included with the application, listing make, model and operating system for each device to confirm all are still currently supported. The inventory should include these details for all corporately provided and personally owned devices in use at the time of the application. Personal information about device users is not required. The inclusion of any unsupported devices will result in automatic failure of the application, whether the unsupported device(s) is/are corporately provided or personally owned.
The security disciplines underlying these requirements are asset management – having visibility of and being able to identify the technologies and systems currently in use across an organisation, and vulnerability management – making sure devices and systems are protected throughout their lifecycle.
Why does CE require these controls?
Attackers don’t care if a device is personally owned or corporately provided – they’re just looking to exploit whatever’s available and vulnerable. The rules around device management have been updated because there is an increasing likelihood that attackers will target end-user devices.
Two recent threat reports issued by the NCSC focus on the risks from both application stores (which can be used to distribute malware) and end user devices generally, noting that “due to the increased number of personal devices connected to enterprise networks, it is likely these devices will be targeted to gain access to the enterprise network”.
Threats have increased significantly in the many years since organisations first started implementing BYOD initiatives (which, in many cases, was before smartphones and tablets even existed). The NCSC’s view is that approaches to providing access to personally owned devices have not kept pace with the threat landscape and need to be updated to be effective and secure.
What are the options for achieving CE?
Going forwards, organisations have three options for achieving and maintaining CE, all of which bring their own challenges and issues:
- Continue to provide access to personally owned staff devices. This will require measures to track and list device details, enforce compliance and manage access. The NCSC expects that the controls necessary to manage access from mobile devices are applied through technical means. Only small organisations (<50 staff) should seek to apply the CE controls via policy, guidance and training with no technical controls.
- Stop providing access to personally owned staff devices. Colleges and universities could give all staff that require mobile access a corporately procured and managed device. This gives a greater level of control over device specification, configuration and use. Corporately provided devices should also already be encompassed by the organisation’s existing asset management policies and procedures.
- Seek certification against a sub-set scope, rather than for the whole organisation. This does not negate the requirement to provide inventory details for and manage any personally owned staff devices in use within the sub-set. However, focusing on part of rather than the whole organisation reduces the scale of this task.
Clearly these approaches are not necessarily mutually exclusive: you could seek certification for a sub-set, where you cease BYOD access for the staff in the sub-set (for example, for a finance or HR team), but maintain it for the rest of the organisation, so long as the network or networks used by the sub-set are appropriately segregated.
When considering option three, bear in mind the NCSC’s strong recommendation that the CE controls should be applied as widely as possible, and ideally to the whole organisation. If going down this route, plan how to extend the coverage of your CE certification in future, to strengthen the organisation’s overall security posture.
To help members achieve CE and CE+, Jisc runs a free monthly Cyber Essentials drop-in clinic. Members can also contact email@example.com for more information about the range of support Jisc provides for CE.