5 Actions to Comply with NCSC’s New BYOD Rules
We recently explored on this blog the National Cyber Security Centre’s (NCSC) newly revised Cyber Essentials scheme, and how its specific post-pandemic “Bring Your Own Device” policies have led some publications to label the change “BYOD 2.0.”
The NCSC has provided a lot of guidance regarding what it’s looking for from UK firms of all sizes and sectors. Because the changes are so vast — and because we like to share our own cybersecurity expertise with the market — in this blog we’re delving deeper into what you need to do to choose and implement the right solution, in the right way, using the five actions outlined by the NCSC as a starting point.
The NCSC’s first action is about asking a comprehensive list of BYOD readiness questions, including what business functions you need to achieve, what types of devices and platforms you intend to support working from, and where BYOD devices will be used. Crucially at this stage, the NCSC also urges firms to take an honest view of just how long BYOD plans need to be in place, because “short-term solutions often start with the right intentions but can rapidly become long-term implementations that are not fit for purpose and difficult to remove.”
Before we get to the NCSC’s second step, we want to provide additional guidance to ensure firms get the best possible start. It’s important for all firms to have an accurate understanding of the number of devices in their ecosystem. In our experience, the real number is often double what they originally thought!
Once all devices are known, you must understand the inventory and identify the status and vulnerabilities of those devices without being intrusive to your users. Firms should consider a solution that collects only security information about devices: the less personal data collected, the better. An “agentless” approach to establishing a device’s security posture is the best way to do this. It should be paired with a solution that gives visibility of every device accessing your systems and applications, so that the IT admin’s dashboard provides a comprehensive, global view of all end user devices in one place: managed devices, unmanaged devices, Windows, Mac, iOS, Android, ChromeOS and more.
The second action is to address questions that clarify and communicate responsibilities from both the organizational and employee perspectives. Identify what employees can or can’t do on their own devices, which services (and which data within those services) will be exposed to personal devices, and how much control you need, weighed against how much control you’re willing to grant.
A key consideration here: Once the policy has been created and developed, firms need to enforce those policies with technical controls, which we will address further under Deployment Approaches.
In its third action, the NCSC flags the additional costs and implications associated with a BYOD policy, including increased support costs, increased reliance on procedural controls, potential legal issues, and potential data loss. This action point then explains how strong user authentication methods, together with risk-based authentication and access control, are two of the most effective ways to curb the risk of this data loss taking place. You can learn more about this topic in Duo’s Two-Factor Authentication Evaluation Guide.
Another way you can manage additional costs is by taking advantage of a self-remediation function as part of a BYOD solution. For example, rather than relying on a single button that someone else pushes to update their operating system, users receive a prompt to bring their own device up to date. This has two advantages: by allowing users to take matters into their own hands, rather than relying on your helpdesk, you reduce total cost of ownership; and the approach puts emphasis on individual security hygiene, which helps your whole team adopt a security mindset.
There are several approaches to BYOD, and in the fourth action point the NCSC gives a comprehensive overview and assessment of the strengths and weaknesses of each, including:
Web Browsers: Simple access to corporate data through a web browser. There is thorough guidance around this “simple and versatile access option” on the NCSC website, but we would also add that if you follow this deployment method, you should consider incorporating a trusted endpoints feature. This distinguishes managed endpoints from unmanaged endpoints when they access browser-based applications, and allows firms to apply policies such as blocking access to particular applications from systems that aren’t managed.
Virtual Desktop Infrastructure (VDI)/Remote Desktop/Remote Apps: Users are provided an interactive view of a corporate desktop environment with a suite of applications defined and managed by the organization.
Bootable OS: Bootable managed corporate environment.
Mobile Device Management (MDM): A user grants the enterprise a degree of control and management over the device and its settings.
Mobile Application Management (MAM): A user manages all aspects of the device except for work applications, which are held in a container on the device and managed by the organization.
Hybrid Approaches: Some vendors provide a hybrid of MDM and MAM. Typically, these have become a part of an MDM, Unified Endpoint Management or Endpoint Mobility Management suite of tools.
We would also add two more deployment approaches that are not included on the NCSC’s list:
Web Browsers + Single Sign-On (SSO): Secure SSO to corporate defined applications through an SSO portal, providing access only to applications relevant to job roles and minimizing multiple user logins.
VPN-less Access: Secure peer-to-peer segmented access to corporate defined applications via reverse proxy controlled by policy.
The NCSC’s fifth and final action point rounds off the list with comprehensive advice to ensure that whichever deployment approach you take is the right tool for the job. In support of the two additional deployment options we mentioned, we offer guidance to help ensure they’re put in place as effectively as possible.
If your company pursues the Web Browsers + SSO or VPN-Less Access deployment approach, you should factor in the following control measures:
Strong authentication, at least MFA.
Provide access only to applications based on roles and privileges.
Control device security posture with policy and behavior based access controls. Track versions of operating systems, browsers and plug-ins, as well as information about tampered devices, encryption and malware protection.
Block access to corporate applications on compromise detection.
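The four control measures above (MFA, role-based application access, posture-based access control with self-remediation, and blocking on compromise), together with the trusted-endpoint distinction and the “collect only security information” point made earlier, can be expressed as one small access-policy evaluator. The following is an added example written for this post; it is not Duo’s product code or an NCSC artefact. All field names, minimum versions, role entitlements and sample devices are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"          # authentication, role and posture checks all pass
    REMEDIATE = "remediate"  # access granted, but the user is prompted to self-remediate
    BLOCK = "block"          # hard failure: no access to the application


# Allow-list of the posture attributes the access service keeps. Anything else a
# device reports (owner name, location, personal apps) is dropped before evaluation,
# which is the "collect only security information" principle in practice.
POSTURE_FIELDS = {
    "device_id", "platform", "os_version", "browser", "browser_version",
    "managed", "tampered", "disk_encrypted", "malware_protection", "compromised",
}

# Minimum versions. Constructed for this example, not NCSC or vendor baselines.
MIN_OS = {"windows": "10.0.19045", "macos": "13.0", "ios": "16.0", "android": "13"}
MIN_BROWSER = {"chrome": "120.0", "edge": "120.0", "firefox": "120.0", "safari": "17.0"}

# Role-based entitlements (least privilege) and the applications that may only be
# reached from a managed, trusted endpoint. Also constructed.
ROLE_APPS = {
    "finance": {"email", "erp"},
    "engineering": {"email", "git", "ci"},
    "contractor": {"email"},
}
MANAGED_ONLY_APPS = {"erp", "ci"}


@dataclass
class Decision:
    verdict: Verdict
    reasons: list = field(default_factory=list)


def minimise(raw: dict) -> dict:
    """Keep only the security posture fields from whatever the device reported."""
    return {k: v for k, v in raw.items() if k in POSTURE_FIELDS}


def version_tuple(version: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(raw_posture: dict, role: str, app: str, mfa_verified: bool) -> Decision:
    """Apply the baseline controls in order: MFA, compromise/tamper detection,
    least-privilege entitlement, trusted-endpoint requirement, then the softer
    posture checks that only trigger a self-remediation prompt."""
    posture = minimise(raw_posture)

    if not mfa_verified:
        return Decision(Verdict.BLOCK, ["strong authentication (MFA) not completed"])
    if posture.get("compromised") or posture.get("tampered"):
        return Decision(Verdict.BLOCK, ["device reported as compromised or tampered"])
    if app not in ROLE_APPS.get(role, set()):
        return Decision(Verdict.BLOCK, [f"role '{role}' is not entitled to '{app}'"])
    if app in MANAGED_ONLY_APPS and not posture.get("managed", False):
        return Decision(Verdict.BLOCK, [f"'{app}' is only available from managed endpoints"])

    reasons = []
    platform = str(posture.get("platform", "")).lower()
    os_version = posture.get("os_version")
    min_os = MIN_OS.get(platform)
    if min_os and (not os_version or version_tuple(os_version) < version_tuple(min_os)):
        reasons.append(f"OS {os_version} is below minimum {min_os}; please update")
    browser = str(posture.get("browser", "")).lower()
    browser_version = posture.get("browser_version")
    min_browser = MIN_BROWSER.get(browser)
    if min_browser and (not browser_version
                        or version_tuple(browser_version) < version_tuple(min_browser)):
        reasons.append(f"{browser} {browser_version} is below minimum {min_browser}")
    if not posture.get("disk_encrypted", False):
        reasons.append("disk encryption is not enabled")
    if not posture.get("malware_protection", False):
        reasons.append("no malware protection detected")

    return Decision(Verdict.REMEDIATE if reasons else Verdict.ALLOW, reasons)


# Constructed sample devices; the extra personal fields on the laptop show minimisation.
SAMPLE_DEVICES = {
    "managed_laptop": {"device_id": "d-001", "platform": "Windows", "os_version": "10.0.19045",
                       "browser": "edge", "browser_version": "121.0", "managed": True,
                       "tampered": False, "disk_encrypted": True, "malware_protection": True,
                       "compromised": False, "owner_name": "A. Person", "location": "home"},
    "personal_phone": {"device_id": "d-002", "platform": "Android", "os_version": "12",
                       "browser": "chrome", "browser_version": "120.0", "managed": False,
                       "tampered": False, "disk_encrypted": False, "malware_protection": False,
                       "compromised": False},
    "rooted_phone": {"device_id": "d-003", "platform": "Android", "os_version": "14",
                     "browser": "chrome", "browser_version": "121.0", "managed": False,
                     "tampered": True, "disk_encrypted": True, "malware_protection": True,
                     "compromised": False},
}

if __name__ == "__main__":
    for name, device in SAMPLE_DEVICES.items():
        for role, app in (("finance", "erp"), ("finance", "email"), ("contractor", "git")):
            d = evaluate(device, role, app, mfa_verified=True)
            print(f"{name:15} {role:12} {app:6} -> {d.verdict.value:9} {'; '.join(d.reasons)}")
```

The ordering matters: hard failures (no MFA, compromise, no entitlement, unmanaged device on a managed-only app) return a block immediately, while out-of-date software or missing encryption only produce a remediation prompt, which is the self-remediation flow described earlier rather than a helpdesk ticket.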
However you deploy BYOD, there are several fundamental controls that you should implement as a baseline, like strong authentication (MFA), device posture control, least privilege role-based access to applications, and the ability to correctly identify trusted devices.
If you would like more advice on how to comply with the NCSC Cyber Essentials scheme, or any more information on cybersecurity concerns, please contact us.