BYOD 2.0: Meeting the New Cyber Essentials Requirements
Part of Government Communications Headquarters, the National Cyber Security Centre (NCSC) recently revised its approach to its Cyber Essentials scheme with emphasis on how UK firms of all sizes and all sectors must revisit their post-pandemic “Bring Your Own Device” or BYOD policies. Let’s explore what the changes mean and what steps firms should take to ensure they are fully equipped for today’s hybrid work world.
Cast your mind back to 2014. Though it wasn’t so long ago, it may as well have been dog years when you consider how much has happened in that time. To keep up with the numerous technical and societal changes that have occurred since the NCSC launched its Cyber Essentials requirement eight years ago, the government agency has made some revisions.
These changes apply to the use of cloud services, as well as home working, multi-factor authentication, password management and security updates — all of which are of increasing concern in today’s new hybrid world. But one of the biggest changes pertains to its updated BYOD requirement:
“In addition to mobile or remote devices owned by the organization, user-owned devices which access organizational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).”
This indicates the NCSC is acknowledging that hybrid work is here to stay and that we need a more strategic approach to replace the quick fixes that were hurriedly employed during the pandemic. It has also led some publications to label the change “BYOD 2.0,” because when the NCSC says hybrid it doesn’t just mean a few days at home and a couple in the office.
Of course the office/home split is a big part of it, but hybrid also covers the type of device used (personal, corporate or both) and what it is running (Android, iOS or any number of other operating systems). It is a pretty major mindset shift to ensure that all of these mix-and-match approaches have the same level of security that user devices had in the past, when they were managed through centralized administration that ensured consistency across the organization, aka the “castle and moat” approach to network security.
For the public sector, a Cyber Essentials Certification is often a requirement for organizations working on UK government contracts. But following these guidelines is not just important from a compliance point of view; it also makes good business sense. Cyber liability insurance costs are rising, so anything firms can do to keep their premiums in check, such as employing additional BYOD security measures, will surely be beneficial. Additionally, with the UK becoming the second-fastest-growing freelance market, third-party access to corporate systems will inevitably rise. Finally, but in a similar vein, it simply isn’t practical in terms of total cost of ownership to issue corporate-owned devices to contractors, students, suppliers and other third parties — especially when the majority of these people will be carrying around perfectly fit-for-purpose devices in their pockets.
While the majority of these drivers are characteristic of recent times, objections to some BYOD approaches remain the same, chief among them concerns that device enrollment can lead to a lack of privacy and increasingly complex IT support requirements. This is best exemplified by traditional mobile device management (MDM) solutions, which security practitioners have turned to for over a decade to secure remote and personal mobile devices. There is still widespread skepticism among users about allowing MDMs on personal devices, driven by the concern that admins can glean personal information and control how they use their devices. This level of rigidity and invasiveness is something that many employees are simply not OK with. But how do you minimize the risks associated with a BYOD programme without an MDM solution?
What we need is a fresh approach, befitting BYOD 2.0, that combines two-factor authentication and device insight with single sign-on (SSO) capabilities that support every device and OS. It should also be user-centric, with the ability for self-remediation, and take an agentless approach that collects only security information about devices. With this functionality, organizations can ensure that users are who they say they are, and that their devices are secure enough to access business applications — all with one single login. To find out more, contact us today.