Cyber Essentials Plus is one of the most sought-after certifications designed to test your organisation's cybersecurity posture. It involves bringing in an expert cybersecurity consultant to run a detailed vulnerability assessment, testing that the organisation is properly protected against those with malicious intent. A pass results in a badge of excellence for the next 12 months, which can be proudly displayed on a website, attached to an email signature or even tattooed on your skin (although you might regret it if you fail to recertify). Sounds easy, right?
The first part of most certifications is setting the scope: what are we certifying against? Is it the whole company? Is it a certain office or department? Then we look at what assets sit within that environment. Fundamentally, when deciding what's in scope, we can go back to the two reasons a device can be out of scope: either it doesn't process company data, or it doesn't connect to the internet.
It's 2020 and we're far more connected than we were 10 years ago, and no, I'm not talking about being more open with our feelings. I'm referring to the Internet. We're no longer held back by dial-up, screaming downstairs to your mum as you get disconnected from the internet, watching your RuneScape window crash because the phone rang and she selfishly answered it (sorry to anyone born after the year 2000).
Mobile devices! That's how we're all connected. We all have them, we all use them daily, and our lives are on them, not just our personal lives but our work lives too. Whether we have a work phone or a personal phone, this data is constantly available at our fingertips, and organisations must manage and protect it effectively. Mobile devices and how they are managed is becoming an increasingly popular topic of conversation when performing a gap analysis for Cyber Essentials Plus. Why? For a plethora of reasons. Usually it's a knowledge gap: the organisation is not aware of all its options, so it is not sure where best to start. This is especially true where there is an ever-growing number of personal devices with access to organisational data, since requesting access to personal devices would likely lead to more issues and a disgruntled workforce.
No data should ever be left unprotected, particularly organisational data that we can access from mobile devices as we roam around connecting to a variety of networks, including the unprotected one in your local coffee shop. Managing these devices isn't always a simple task, but it is crucial nonetheless and necessary to achieve Cyber Essentials Plus.
There are various ways we can go about protecting this data; the ideal solution will depend on whether the devices are company devices, the number of users and the capabilities of your organisation. Let's run through some of the solutions.
What techniques can I use to manage this risk?
Paper Policy – this is a simple way of rolling out set standards, whether the devices are company-owned or personal. The organisation produces a written policy that states the best practices a user must follow when using company devices or accessing applications that access company data. This can include a variety of terms such as:
- Password Requirements (how long the password is, how many unique characters/numbers/symbols, how often it has to be changed)
- Use of multi-factor authentication (MFA)
- When updates must be installed by
The challenge is that there is no way of checking whether the user is following these terms without physically checking their phone, which becomes complicated with personal devices. During a Cyber Essentials Plus audit, one or several user devices may be selected for assessment; if a device doesn't meet the policy terms that satisfy the Cyber Essentials Plus standards, you would fail the audit.
Mobile Device Management (MDM) – a much larger, more expensive solution, but invaluable in its capabilities. MDM configurations can be deployed that operate in line with the Cyber Essentials Plus standards, additionally giving the organisation a great level of control over company devices. This can ensure updates are rolled out on time, only safe and necessary applications are installed, only secure connections are used, data is transported effectively and more. This approach has limitations: it works effectively when company-owned devices have been rolled out, which is expensive in itself, but not so well with personal devices. I'm sure most employees don't want to grant any organisation access to and full control over their devices.
Mobile Application Management (MAM) – I like to see this as a happy middle ground for both organisations and their workforce; it works well with both company-issued and personal devices. Instead of having control over the entire device, the organisation manages how the applications that have access to company data, such as email and cloud storage, are used.
This can include the security measures that have to be in place for the user to access company data, such as a strong 6-digit PIN, multi-factor authentication and installing updates. Again, this comes with its own issues: is the user happy with these requirements? Generally, with most modern phones a 4-6-digit PIN alongside biometrics is already a minimum requirement to gain access to the device. However, other forms of multi-factor authentication are not so familiar, so users may not understand them and therefore require training from the organisation, or they may simply not want this application on their phone. If not, they simply can't access this data. The reason for a user not being happy with this is important too; it could be that they just don't want anyone other than themselves having access to their device in any form, which is fair.
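The paper policy terms above (PIN length, MFA, update deadlines) only become checkable once an MDM or MAM agent reports device state back to you. The following is an added illustration, not code from the original post or from any MDM/MAM product: a constructed device inventory evaluated against those terms, the way an auditor sampling devices would see it. The 14-day update deadline and the report fields are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy terms taken from the post: minimum PIN length, MFA, and an update deadline.
MIN_PIN_LENGTH = 6
UPDATE_DEADLINE_DAYS = 14  # assumed: updates must be installed within 14 days of release


@dataclass
class DeviceReport:
    """State an MDM/MAM agent might report for one enrolled device (constructed fields)."""
    name: str
    pin_length: int                     # length of the unlock PIN (0 = no PIN set)
    mfa_enabled: bool                   # MFA enforced on the managed apps
    pending_update_released: Optional[date]  # release date of oldest uninstalled update


def check_device(report: DeviceReport, today: date) -> List[str]:
    """Return the policy terms this device fails; an empty list means compliant."""
    failures: List[str] = []
    if report.pin_length < MIN_PIN_LENGTH:
        failures.append(f"PIN shorter than {MIN_PIN_LENGTH} digits")
    if not report.mfa_enabled:
        failures.append("MFA not enabled")
    if report.pending_update_released is not None:
        age = today - report.pending_update_released
        if age > timedelta(days=UPDATE_DEADLINE_DAYS):
            failures.append("update overdue")
    return failures


def audit_sample(reports: List[DeviceReport], today: date) -> Dict[str, List[str]]:
    """Map device name -> list of failed terms, as an audit sample would show it."""
    return {r.name: check_device(r, today) for r in reports}


# Constructed sample inventory and audit date.
TODAY = date(2020, 6, 1)
SAMPLE = [
    DeviceReport("corp-1", pin_length=6, mfa_enabled=True, pending_update_released=None),
    DeviceReport("personal-2", pin_length=4, mfa_enabled=False,
                 pending_update_released=date(2020, 5, 1)),   # 31 days old: overdue
    DeviceReport("corp-3", pin_length=6, mfa_enabled=True,
                 pending_update_released=date(2020, 5, 25)),  # 7 days old: still in window
]

if __name__ == "__main__":
    for name, failures in audit_sample(SAMPLE, TODAY).items():
        print(name, "PASS" if not failures else "FAIL: " + ", ".join(failures))
```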
Some staff may still not want to use their own device for accessing corporate systems, as heavy use for work may reduce its life expectancy, or they may feel that compensation is due, or that a company mobile is required, if the phone were to break and the user felt work tasks were partially the reason. This is why it is important that with mobile devices we make sure we've considered all options.
Remove Mobile Device Access – if we can't find a way to secure the data on mobile devices, you will need to restrict access from these devices. Doing this means the device is now out of scope and won't affect Cyber Essentials Plus certification.
So, there it is; hopefully this gives a clearer view of how mobile devices can be managed to work in line with Cyber Essentials Plus requirements. Mobile Device Management is always going to provide the highest level of control, but Mobile Application Management may provide a better middle ground, or the organisation can provide devices to those who need access. If the users are not happy with the organisation securing their devices, or the above options are impractical for the organisation, we make the workplace feel like we're part of the Flintstones and provide no access. These decisions ultimately come down to the organisation, and as always it is important to consider the options.