NCSC warns organisations: ‘You cannot perform all functions securely with just BYOD’

Written by Sam Trendall on 11 October 2021 in News

National cyber body updates guidance on use of employee-owned technology – a practice which proliferated during the pandemic


The National Cyber Security Centre has updated its guidance for organisations operating a ‘bring your own device’ (BYOD) initiative.

The updated recommendations come with a warning for businesses and public bodies: “You cannot do all your organisation's functions securely with just BYOD, no matter how well your solution may be configured.”

And before even reading the advice, organisations that have already “given BYOD users admin access to company resources” are instructed to “revoke that access immediately, then come back” to the guidelines.

The NCSC advises that BYOD, in this instance, is used to describe the professional use of computing devices that are both owned and managed by employees. 

“If your users are happy to allow traditional full-device management of devices that they own… [this] will effectively make them corporately issued,” the centre said.

Prior to introducing any form of BYOD, companies are advised to “determine what approach will best suit your organisation – if any”.


To help do so, the NCSC has outlined five main actions that should be undertaken, beginning with “determine your objectives, user needs and risks”.

As part of this process, organisations should consider whether using employee-owned devices is a stopgap measure or a long-term intention. Other issues to be considered are which business functions are likely to take part in any BYOD programme, and what kinds of devices will be involved.

The second action advised by the cyber body is to “develop the policy” for a BYOD scheme. Policies should be informed by considering what tasks will be performed on employee devices and what internal services will be accessed via external machines. Organisations should also question the extent to which their desired policy objectives are enforceable. 

The third action advised by the NCSC is to “understand additional costs and implications”; this may include increased spending on support or new legal responsibilities.

The next step will be to consider “deployment approaches”. The NCSC guidance runs through the major benefits and drawbacks of five of the most widely used methods of adopting BYOD: access via web browser; virtual and remote desktops; bootable operating systems; mobile device management; and mobile application management.

The final action advised by the NCSC before green-lighting the use of staff devices is to “put technical controls in place”. This process will differ depending on what method has been chosen to enable access.

For example: for web browsers, controls are likely to include some form of multi-factor authentication, while a mobile device management approach may require device compliance monitoring and whitelists for new applications.

In a blog post announcing the new guidance, a senior platforms researcher at the NCSC said that, at the start of the coronavirus crisis, many organisations had adopted a “‘just make it work’ mentality” to enabling BYOD that, while entirely understandable, had created some issues that now need addressing.

“Like so many other technology solutions, [BYOD] started out with a threatless utopian dream: work with the device of your choice to do what you need to, whenever and wherever,” the blog said. “The problem is, modern technology, marvellous though it may be, is not invulnerable to cyberattack. In fact, threats are pretty much ubiquitous.”

It added: “BYOD solutions and approaches continue to evolve, with a lot of features and controls to help keep you and your organisation safe, whilst still enabling and empowering your employees. The catch is: BYOD needs to be done properly to be effective and secure. Our new guidance provides an overview of the technical controls that are available for the different types of BYOD deployments, so you can get this right.”

 

About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.
