The National Cyber Security Centre (NCSC) has warned organisations that they cannot perform all their functions securely when allowing staff to use their own devices for work.
It has emphasised the point in publishing an updated version of its guidance on cyber security under a ‘bring your own device’ (BYOD) approach.
Senior platforms researcher Luna R commented in an accompanying blogpost: “You cannot do all your organisation’s functions security with just BYOD, no matter how well your solution may be configured.
“If you’ve given BYOD users admin access to company resources, revoke that access immediately, then come back.”
The guidance involves a series of actions, beginning with determining the organisation’s objectives, user needs and risks. The latter include the device having had a previous life which means it may not report accurately on its state of health for security purposes. It also comes with workers using it for other purposes.
The second action is to develop the policy, first by establishing its goals then determining the controls available.
Third is to understand additional costs and implications, with need to support a greater number of types of devices, keeping multiple operating systems patched, extracting audit logs and monitoring the operating systems, and responding to security incidents across a variety of devices and systems.
Fourth is to assess deployment approaches for different technologies – such as web browsers and virtual desktop infrastructure – and fifth to put technical controls into practice.
These are supported by 12 security principles as a basis for the configuration of specific devices.
Flesh wounds
Luna R said that BYOD relieved the pressure on some organisations during the Covid-19 lockdown, and that a few “flesh wounds” were justified in rushing it into use. But the time has come to deal with the wounds and there is a need to undo quick fixes and start afresh.
She also said that while the technical controls in the guidance are similar to those applied in zero trust architecture – principles for which were published during the summer by NCSC – it does not mean that if an organisation has it in place that it is ready for BYOD deployments.
“Zero trust is maturing (quickly), but in its current state there are still challenges to overcome before it can be considered suitable for everything and everyone,” she said.
“Remember, BYOD is complex, so take your time.”
Image from iStock, izusek
