Cyber Essentials and mobile devices
When it comes to Cyber Essentials, there is still a lot of confusion from applicants when it comes to what is in scope and what is out of scope for mobile devices. This blog post will hopefully answer any questions you have around this area.
When it comes to Cyber Essentials you must include all mobile devices which access your organisational data, for example Emails, documents, electronic documents and so forth, including Bring Your Own Devices (BYOD) as well. However, if you only use your mobile device for voice calls and two-factor authentication, then the devices are outside of scope of the Cyber Essentials scheme requirements.
The NCSC’s Cyber Essentials Requirements for IT Infrastructure guide goes through what is acceptable and what is not, make sure you review this document as part of your certification process.
So, what does this mean to you, the business, how can you ensure that you comply with the scheme and protect your business against possible data loss or incident? For all larger businesses which are over 50 employees, you must ensure that you protect your mobile devices through technical controls. Ideally this will be in the form of a Mobile Device Management (MDM) solution, such as Microsoft Intune, or Google Endpoint Management. This type of technical solution will not only help the business streamline their management of devices which will also likely already be integrated into the business in one way or another.
For smaller businesses which are 49 and under, you can manage and configure mobile devices through policies, however, we recommend that you also look to ensure that all devices are still managed with a MDM solution, if possible, as its easier for management, monitoring and generally configuring all your devices and will safe you time and effort in the long run.
But how do you ensure that your BYOD are protected and comply with the scheme? This is one of the bigger areas of conflict and concern when it comes to businesses. You must ensure that the personal device of the employee is managed via technical controls, usually through MDM as discussed above. This may cause backlash from the staff, but if handled correctly can be implemented accordingly. Or if that does not go down well, you may have to either offer business related phones, so they have a personal and work phone or simply they don’t access organisational data on their personal device.
Additionally with mobile devices you must also ensure that they are fully up to date, this means that at the time of writing, if you have an Android device it must be running at least Android 10, but ideally something more recent. If you are using iOS then you must be running the latest iOS version available.
You are not allowed to run beta versions of Operating Systems, so ensure that you are running the latest and greatest versions which are in beta before your assessment as you will be penalised for it.
When it comes to mobile devices you must also ensure that the devices only have the default Operating System and authorised trusted SSL certificates installed on the device, for example VPN trusted certificates.
The mobile devices must be supported by the manufacturer and must not be jailbroken or rooted when they are accessing organisational data. You must ensure that all devices are still receiving software updates.
And with that I hope that makes sense and helps you understand what you need to do for mobile devices and Cyber Essentials.