NCSC issues warning over ‘bring your own device’ IT policies

National cyber body updates guidance on use of employee-owned technology – a practice which proliferated during the pandemic
Free Photos/Pixabay

By Sam Trendall

14 Oct 2021

The National Cyber Security Centre has updated its guidance for organisations operating a ‘bring your own device’ (BYOD) initiative.

The updated recommendations come with a warning for businesses and public bodies: “You cannot do all your organisation's functions securely with just BYOD, no matter how well your solution may be configured.”

And before even reading the advice, organisations that have already “given BYOD users admin access to company resources” are instructed to “revoke that access immediately, then come back” to the guidelines.

The NCSC advises that BYOD, in this instance, is used to describe the professional use of computing devices that are both owned and managed by employees.

“If your users are happy to allow traditional full-device management of devices that they own… [this] will effectively make them corporately issued,” the centre said.

Prior to introducing any form of BYOD, it is advised to “determine what approach will best suit your organisation – if any”.

To help do so, the NCSC has outlined five main actions that should be undertaken, beginning with “determine your objectives, user needs and risks”.

As part of this process, organisations should consider whether using employee-owned devices is a stopgap measure or a long-term intention. Other issues to be considered are which business functions are likely to take part in any BYOD programme, and what kinds of devices will be involved.

The second action advised by the cyber body is to “develop the policy” for a BYOD scheme. Policies should be informed by considering what tasks will be performed on employee devices and what internal services will be accessed via external machines. Organisations should also question the extent to which their desired policy objectives are enforceable.

The third action advised by the NCSC is to “understand additional costs and implications”; this may include increased spending on support or new legal responsibilities.

The next step will be to consider “deployment approaches”. The NCSC guidance runs through the major benefits and drawbacks of five of the most widely used methods of adopting BYOD: access via web browser; virtual and remote desktops; bootable operating systems; mobile device management; and mobile application management.

The final action advised by the NCSC before green-lighting the use of staff devices is to “put technical controls in place”. This process will differ depending on what method has been chosen to enable access.

For example: for web browsers, controls are likely to include some form of multi-factor authentication, while a mobile device management approach may require device compliance monitoring and whitelists for new applications.

In a blog post announcing the new guidance, a senior platforms researcher at the NCSC said that, at the start of the coronavirus crisis, many organisations had adopted a “’just make it work’ mentality” to enabling BYOD that, while entirely understandable, had created some issues that now need addressing.

“Like so many other technology solutions, [BYOD] started out with a threatless utopian dream: work with the device of your choice to do what you need to, whenever and wherever,” the blog said “The problem is, modern technology, marvellous though it may be, is not invulnerable to cyberattack. In fact, threats are pretty much ubiquitous.”

It added: “BYOD solutions and approaches continue to evolve, with a lot of features and controls to help keep you and your organisation safe, whilst still enabling and empowering your employees. The catch is: BYOD needs to be done properly to be effective and secure. Our new guidance provides an overview of the technical controls that are available for the different types of BYOD deployments, so you can get this right.”

Sam Trendall is the editor of CSW's sister title PublicTechnology, where a version of this story first appeared.

Read the most recent articles written by Sam Trendall - Home Office asylum seeker ankle tag-monitoring pilot 'highly intrusive', watchdog finds

Share this page
Read next