Submitted by Antony Savvas on May 17, 2021

The IASME Consortium that oversees Cyber Essentials assessment and certification has put updated requirements into effect that all MSPs and their clients operating in the UK need to be aware of.
As the UK government’s cyber security standard, the Cyber Essentials certification process empowers organisations to demonstrate robust capabilities for securing sensitive data and systems.
While the technical controls for Cyber Essentials certification haven’t changed dramatically, IASME has now clarified its requirements to ensure organisations have up-to-date protections against the most common and current data breach threats.
Chief among these changes is that employee-owned bring your own device (BYOD) hardware able to access or store company data is now firmly within the scope of Cyber Essentials security controls.
With this change, every MSP responsible for clients’ data security must take immediate steps to secure all BYOD devices in use within those organisations. Importantly, this means securing not just all phones and tablets with access to company data, but all USB data storage devices as well.
IASME identifies BYOD devices as “probably the biggest risk to any company,” and rightfully so. In scenarios where an employee-owned device able to access sensitive company or customer information is lost, stolen or otherwise compromised, the company is at severe risk of suffering a data breach.
Where mobile and BYOD devices previously fell into a grey area of the Cyber Essentials certification scheme, they can no longer be ignored. The update now offers absolute clarity: MSPs and their clients must address the current state of device usage and related risks in order to operate in line with Cyber Essentials compliance requirements.
This means that if a mobile phone is used solely for phone calls and text messages as well as receiving two-factor authentication (2FA) codes, it is not in scope. However, as soon as that device is used for accessing organisational email or any other organisational data, it would come into scope.
There are several models and a total soup of acronyms for approaches to an IT strategy catering to the use of personal devices in addition to the tried-and-true BYOD, such as CYOD (choose your own device), COPE (company owned/personally enabled) and COBO (company owned/business only), plus a few more that largely relate to enterprise-scale mobility.
These are challenged by the fact that nobody wants to carry two phones, nor do smaller businesses want the costs of owning these fast-ageing assets. At the same time, employees might resist employers controlling their device, fearing snooping and access to their personal communications.
It is not all doom and gloom for MSPs wanting to assist their smaller customers, as SMBs need not burden themselves with the complexity or sophistication of enterprise mobility, containerisation, and the like, but can instead implement a strategy that works for them. This gives rise to a model we at Beachhead call POBS (personally owned/business secured) - whereby the balance is weighted towards whole device security rather than granular device control, segmented data access, total oversight and user tracking. The POBS model provides for reasonable measures to protect the data on the device.
MSPs should seek out and adopt mobile device management (MDM) capabilities that they can easily deploy to protect client-owned and employee-owned BYOD mobile phones, tablets and USB storage devices. These mobile device security protections must be enforced remotely, and should be simple for MSPs to implement and manage.
An MSP’s MDM strategy should also be seamless and unobtrusive from the client perspective, to the degree of being functionally invisible to employees so that they can perform their duties unencumbered by any security overhead.
At the same time, all data accessible from or residing on mobile devices must be protected by encryption. MSPs must be capable of remotely revoking access and deleting data from any device that becomes compromised. Most important, though, is for employers to obtain buy-in from employees. That means the security app used by the MSP should be non-invasive and not overly controlling of the user-owned device, and should be deployed with transparency and disclosure to users about the permissions and security being enforced on their personal device.
Durgan Cooper, CEO of CETSAT, a UK-based MSP, explains that with this new angle, cyber insurance will “most certainly evolve to focus on the potential losses incurred through compromise of non-company owned equipment - and insurers are likely to increasingly determine that loss of corporate data on such devices constitutes wilful negligence”.
Cyber Essentials also calls for MSPs to maintain an understanding of precisely where a client’s data resides, and to manage all devices, BYOD or otherwise, that have access to the client’s network and services. So, maintaining an audit of the devices becomes an important factor here as well.
Finally, the Cyber Essentials update has expanded user access control requirements to include all third parties with access to a certifying organisation’s data and services. This means that MSPs themselves are now decisively in scope for Cyber Essentials account controls and security requirements.
The clarification comes as MSPs are increasingly the targets of cyber attackers. Attackers have realised that a successful data breach against an MSP, exposing the data of multiple client companies at once, is far more efficient than attacking those clients one at a time. MSPs must now be certain to take their own medicine and ensure that the layered device security and data access controls they provide to clients are also applied across their own organisations.
Cooper added: “There have been many examples - which have been increasing recently - where supply chain attacks have been a successful attack vector into a target organisation. We have seen a number of compromises of our peers’ environments over the past year which have significantly affected both themselves and their customers, and none of us can be complacent.
“Having a robust approach to securing endpoint devices, which have previously been seen as out of the control of any company, are now firmly in the spotlight,” he said.
For MSPs and their clients, practical and affordable BYOD device security strategies are more critical than ever, and must be implemented to effectively meet the updated requirements of Cyber Essentials audits and protect every device in use within these organisations.
*Amit Parbhucharan is general manager of EMEA and Asia at Beachhead Solutions