Do you have Cyber Essentials? Do you know what BYOD means to your Business?

Apr 15, 2021

A number of changes to the Cyber Essentials scheme, administered by IASME, the NCSC’s Cyber Essentials partner, have been announced this month. The update includes a series of ‘clarifications’ to the requirements for certification bodies and customers to be aware of.

At the Risk Dashboard, one of our key modules in keeping businesses safe online is our Information Security module, where we see varying degrees of knowledge and understanding when it comes to online/digital security.

The IASME update, due for release on the 26th, covers a number of changes; we would like to focus on ‘Bring Your Own Device’, or BYOD.

IASME Notification: An update to the Bring Your Own Device (BYOD) requirement to explain what is out of scope.

How it will be worded:
In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).

The term ‘native voice’ refers to voice calls. This means that if a mobile phone is used solely for phone calls and text messages, as well as receiving 2FA codes, it is not in scope. However, as soon as that device is used for accessing organisational email or any other organisational data, it would come into scope.

What does this actually mean to businesses and employees?

It can be an absolute headache for any business’s HR/IT departments to request details of their employees’ or contractors’ mobile device(s). IASME and we here at the Risk Dashboard agree that BYOD is probably the biggest risk to any business – after our staff!!

We see so many businesses that neither have a BYOD policy nor are even aware of the risks and implications for their companies.

The Risk Dashboard estimates that 4 out of 5 SMEs have no BYOD policy, or a back-up plan to restore essential systems in the event of a breach.

BYOD now forms part of the Cyber Essentials certification assessment.

Cyber Essentials will now require businesses to know which devices, including personal ones, are accessing their network and services.

Consider this:

  1. Right now, we work from home on our personal devices, accessing many cloud services – Dropbox, LinkedIn (where there was a considerable data breach recently), Microsoft 365, etc. – whilst connecting to the office network.
  2. At the weekend, the same devices are used for gaming, apps or checking up on emails, and our employers have no visibility of what we are accessing, viewing or downloading.
  3. Actions like these are a breeding ground for hackers, where malware can be deployed without the user even knowing.
  4. On Monday we turn back up at work (hopefully soon for the majority of us...) and our device connects back onto the office network or cloud service, where the malware gets to work – literally, transferring all manner of unwanted risks and threats to the business.

At the Risk Dashboard, our real-time, evidence-based compliance technology allows business owners to understand the various types of risks, threats and vulnerabilities that YOU may be exposing your business to.

The Risk Dashboard has been designed to create UK resilience and growth across SMEs, especially as we exit the pandemic, so now is a great time to self-assess your business.

If you would like to learn more about what the Risk Dashboard can do for your business, please contact Neil Campbell, Commercial Director at Risk Dashboard, on info@riskdashboard.co.uk.

We look forward to hearing from you.
