Achieving Cyber Essentials: options for colleges and universities

Jon Hunt

In 2014, the UK government introduced a scheme to help organisations, whatever their size, protect themselves against a range of the most common cyber attacks – Cyber Essentials (CE) and Cyber Essentials Plus (CE+).

IT professional looks at a laptop while working on a server in a data centre.

While Jisc fully supports CE certificates as part of a strategic programme of cyber security measures, we acknowledge they can be tricky for colleges and universities to achieve.  

One of the CE criteria colleges and universities can struggle to meet is around ‘bring your own device’ (BYOD) measures.  

In many ways, BYOD offers a good fit with education environments, supporting flexible access from a range of different locations and devices. More recently, personally owned devices have been essential to the enforced shift to home working during the pandemic, and to the new hybrid ways of working that are a legacy of COVID-19. 

However, the changes in the threat landscape mean additional controls now need to be put in place. 

Because of the increasing likelihood that cyber attackers will target end-user devices, the latest revision of CE and CE+ (in force since January 2022) clarifies BYOD arrangements.  

Changes in the threat landscape mean additional controls now need to be put in place

This is illustrated by a recent threat report issued by the National Cyber Security Centre (NCSC) noting that, “Due to the increased number of personal devices connected to enterprise networks, it is likely these devices will be targeted to gain access to the enterprise network”. 

Threats have increased significantly in the many years since organisations first started implementing BYOD initiatives (in many cases before smartphones and tablets even existed).  

The NCSC’s view is that policies around the use of personally owned devices have not kept pace with the threat landscape and need to be updated to be effective and secure. 

For colleges and universities to meet the BYOD criteria for CE and CE+ there are now three options: 

  • Continue to provide access to personally owned devices. This will require measures to track and list device details, enforce compliance and manage access via technical controls
  • Stop providing access to personally owned devices. Colleges and universities could give all staff that require mobile access a corporately procured and managed device. This gives a greater level of control over device specification, configuration and use
  • Seek certification against a sub-set scope (for a specified part), rather than for the whole organisation. This does not negate the requirement to provide inventory details for and manage any personally owned devices in use within the sub-set, but focusing on part of the organisation rather than all of it reduces the scale of the task. 

Option three means that an institution could seek certification for a sub-set, where BYOD access is stopped for the staff in the sub-set (for example, a finance or HR team), but continues for the rest of the organisation, so long as the network or networks used by the sub-set are appropriately segregated. 

In response to an approach from Jisc, the Department for Education (DfE) and the Education and Skills Funding Agency (ESFA) have also updated the requirements for achieving CE and CE+ for further education (FE) providers in England. 

The regulations state that FE providers should be at least “working towards” a CE certificate during the year 2022/23. 

Jisc is supportive of the NCSC’s strong recommendation that the CE controls should be applied as widely as possible

Further, the DfE agreed that English FE providers can still achieve CE using the option of a sub-set scope, as described above, rather than procure a technical solution across the whole organisation. 

However, Jisc is supportive of the NCSC’s strong recommendation that the CE controls should be applied as widely as possible. Jisc members should also be prepared to extend the coverage of CE certification in future, which will strengthen their overall security posture. 

While this may involve a time and money investment, any outlay that helps to build cyber security strength will certainly be less than the potential cost of a cyber attack. From Jisc’s computer security incident team’s (CSIRT’s) work in helping HE institutions and FE providers recover from ransomware incidents, we are aware of impact costs exceeding £2m. 

Implementing the fundamental security controls set out within the CE scheme as widely as possible is now more important than ever.  

Further information 

  • For more information on the technical aspects of BYOD criteria for CE and CE+, see our Jisc Involve blog
  • To help members achieve CE and CE+, Jisc runs a monthly Cyber Essentials drop-in clinic. Members can also contact for more information about support Jisc provides for CE

Get involved

Join our defend as one campaign and help us unite higher and further education in a common cause - to build robust defences across the sector. As a member, you can sign up to receive personalised instructions on how to improve your cyber security posture across your organisation.

About the author

Jon Hunt
Cyber security service delivery manager