Achieving Cyber Essentials: options for colleges and universities

This is illustrated by a recent threat report issued by the National Cyber Security Centre (NCSC) noting that, “Due to the increased number of personal devices connected to enterprise networks, it is likely these devices will be targeted to gain access to the enterprise network”. 

Threats have increased significantly in the many years since organisations first started implementing BYOD initiatives (in many cases before smartphones and tablets even existed).  

The NCSC’s view is that policies around the use of personally owned devices have not kept pace with the threat landscape and need to be updated to be effective and secure. 

For colleges and universities to meet the BYOD criteria for CE and CE+ there are now three options: 

• Continue to provide access to personally owned devices. This will require measures to track and list device details, enforce compliance and manage access via technical controls
• Stop providing access to personally owned devices. Colleges and universities could give all staff that require mobile access a corporately procured and managed device. This gives a greater level of control over device specification, configuration and use
• Seek certification against a sub-set scope (for a specified part), rather than for the whole organisation. This does not negate the requirement to provide inventory details for and manage any personally owned devices in use within the sub-set, but focusing on part of the organisation rather than all of it reduces the scale of the task. 

Option three means that an institution could seek certification for a sub-set, where BYOD access is stopped for the staff in the sub-set (for example, a finance or HR team), but continues for the rest of the organisation, so long as the network or networks used by the sub-set are appropriately segregated. 

In response to an approach from Jisc, the Department for Education (DfE) and the Education and Skills Funding Agency (ESFA) have also updated the requirements for achieving CE and CE+ for further education (FE) providers in England. 

The regulations state that FE providers should be at least “working towards” a CE certificate during the year 2022/23. 

Further, the DfE agreed that English FE providers can still achieve CE using the option of a sub-set scope, as described above, rather than procure a technical solution across the whole organisation. 

However, Jisc is supportive of the NCSC’s strong recommendation that the CE controls should be applied as widely as possible. Jisc members should also be prepared to extend the coverage of CE certification in future, which will strengthen their overall security posture. 

While this may involve a time and money investment, any outlay that helps to build cyber security strength will certainly be less than the potential cost of a cyber attack. From Jisc’s computer security incident team’s (CSIRT’s) work in helping HE institutions and FE providers recover from ransomware incidents, we are aware of impact costs exceeding £2m. 

Implementing the fundamental security controls set out within the CE scheme as widely as possible is now more important than ever.  

Further information 

• For more information on the technical aspects of BYOD criteria for CE and CE+, see our Jisc Involve blog
• To help members achieve CE and CE+, Jisc runs a monthly Cyber Essentials drop-in clinic. Members can also contact professional.cyberservices@jisc.ac.uk for more information about support Jisc provides for CE