The Cyber Essentials guide to working with contractors

Jan 31, 2024 | Cyber Essentials

Many organisations work with contractors who offer an intermittent or regular service such as IT support, accounting or any number of other roles. These workers are not employees, and by and large, do not work on the premises, however, they usually have accounts that access organisational data. That might be within the company network or via a cloud service such as Microsoft 365 or Azure.

The Cyber Essentials requirements clearly state that all devices that access organisational data and services are in scope. That includes the personal devices (often referred to as BYOD) of trustees, governors, volunteers or contractors that access work emails and/or cloud services.

So how do you apply the Cyber Essentials controls to a contractor and their devices? How do you control things like their router firmware, the operating system, security updates and device locking on a contractor’s laptop?

There are three possible answers to this conundrum, and all of them start with the same step: defining the scope.

Option A

Pass the Cyber Essentials requirements down the supply chain. This would mean mandating that all contractors working with your organisation hold their own Cyber Essentials certificate. If a contractor is Cyber Essentials certified, you would know that the Cyber Essentials controls had been applied to their devices. The accounts that the contractor is using, however, are owned by your organisation, and it is therefore your responsibility to ensure that controls such as multi-factor authentication are applied to those accounts.

Cyber Essentials is generally considered the minimum level of certification for a UK organisation to prove that it is compliant with the basic controls that would prevent the majority of cyber-attacks. If you are using a third-party IT provider, it is highly recommended that you look for one that is Cyber Essentials certified. This demonstrates that the provider is serious about cyber security, as well as being fully competent and supportive when it comes to implementing the controls on your network.

Option B

You include the contractor and their devices and accounts within the scope of your Cyber Essentials certification.

Devices and operating systems

You will need to provide the make of the laptops, computers, smartphones and virtual desktops that the contractor uses to access your organisational data or services, together with the edition and feature version of the operating systems running on those machines.

If you have a Microsoft 365 (MS365) environment, the tools provided with the service can be used to gather this information.
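As an added example (not code from the guide or from Microsoft), the script below turns a device export into the inventory rows the scope statement needs: make, edition and feature version, with personal (BYOD) devices marked and incomplete records flagged for follow-up. The sample records are constructed to look like Intune managedDevice objects returned by Microsoft Graph (deviceName, manufacturer, model, operatingSystem, osVersion, managedDeviceOwnerType); treat those field names as assumptions and check them against your tenant. The `edition` field is hypothetical, because where the edition string comes from depends on the tool you export from, and the build-to-feature-version table is an example to be maintained from the vendor's lifecycle pages.

```python
"""Device inventory for a Cyber Essentials scope statement.

Added example, not from the guide. Input records are constructed to resemble
Intune managedDevice objects from Microsoft Graph (field names assumed);
'edition' is a hypothetical field.
"""
from dataclasses import dataclass

# Windows build number -> feature version. Example table only: keep it current
# from the vendor's lifecycle pages; the entries here are assumptions for the demo.
WINDOWS_FEATURE_VERSIONS = {
    19045: "Windows 10 22H2",
    22621: "Windows 11 22H2",
    22631: "Windows 11 23H2",
    26100: "Windows 11 24H2",
}


@dataclass
class InventoryRow:
    device: str
    owner: str            # "company" or "personal" (personal means BYOD)
    make: str
    edition: str
    feature_version: str
    follow_up: str        # empty when the record is complete


def windows_feature_version(os_version: str) -> str:
    """Map an osVersion such as '10.0.22631.3296' to its feature version name."""
    parts = os_version.split(".")
    try:
        build = int(parts[2])
    except (IndexError, ValueError):
        return "unknown"
    return WINDOWS_FEATURE_VERSIONS.get(build, f"unknown build {build}")


def inventory_row(record: dict) -> InventoryRow:
    """Normalise one device record into an inventory row."""
    os_name = record.get("operatingSystem", "")
    version = record.get("osVersion", "")
    if os_name.lower() == "windows":
        feature = windows_feature_version(version)
    else:
        # macOS, iOS and Android report the version directly (e.g. '14.4').
        feature = f"{os_name} {version}".strip() or "unknown"
    edition = record.get("edition", "unknown")     # hypothetical field
    make = " ".join(p for p in (record.get("manufacturer"), record.get("model")) if p)
    follow_up = ""
    if "unknown" in feature or edition == "unknown":
        follow_up = "confirm edition/feature version with the user"
    return InventoryRow(
        device=record.get("deviceName", "?"),
        owner=record.get("managedDeviceOwnerType", "unknown"),
        make=make or "unknown",
        edition=edition,
        feature_version=feature,
        follow_up=follow_up,
    )


def build_inventory(records: list[dict]) -> list[InventoryRow]:
    return [inventory_row(r) for r in records]


# Constructed sample records (not real devices).
SAMPLE_DEVICES = [
    {"deviceName": "CONTRACTOR-01", "manufacturer": "Dell", "model": "Latitude 5540",
     "operatingSystem": "Windows", "osVersion": "10.0.22631.3296",
     "edition": "Pro", "managedDeviceOwnerType": "personal"},
    {"deviceName": "ACCOUNTS-LT", "manufacturer": "Lenovo", "model": "ThinkPad T14",
     "operatingSystem": "Windows", "osVersion": "10.0.19045.4170",
     "edition": "Pro", "managedDeviceOwnerType": "company"},
    {"deviceName": "Jo's MacBook", "manufacturer": "Apple", "model": "MacBook Air",
     "operatingSystem": "macOS", "osVersion": "14.4", "managedDeviceOwnerType": "personal"},
    {"deviceName": "OLD-BOX", "manufacturer": "HP", "operatingSystem": "Windows",
     "osVersion": "10.0.18363.1", "edition": "Home", "managedDeviceOwnerType": "personal"},
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_DEVICES):
        flag = f"  <- {row.follow_up}" if row.follow_up else ""
        print(f"{row.device:15} {row.owner:8} {row.make:22} {row.edition:8} {row.feature_version}{flag}")
```

Rows that come back with a follow-up note are the ones the assessor will ask about: an unknown build usually means an out-of-support feature version, and a missing edition means the export did not capture it and the user has to be asked.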

Firewalls

Most contractors will have a home router that is provided by their internet service provider and not by your organisation. That means that the router and its firewall are not in scope for your Cyber Essentials certification, and you do not need to concern yourself with the router firmware or firewall rules.

The Cyber Essentials controls must instead be applied to the software or host-based firewall installed on the contractor’s laptop or computer. Where your organisation does not control the boundary firewall, for example in a coffee shop, hot desk or conference centre, the host-based firewall on the device acts as the boundary.

Your contractors may use a virtual private network (VPN). To meet the Cyber Essentials requirements, the only secure option is a corporate VPN: a single direct tunnel that connects remote workers, including in this example the contractor, back to your organisation’s office location or to a virtual or cloud firewall. The corporate VPN must be administered by your organisation so that you know the firewall controls have been applied.

Access control and passwords

Contractors will need to follow your company password policy, which will cover:

  • That all default passwords on all devices are changed

  • Each user requires their own username and password and there are no shared accounts

  • Details of the process for changing passwords promptly if a user knows or suspects that a password or account has been compromised. (Please note: in order to answer ‘yes’ to this question, organisations need to be aware of what constitutes a breach and be confident that contractors would recognise and report one.)

  • The importance of using different passwords for different systems

  • Guidance and support on how to create good passwords within your organisation

  • The measures needed to protect accounts against brute-force password guessing

Your password policy can be communicated to employees and contractors however you see fit: through policies, procedures, training or technical controls.
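The last bullet above, protection against brute-force password guessing, is the one most naturally met with a technical control. The class below is an added example (not from the guide) of the usual approach: count failed logins per account in a sliding window and lock the account for a period once the limit is hit. The thresholds (10 failures in 5 minutes, 5-minute lockout) are parameters, and the values used here are assumptions for the demo; take the ones you enforce from the current Cyber Essentials requirements document. The account names and attempt sequence are constructed.

```python
"""Brute-force protection for a login endpoint: sliding-window failure count
with a temporary lockout.

Added example, not from the guide. Thresholds are parameters; the defaults are
assumptions for the demo, not a statement of the Cyber Essentials figures.
"""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=10, window_seconds=300, lockout_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout ends

    def failure_count(self, account, now):
        """Number of failures for the account inside the sliding window (prunes old ones)."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: forget it and start counting afresh.
        del self._locked_until[account]
        self._failures[account].clear()
        return False

    def attempt(self, account, password_ok, now):
        """Record one login attempt and return 'ok', 'denied' or 'locked'.

        A correct password during a lockout is still refused; otherwise an
        attacker who eventually guesses right would get in regardless.
        """
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        self.failure_count(account, now)       # prune failures outside the window
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return "locked"
        return "denied"


if __name__ == "__main__":
    import time
    guard = LoginGuard()
    t0 = time.time()
    account = "contractor@example.invalid"   # constructed account name
    # Constructed scenario: twelve wrong guesses one second apart, then the right password.
    for i in range(12):
        print(i + 1, guard.attempt(account, False, t0 + i))
    print("correct password while locked:", guard.attempt(account, True, t0 + 12))
```

The timestamp is passed in rather than read from the clock so the policy can be unit-tested and replayed against an authentication log. Note the trade-off: a per-account lockout lets anyone who knows a username lock that user out, which is why throttling (a growing delay between attempts) is the alternative Cyber Essentials accepts; whichever you choose, the lockout or throttle event should be logged so that the breach-reporting process above can be triggered.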

Multi-factor authentication

When accessing cloud services where the accounts belong to your organisation, in addition to a password of at least 8 characters, user identity must be confirmed with multi-factor authentication (MFA). Your contractors will need to use one of the following methods to authenticate to their accounts:

  • Using a managed/enterprise device as an extra factor

  • Using an app on a trusted device as an extra factor

  • Using a physically separate extra factor

  • Using a known or trusted account as an extra factor

A Bring Your Own Device Policy

As your contractor’s devices are in scope for your Cyber Essentials certification, your organisation will need to take some administrative control over them, treating them as Bring Your Own Devices (BYOD). It will probably be necessary to write and enforce a BYOD policy. This might be in addition to, or incorporated into, other key policies such as an IT Acceptable Use Policy, IT Security Policy and Mobile Working Policy.

A BYOD policy should address the use of personal devices that connect to your organisational networks and to cloud services like Microsoft 365.

The contractor, as owner of the device, must understand and accept the terms and conditions of the BYOD policy.

Here are some suggestions that could be included in the BYOD policy:

  • The Operating System and apps must be fully supported by the manufacturer and receive security updates

  • Software-based firewalls are activated and configured in line with the Cyber Essentials requirements

  • All critical and high security updates must be installed within 14 days

  • Cyber Essentials password controls are applied to users’ own devices (BYODs)

  • Users logging in on computers and tablets have a day-to-day account that is separate from the administrator account

  • The device automatically locks when not in use and requires a PIN or passcode of 6 digits or more to unlock (use a biometric if available)

  • Anti-malware software is installed on Windows and Mac machines and kept updated. All other devices should use application allow listing in line with the organisation’s allow list.

  • Unused apps should be uninstalled

  • If lost or stolen, it must be reported to the business promptly

  • Rooting or jailbreaking is not permitted

  • A remote erase and tracking app must be installed and activated so you can track a lost device, lock access and erase data. Obtain written consent in advance from the device owner to remote wipe the device in the event of loss, theft or termination of employment. (This suggestion is beyond the Cyber Essentials requirements.)

  • Clarify how, when and why monitoring will take place and require the device and passwords to be delivered up on reasonable request. (This suggestion is beyond the Cyber Essentials requirements.)
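Most of the bullets above can be checked mechanically once the facts about a device are known. The following is an added example (not from the guide) of a policy-as-code check that takes one device record and returns the list of policy failures. The `DeviceReport` shape is constructed for the demo; in practice its fields would be filled from your MDM/MAM export. The 14-day patch window, the 6-character unlock code, the separate administrator account for computers and tablets, and the anti-malware-versus-allow-listing split follow the policy text above; everything else (field names, platform labels) is an assumption.

```python
"""Policy-as-code check of a BYOD device record against a written BYOD policy.

Added example, not from the guide. DeviceReport is a constructed shape; the
thresholds follow the policy bullets above and are parameters.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_DEADLINE_DAYS = 14                    # critical/high updates installed within 14 days
MIN_UNLOCK_LENGTH = 6                       # PIN/passcode of 6 digits or more
ANTI_MALWARE_PLATFORMS = {"windows", "macos"}   # other platforms use allow listing


@dataclass
class DeviceReport:
    name: str
    platform: str                           # "windows", "macos", "ios", "android"
    form_factor: str                        # "laptop", "tablet", "phone"
    os_supported: bool                      # vendor still ships security updates
    firewall_enabled: bool
    oldest_pending_update: Optional[date]   # release date of the oldest missing critical/high update
    separate_admin_account: bool
    auto_lock: bool
    unlock_code_length: int
    anti_malware_current: bool
    allow_listing_enforced: bool
    rooted_or_jailbroken: bool
    remote_wipe_enrolled: bool


def evaluate(report: DeviceReport, today: date) -> list[str]:
    """Return the policy failures for one device; an empty list means compliant."""
    findings = []
    if not report.os_supported:
        findings.append("operating system no longer receives vendor security updates")
    if not report.firewall_enabled:
        findings.append("software firewall not enabled")
    if report.oldest_pending_update is not None:
        age = (today - report.oldest_pending_update).days
        if age > PATCH_DEADLINE_DAYS:
            findings.append(f"critical/high update outstanding for {age} days (limit {PATCH_DEADLINE_DAYS})")
    # The policy asks for a separate administrator account on computers and tablets.
    if report.form_factor != "phone" and not report.separate_admin_account:
        findings.append("day-to-day account is also the administrator account")
    if not report.auto_lock:
        findings.append("device does not auto-lock")
    elif report.unlock_code_length < MIN_UNLOCK_LENGTH:
        findings.append(f"unlock code shorter than {MIN_UNLOCK_LENGTH} characters")
    if report.platform in ANTI_MALWARE_PLATFORMS:
        if not report.anti_malware_current:
            findings.append("anti-malware missing or out of date")
    elif not report.allow_listing_enforced:
        findings.append("application allow listing not enforced")
    if report.rooted_or_jailbroken:
        findings.append("device is rooted or jailbroken")
    if not report.remote_wipe_enrolled:
        findings.append("remote lock/erase not enabled (policy item beyond Cyber Essentials)")
    return findings


def is_compliant(report: DeviceReport, today: date) -> bool:
    return not evaluate(report, today)


def summarise(reports: list[DeviceReport], today: date) -> dict[str, list[str]]:
    """Map device name -> findings, for the management check or the assessor sample."""
    return {r.name: evaluate(r, today) for r in reports}


if __name__ == "__main__":
    # Constructed sample: one compliant laptop and one non-compliant phone.
    today = date(2024, 3, 1)
    sample = [
        DeviceReport("CONTRACTOR-01", "windows", "laptop", True, True, date(2024, 2, 25),
                     True, True, 6, True, False, False, True),
        DeviceReport("Jo's phone", "android", "phone", True, True, date(2024, 1, 20),
                     False, True, 4, False, False, True, True),
    ]
    for name, findings in summarise(sample, today).items():
        print(name, "compliant" if not findings else findings)
```

Running this over the sample of devices you inspect in a management check gives the same kind of evidence an assessor collects for Cyber Essentials Plus, and the findings list doubles as the remediation note to send back to the contractor.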

Although all of your security requirements can be explicitly referenced in your policy and included in your SLA or contract, a written policy cannot substitute for applying controls to a BYOD device; technical measures also need to be in place. Some of the trickier issues, such as managing security updates, software firewall rules, controlling unnecessary accounts, malware protection and application allow listing, can be managed more effectively with a technical solution.

Container Apps or Managed Apps are types of software that separate the organisation’s data and personal data on the device and would enable the organisation to limit monitoring and remote wiping to company data only.

Mobile Device Management (MDM) software allows you to monitor, manage and secure employees’ mobile devices. Different products are available, with a range of licensing models and prices.

Mobile application management (MAM) is software that secures and enables IT control over enterprise applications on users’ personal devices. MAM software allows IT administrators to apply and enforce security policies on mobile apps and limit the sharing of corporate data among apps.

Desktop virtualisation software, such as Citrix, allows employees and contractors to securely access data stored on the corporate network using their own device. Organisational data is accessed remotely and stays on a secure server. It may be necessary for staff to agree not to copy the organisation’s data onto their own device.

If you are certifying to Cyber Essentials Plus, a sample of devices will be tested for compliance by an Assessor. Even if you are not going for the audit this time, you could always follow this approach and look at a sample as part of your management checks.

A word about Remote Desktop Protocol (RDP)

Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.

Remote Desktop Protocol is a common entry point for ransomware and should only be used on internal networks. It is vital that the RDP port is closed or blocked at the firewall of devices accessing organisational data, so that it is not open for use across the internet.

Where possible, rather than using remote connections, use cloud services such as OneDrive or Google Drive. Cloud services need to be correctly configured, and users need training to understand how to use them securely.
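To verify the point above on a Windows device, you want to know two things: is anything listening on the RDP port on a non-loopback address, and does the host firewall block inbound connections to it. The script below is an added example (not from the guide) that answers both from text you can collect on the device. The listener input is constructed in the format of Windows `netstat -an` output; the firewall rules are a simplified constructed list (direction, protocol, port, action, enabled), not the Windows Firewall API, and the check models the usual rule that an enabled block rule overrides an allow rule.

```python
"""Audit RDP (TCP 3389) exposure on a Windows host from netstat output and a
simplified firewall rule list.

Added example, not from the guide. The netstat text is constructed in the
Windows `netstat -an` format; the rule list is a constructed shape.
"""
import re

RDP_PORT = 3389
LOOPBACK = {"127.0.0.1", "[::1]"}
# Windows netstat -an line:  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\w+)?")


def parse_listeners(netstat_output: str):
    """Yield (address, port) for every TCP socket in LISTENING state."""
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        addr, _, port = m.group(2).rpartition(":")   # '[::]:3389' -> ('[::]', '3389')
        yield addr, int(port)


def rdp_listeners(netstat_output: str) -> list[str]:
    """Addresses other than loopback on which RDP is listening."""
    return [addr for addr, port in parse_listeners(netstat_output)
            if port == RDP_PORT and addr not in LOOPBACK]


def rule_covers_rdp(rule: dict) -> bool:
    return (rule.get("enabled", False)
            and rule.get("direction") == "in"
            and rule.get("protocol", "TCP").upper() == "TCP"
            and rule.get("port") in (RDP_PORT, "any"))


def audit_rdp(netstat_output: str, rules: list[dict], firewall_enabled: bool = True) -> dict:
    """Return a status of 'closed', 'blocked' or 'exposed' with the evidence behind it."""
    listeners = rdp_listeners(netstat_output)
    if not listeners:
        return {"status": "closed", "listeners": [], "reason": "RDP not listening"}
    blocked = any(rule_covers_rdp(r) and r["action"] == "block" for r in rules)
    allowed = any(rule_covers_rdp(r) and r["action"] == "allow" for r in rules)
    if not firewall_enabled:
        return {"status": "exposed", "listeners": listeners, "reason": "host firewall disabled"}
    if blocked:
        return {"status": "blocked", "listeners": listeners, "reason": "inbound block rule present"}
    if allowed:
        return {"status": "exposed", "listeners": listeners, "reason": "inbound allow rule, no block rule"}
    return {"status": "blocked", "listeners": listeners, "reason": "no inbound allow rule (default deny)"}


# Constructed sample input (not captured from a real machine).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    192.168.1.20:50012     203.0.113.9:443        ESTABLISHED
"""
ALLOW_ONLY = [{"name": "Remote Desktop - User Mode (TCP-In)", "direction": "in",
               "protocol": "TCP", "port": 3389, "action": "allow", "enabled": True}]
ALLOW_AND_BLOCK = ALLOW_ONLY + [{"name": "Block RDP from internet", "direction": "in",
                                 "protocol": "TCP", "port": 3389, "action": "block", "enabled": True}]

if __name__ == "__main__":
    print(audit_rdp(SAMPLE_NETSTAT, ALLOW_ONLY))
    print(audit_rdp(SAMPLE_NETSTAT, ALLOW_AND_BLOCK))
    print(audit_rdp(SAMPLE_NETSTAT, ALLOW_AND_BLOCK, firewall_enabled=False))
```

On a real device, save the output of `netstat -an` to a file and feed it in; the rule list would come from your firewall management tooling. A status of `exposed` on a BYOD laptop that also sits behind a coffee-shop router is exactly the situation the host-based firewall paragraph above is about, and the remediation is the one the text gives: disable the service or add an inbound block rule for the port.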

Option C

An alternative to mandating that your contractors are Cyber Essentials certified, or including their personal device within your Cyber Essentials scope is to provide all your contractors with devices that are managed by your organisation. This would mean that you are in complete control of the devices and can dictate the technical controls that are in place to protect those devices to mirror those applied to all devices within your organisation.

Because these devices are owned and managed by your organisation, these would form part of the scope of your Cyber Essentials assessment.

Option C is often considered the simplest solution when working with contractors, and it offers you the most control over the devices that interact with your organisational services and data. Providing equipment for contractors could have tax implications; these rules can be difficult to understand, and we would recommend that you discuss them with your accountant or with HMRC.

Glossary of terms

Biometrics are unique identifiers such as fingerprints, face, iris and/or voice, that can be used instead of or in addition to passwords, to make human identity authentication more secure.

Bring Your Own Device (BYOD) is a widespread term for when an organisation allows staff to use their own laptops, tablets or phones for work purposes.

Jailbreaking is the process of removing the limitations put in place by a device’s manufacturer. Jailbreaking is generally performed on Apple iOS devices, such as the iPhone or iPad. Jailbreaking removes the restrictions Apple puts in place, allowing you to install third-party software from outside the app store. Essentially, jailbreaking allows you to use software that Apple doesn’t approve.

Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network.

Multi-factor authentication or MFA means that, in addition to a password, account holders will be asked to prove their identity in one or more other ways. This could be a code sent to another device, such as a text message to a mobile phone, or a single-use code generated by an authenticator app or physical token.

Rooting is the process of gaining “root access” to a device. Similar to jailbreaking, but this is generally performed on Android devices.

A virtual private network or VPN is a technology that allows a secure and private connection on the internet.