Safeguard Your Associates-model Organization from Cyber Threats with Cyber Essentials and Mini Certification

Over the past few years, I’ve worked with a few organisations that rely heavily on an “associates” model. This type of organisation seems to be becoming more prevalent.

What appears to happen is that an organisation will form around a certain “domain” capability where the individuals doing the work tend to be high performers, in particular high performers who a) want to be self-employed, and b) demand decent pay packets. So rather than being an organisation with employees and a lot of infrastructure, you end up with a small infrastructure piece in the middle and a collection of self-employed associates doing the delivery.

A very common model for this is management consultancy where the members doing the delivery have enough experience and skills to demand a working model that works for them. Also with those organisations, you tend to see sophisticated sales and marketing functions retained as core within the organisation because – for example – management consultants tend to suck at sales and marketing.

To summarise then, you have a small membership organisation, with very light-touch infrastructure, strong sales and marketing, and a bunch of (usually) non-technical individuals doing service delivery.

What these organisations then tend to run into is problems with IT governance. Computers are required to support delivery, and these associates need to look like members of a larger organisation and so have email addresses that represent them as full-fledged members of the organisation (as well as making the organisation look bigger than it really is). They also need access to a file server and other resources.

In a normal organisation, the IT team will (quite aggressively) manage those resources, e.g. locking down the laptops, putting mobile device management on the phones, etc. However, in an associates organisation management of the IT stops at the cloud, and the associates use their own devices. A very common problem that occurs is that associates will use laptops that do not have encryption enabled. (In my experience, virtually all non-technical people have a significant blind-spot around encryption. In my IT support business, encryption is a conversation I have more than any other.) This does create a horrendous risk exposure where any one of the associates can cause real problems for the whole organisation.

Other problems include poor malware protection (for example, flat out using fake antivirus products that are malware presenting as security products), poor password hygiene, or taking a laissez-faire attitude towards updates.

Where this problem gets compounded is that the management of these sorts of organisations also tends not to see IT as an important discipline. These organisations are often founded by non-technical people who happen to be good at sales and marketing and who collect capable peer individuals under the umbrella in order to achieve some sort of scale. As a result, there tends to be no top-down push at all around IT governance.

What should ideally happen is that the infrastructure the organisation provides should extend to IT infrastructure as well. The easiest way to do this is to buy laptops and phones, give them to associates, and have your outsourced IT support provider (MSP) manage them. A laptop that is more than adequate for management consultant-type activities should cost no more than £600+VAT – a sum that’s very easy to cover if you’re billing over £1k per diem. However, for whatever reason, this almost never happens because of the lack of appetite and/or awareness about the need for IT governance even in this sort of organisation. Specifically, this sort of organisation wants to keep the complexity around the IT provision with the associates.

Personally, I believe this is the wrong approach, but if we instead concern ourselves with the hand we’re dealt…

A very decent way of managing a baseline level of information security within small organisations is through Cyber Essentials. Cyber Essentials doesn’t technically cover the IT equipment used by suppliers (which is what associates are, technically), but that doesn’t stop you using it as a foundation piece and then building on top of it.

What I have seen work is creating your own “mini certification” process that associates are asked to sign up to. This involves having someone technical remote into each associate’s machine and evaluate the baseline issues – a) is encryption enabled (BitLocker on Windows 1x Pro, device encryption if not, FileVault on macOS), b) is antivirus running (Windows Defender is fine, Mac adds some complications), c) is the OS version current and are updates enabled, d) is the Microsoft Office version current and are updates enabled, e) are other app versions current, and are updates enabled, f) is the device password good (and/or is a Windows Hello method used), and finally g) are they using a password manager.
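As an added example (not from the original post), the following read-only PowerShell script gathers evidence for checks a) to e) when run in an elevated session on an associate's Windows machine, and leaves f) and g) as prompts for the conversation. It assumes Windows 10/11 Pro with the BitLocker and Defender modules present, and Office installed via Click-to-Run; the two registry paths used are assumptions.

```powershell
# Baseline evidence for the mini certification. Run elevated on the associate's machine.
# Assumes Windows 10/11 Pro, Defender module present, Office via Click-to-Run (assumed paths).
$report = [ordered]@{}

# a) Encryption: each fixed volume should report FullyEncrypted with protection On.
#    Home edition lacks the BitLocker module, so guard the call rather than let it error.
$vols = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) { Get-BitLockerVolume }
$report['Encryption'] = if ($vols) {
    ($vols | ForEach-Object { "$($_.MountPoint) $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
} else { 'BitLocker unavailable (Home edition?) - check Settings > Device encryption by hand' }

# b) Antivirus: Defender real-time protection on and signatures recent
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['Defender'] = if ($mp) {
    "RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"
} else { 'Defender not reporting - a third-party product is in use; confirm it is genuine' }

# c) OS version and the date of the most recently installed update
$os = Get-CimInstance Win32_OperatingSystem
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['OS'] = "$($os.Caption) build $($os.BuildNumber); last update $($lastFix.InstalledOn)"

# d) Office version and whether its automatic updates are switched on (assumed registry path)
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$office = Get-ItemProperty -Path $c2r -ErrorAction SilentlyContinue
$report['Office'] = if ($office) {
    "Version $($office.VersionToReport); UpdatesEnabled=$($office.UpdatesEnabled)"
} else { 'No Click-to-Run Office found' }

# e) Other applications: name and version of everything registered in Add/Remove Programs,
#    exported so the technician can scan for anything obviously stale
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Sort-Object DisplayName -Unique
$apps | Select-Object DisplayName, DisplayVersion |
        Export-Csv -Path "$env:TEMP\apps.csv" -NoTypeInformation
$report['Apps'] = "$($apps.Count) installed; versions listed in $env:TEMP\apps.csv"

# f) and g) are judged in conversation rather than queried; record the answers alongside
$report['Password']  = 'MANUAL: device password strength / Windows Hello in use?'
$report['PwManager'] = 'MANUAL: password manager in use?'

$report.GetEnumerator() | ForEach-Object { '{0,-11}: {1}' -f $_.Key, $_.Value }
```

The printed table plus the CSV is the record fed back to the organisation for the case-by-case follow-up described next.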

The results of that process are then fed back into the organisation, where it can deal with each issue on a case-by-case basis. For example, the associate who is using a 15-year-old Microsoft Vista install might be encouraged to pay a visit to the Dell Outlet Store. Overall though, this is an easy process that can manage out cyber security and information security risks without being too onerous.

By Matthew Reynolds