The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain cybersecurity controls.

Safeguard 4.10 is a no-brainer today, especially as more and more of us are working remotely. It requires enforcement of automatic device lockout on portable end-user devices. For example, laptops should not allow more than 20 failed authentication attempts; for tablets and smartphones, the requirement is no more than 10 failed attempts.

If you're working with Apple Configuration Manager, the setting is maxFailedAttempts; in Microsoft Intune, it's called Device Lock. Every Mobile Device Manager (MDM) provider has this functionality.
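One way to check an exported Apple configuration profile against the 4.10 thresholds above. This is an added example, not code from the original post; it assumes the profile is an unsigned plist whose passcode payload has type `com.apple.mobiledevice.passwordpolicy`, and the function names and sample profiles are constructed for illustration.

```python
import plistlib

# Maximum failed authentication attempts per device class, as stated in Safeguard 4.10.
LIMITS = {"laptop": 20, "tablet": 10, "smartphone": 10}
# Assumption: the passcode policy lives in a payload of this type.
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def audit_profile(profile_bytes, device_class):
    """Return (compliant, reason) for one exported configuration profile."""
    limit = LIMITS[device_class]
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return False, "no passcode payload: lockout is not enforced"
    values = [p.get("maxFailedAttempts") for p in payloads]
    # A missing or non-integer value means no usable lockout threshold.
    if any(isinstance(v, bool) or not isinstance(v, int) for v in values):
        return False, "maxFailedAttempts missing or invalid: guesses are unlimited"
    # With several passcode payloads, report conservatively on the highest value.
    worst = max(values)
    if worst < 1:
        return False, f"maxFailedAttempts={worst} is not a usable threshold"
    if worst > limit:
        return False, f"maxFailedAttempts={worst} exceeds {limit} for {device_class}"
    return True, f"maxFailedAttempts={worst} is within {limit} for {device_class}"


def make_profile(max_failed=None, with_passcode_payload=True):
    """Build a constructed sample profile (not taken from a real MDM export)."""
    content = []
    if with_passcode_payload:
        payload = {"PayloadType": PASSCODE_PAYLOAD, "forcePIN": True}
        if max_failed is not None:
            payload["maxFailedAttempts"] = max_failed
        content.append(payload)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})


if __name__ == "__main__":
    samples = [("laptop", make_profile(20)), ("laptop", make_profile(25)),
               ("smartphone", make_profile(11)), ("tablet", make_profile()),
               ("tablet", make_profile(with_passcode_payload=False))]
    for device_class, blob in samples:
        ok, reason = audit_profile(blob, device_class)
        print(f"{device_class:<11}{'PASS' if ok else 'FAIL'}  {reason}")
```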

If you're not striving for Implementation Group 2 or 3 compliance, simply documenting these requirements in your Mobile Device or Remote Work policy gets you started in the right direction.

This requirement is more than just requiring a password on a device when using Outlook, but that is a critical component that you should have as well.

So why is this critical?

First, let's be honest: users are not the best at locking their computers when they are away (CIS Control 4.3). I've seen unlocked and unattended devices at conferences, hotels, airports, and everywhere in between. Whether the device is locked or unlocked, setting up device lockout can limit the damage caused by your users.

Here the goal is to prevent brute-force login attempts on a device that has been stolen. Without automatic device lockout, you're giving the thief an unlimited number of attempts to guess your password, which is probably just under the keyboard or inside the battery compartment (yes, I have found them there).

Contact Info

717.884.9030

Scott@ScottRDavis.com