Cyber Security Blog - Cyber Tec Security

Policies don’t protect data. MDM and MAM do.

Written by Louise Ralston | Jan 28, 2026

In the age of remote and hybrid working, mobile devices are central to how organisations work, communicate and collaborate. But as smartphones and tablets are used to access more sensitive data, new risks come with that – which is why they’re very much in scope for Cyber Essentials.

This short guide explains what counts as an in-scope device, why written policies on their own are insufficient, and the practical steps every organisation should take to stay compliant.

When are mobile devices in scope?

The core rule of thumb is a simple one: if a device is used to access business data, it’s in scope for Cyber Essentials. This includes company-issued phones, tablets and personal devices under a BYOD arrangement.

So, whether someone logs in to check their emails or a shared calendar, posts marketing content via an app or communicates via Teams, the device they use has to meet the required Cyber Essentials standard if it comes into contact with business information.

A mobile is only considered out of scope if it’s used exclusively for traditional phone calls, SMS messaging or authenticator apps. As soon as it accesses email, cloud services, business apps or internal systems, it falls within scope of Cyber Essentials.

Why written policies aren’t enough

Small businesses may have a written policy advising staff on how they should manage and secure their phones. These policies can be very helpful, but on their own they don’t deliver assurance that you have met the Cyber Essentials requirements.

Relying on individuals to keep their devices updated, encrypted and configured correctly simply isn’t reliable, even if there’s only a handful of staff. Technical controls are vital because they provide assurance that devices are compliant in practice as well as on paper.

Cyber Essentials is crystal clear on this point: you must be able to enforce controls, not just request them. Our assessors constantly find devices not running compliant operating systems, where end-users think their device is compliant but it's not.

MDM and MAM: the practical way to stay compliant

There are two main approaches to enforcing mobile security:

  • Mobile Device Management (MDM): Gives full device-level control. It allows you to enforce OS updates, ensure encryption is enabled, set minimum PIN requirements, block jailbroken devices and maintain a secure baseline throughout the entire device.
  • Mobile Application Management (MAM): More suitable for BYOD setups. Instead of controlling the whole device, MAM governs only the business apps and data, but still ensures the device is compliant. This protects email, Teams and other work apps while leaving personal content private, by isolating the business data, ringfencing it on the device.

The good news is that most organisations already have access to these capabilities. Microsoft 365 and Google Workspace both include mobile management tools, which an MSP should be able to enable and configure with minimal disruption.

The bottom line is that there’s no substitute for a technical control. Whether you allow BYOD or issue company devices to staff, MDM or MAM are reliable ways to demonstrate compliance.

Common issues

From our own experience at Cyber Tec, there are some recurring problems that tend to crop up during Cyber Essentials assessments. For instance, iPhones and iPads are often found running outdated or unsupported versions of iOS, leaving them vulnerable. Apple Macs can also cause trouble, particularly when they aren’t centrally managed and users run as local administrators.

BYOD devices are another weak spot. Without enforced controls, users may rely on short PINs, skip updates or use insecure configurations. All of these can lead to non-compliance when it comes to a Cyber Essentials assessment.

A quick compliance checklist

To meet Cyber Essentials requirements, mobile devices must:

  • Run a supported operating system that is patched and up to date within 14 days of patch release.
  • Not be jailbroken or rooted.
  • Have a minimum six-digit PIN or equivalent authentication.
  • Be managed through MDM or MAM rather than relying on a written policy alone.

These rules apply to phones, tablets and any other portable device used for business purposes, whether BYOD or company owned.
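The checklist above, and the MDM/MAM distinction earlier in the post, can be turned into an inventory check that flags exactly the gaps assessors look for. The following Python script is an added example, not code from Cyber Tec or from any MDM product: it evaluates a constructed device inventory against the four checklist points (supported OS patched within 14 days of release, not jailbroken or rooted, six-digit PIN, enrolled in MDM or MAM) and skips devices that only handle calls, SMS or authenticator apps. The device records, field names and the reference date are assumptions for illustration; in practice the records would come from an MDM/MAM export.

```python
"""Check a constructed mobile-device inventory against the Cyber Essentials
mobile checklist: supported OS patched within 14 days of release, not
jailbroken/rooted, six-digit PIN (or equivalent), and managed via MDM or MAM."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14                # patches must be applied within 14 days of release
MIN_PIN_LENGTH = 6                    # minimum PIN length required
ACCEPTED_MANAGEMENT = {"MDM", "MAM"}  # policy-only ("none") does not count as a control


@dataclass(frozen=True)
class MobileDevice:
    """Hypothetical inventory record (field names are assumptions, not a vendor schema)."""
    name: str
    accesses_business_data: bool  # email, cloud services, business apps or internal systems
    os_supported: bool            # vendor still publishes security updates for this OS version
    latest_patch_released: date   # release date of the newest OS patch applicable to the device
    latest_patch_installed: bool  # whether that patch is already installed
    jailbroken_or_rooted: bool
    pin_length: int               # 0 means no PIN or passcode is set
    managed_by: str               # "MDM", "MAM" or "none"


def is_in_scope(device: MobileDevice) -> bool:
    """A device is out of scope only when used solely for calls, SMS or authenticator apps."""
    return device.accesses_business_data


def compliance_findings(device: MobileDevice, today: date) -> list[str]:
    """Return the checklist failures for one device; an empty list means compliant."""
    findings = []
    if not device.os_supported:
        findings.append("operating system no longer supported by the vendor")
    patch_age = (today - device.latest_patch_released).days
    # A missing patch is only a failure once the 14-day window has elapsed.
    if not device.latest_patch_installed and patch_age > PATCH_WINDOW_DAYS:
        findings.append(
            f"OS patch released {patch_age} days ago not installed (limit {PATCH_WINDOW_DAYS} days)"
        )
    if device.jailbroken_or_rooted:
        findings.append("device is jailbroken or rooted")
    if device.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN length {device.pin_length} is below the minimum of {MIN_PIN_LENGTH}")
    if device.managed_by not in ACCEPTED_MANAGEMENT:
        findings.append("not enrolled in MDM or MAM (written policy only)")
    return findings


def assess_inventory(devices: list[MobileDevice], today: date) -> dict[str, list[str]]:
    """Map each in-scope device name to its findings; out-of-scope devices are omitted."""
    return {d.name: compliance_findings(d, today) for d in devices if is_in_scope(d)}


# Constructed sample inventory and reference date (not real devices or real data).
TODAY = date(2026, 1, 28)
SAMPLE_INVENTORY = [
    # Company iPhone under MDM, patched three days after release: compliant.
    MobileDevice("finance-iphone", True, True, date(2026, 1, 25), True, False, 6, "MDM"),
    # BYOD Android with a 4-digit PIN, a 39-day-old missing patch and no management.
    MobileDevice("sales-byod-android", True, True, date(2025, 12, 20), False, False, 4, "none"),
    # Warehouse handset used only for calls and SMS: out of scope, so never assessed.
    MobileDevice("warehouse-calls-only", False, False, date(2025, 6, 1), False, False, 4, "none"),
    # MAM-managed iPad that is jailbroken and on an unsupported iOS; patch still inside window.
    MobileDevice("exec-ipad", True, False, date(2026, 1, 20), False, True, 6, "MAM"),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'COMPLIANT' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

The patch check deliberately distinguishes "not yet installed but still inside the 14-day window" from "overdue", so a freshly released update does not produce a false failure; the management check treats anything other than MDM or MAM enrolment as a finding, which is the post's central point about written policies.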

Mobile devices are an indispensable part of the way we work today, but they’re also a potential entry point for cybersecurity threats. Cyber Essentials can help eliminate many of these threats by ensuring organisations take control of every device that’s used to handle business data. Mobile management tools make compliance far simpler and offer stronger protection.

Cyber Tec Security specialises in helping organisations of all sizes achieve Cyber Essentials and Cyber Essentials Plus certification. Find out more by contacting our team today.