One of the most common questions we get is how to keep staff mobile devices compliant with Cyber Essentials without it becoming a headache for everyone involved. The good news is there are two practical ways to approach this:
- Mobile Device Management (MDM) software, which is a great fit for larger organisations and those with higher security demands.
- A policy-based approach ideal for smaller organisations looking for a straightforward, low-overhead solution.
This post focuses on the policy-based route, and we've put together a ready-to-use template to help you get started.
A little investment in cyber awareness training for your staff goes a long way here too. When people understand why a policy exists, they're far more likely to follow it and to recognise when something doesn't look right.
With that in mind, our template policy is designed for personally-owned devices that access your organisation's data. It gives staff clear, practical guidance to keep their devices updated and securely configured, helping protect your organisation without putting unnecessary burden on your team.
Template BYOD Mobile Device Policy
- Only apps from approved app stores may be installed.
- Only interact with organisation data using the applications explicitly permitted. These include:
- Safari Browser
- Chrome Browser
- Microsoft 365 Apps (Outlook, OneDrive, Teams, Word, Excel, PowerPoint)
- Apple Apps (Mail, Messages, Calendar, Contacts)
- Google Apps (Gmail, Calendar, Cloud Search, Contacts, Chat, Meet, Drive, Docs, Sheets, Forms, Groups, Sites, Slides, Voice)
- Rooting or jailbreaking is not permitted.
- Install all operating system and app updates as soon as possible, and certainly within 14 days of release. Turn on automatic updates where the device offers them.
- Do not override the device's default protections (e.g. by allowing installation of unknown or unsigned applications, or enabling developer/sideloading options).
- Ensure the device automatically locks when not in use.
- Unlocking must use biometrics, or a PIN, password or unlock pattern of at least 6 digits, characters or points. Note that biometric unlock always has a PIN/password fallback, so that fallback must also meet the minimum.
- Avoid downloading organisation data to the device. (Organisations with higher security demands may choose to forbid this outright.)
- Report a lost or stolen device immediately so that any currently active sessions can be terminated and the account credentials can be changed.
- As a matter of good practice:
- Ensure the device is enrolled in the vendor's lost-device tracking and remote erase/reset facility before you need it, as it is not usually possible to enable this after a device is lost. On iPhone, this means turning on 'Find My' in the iCloud settings. On Android, enable 'Find My Device' in Google's 'Find Hub'.
- Remove unused apps.
- Remove all company accounts and company data from the device when requested, or when your role comes to an end.
We hope this template gives you a solid foundation to build on when creating a policy that works for your organisation and your people. Security doesn't have to mean friction; clear, well-communicated information goes a long way towards keeping everyone on the same page.
If you have any questions or would like further guidance, we'd love to hear from you.