Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-6-2 – The cybersecurity requirements for mobile devices security and BYOD must be implemented.
Understanding the Requirement
This control requires organizations to implement a complete set of technical and administrative measures to secure mobile devices and any Bring Your Own Device (BYOD) used for work. It expects isolation and segregation of corporate data on personal devices, enforced use policies, least-privilege access, encryption of storage, remote-wipe capability, centralized management (for example via Active Directory or an MDM), secure configuration and hardening, user awareness training, and procedures to ensure compliance with relevant laws and regulations. These expectations align with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and are intended to reduce data leakage, unauthorized access, and regulatory exposure when mobile devices access or store corporate information.
Technical Implementation
- Adopt a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution: Deploy an MDM/UEM to enforce configuration baselines, push updates, require device encryption, set strong authentication, enable remote wipe, and separate corporate containers or managed profiles on BYOD devices. Choose a solution that integrates with your identity provider (Active Directory, Azure AD) for centralized policy application.
- Enforce separation of corporate data: Use containerization or managed profiles so corporate email, files, and apps are isolated from personal data. Apply encryption to the corporate container and prevent copy/paste or data sharing between corporate and personal apps. For company-owned devices, enforce full-disk encryption and hardware-backed keys where available.
- Implement least-privilege and access controls: Restrict privileged access on mobile endpoints—no administrative accounts for daily use. Enforce role-based access and conditional access policies that require device compliance (patched, encrypted, non-jailbroken) before granting access to sensitive resources.
- Secure configurations and hardening: Create and apply a hardened configuration profile for mobile OS and workstation settings (disable developer modes, block sideloading, restrict Bluetooth/file sharing, require screen lock timeouts). Use the MDM to audit and remediate non-compliant settings automatically.
- Data lifecycle and remote-wipe procedures: Define when and how organizational data is removed—on device loss, theft, or employee termination. Ensure remote wipe can remove only corporate data (selective wipe) for BYOD, and full wipe for company-owned devices. Log and verify wipe actions, and have an escalation path if remote wipe fails.
- User training, legal and process controls: Provide focused training on BYOD policies, secure use, phishing risks, and steps to report lost/stolen devices. Maintain written BYOD agreements and procedures that map to local laws and data protection requirements (e.g., consent for remote wipe, data retention rules).
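As an added illustration (not part of the ECC text and not any MDM vendor's API), the Python below shows the conditional-access and remote-wipe logic that the access-control and data-lifecycle bullets above describe: a constructed device inventory is evaluated against a compliance baseline (encrypted, screen lock, not jailbroken, patched, recently checked in), access is allowed or denied with the reasons recorded, and a wipe is planned as selective for BYOD or full for company-owned devices, with an audit entry that flags escalation when the wipe cannot be confirmed. The Device fields, the 2024-05-01 patch baseline, the three-attempt escalation limit, the reference time and the sample devices are assumptions; the 7-day check-in window follows the agency example on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not taken from the ECC text): a device must have
# checked in with the MDM within 7 days and carry at least this OS patch level.
MAX_CHECKIN_AGE = timedelta(days=7)
MIN_PATCH_LEVEL = "2024-05-01"   # ISO date string; lexicographic compare works

# Constructed reference time so the example is reproducible offline.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class Device:
    device_id: str
    owner: str
    ownership: str          # "corporate" or "byod"
    encrypted: bool         # storage / work-container encryption enabled
    screen_lock: bool       # PIN or biometric lock enforced
    jailbroken: bool        # root/jailbreak detected by the MDM agent
    patch_level: str        # OS security patch date, "YYYY-MM-DD"
    last_checkin: datetime  # last successful MDM check-in (UTC)


def compliance_gaps(device: Device, now: datetime) -> list[str]:
    """Return every reason the device fails the compliance baseline (empty = compliant)."""
    gaps = []
    if not device.encrypted:
        gaps.append("storage not encrypted")
    if not device.screen_lock:
        gaps.append("no screen lock")
    if device.jailbroken:
        gaps.append("jailbroken/rooted")
    if device.patch_level < MIN_PATCH_LEVEL:
        gaps.append(f"patch level {device.patch_level} below {MIN_PATCH_LEVEL}")
    if now - device.last_checkin > MAX_CHECKIN_AGE:
        gaps.append("no MDM check-in within 7 days")
    return gaps


def access_decision(device: Device, resource: str, now: datetime) -> str:
    """Conditional access: only a fully compliant device reaches a corporate resource."""
    gaps = compliance_gaps(device, now)
    if gaps:
        return f"deny {resource}: " + "; ".join(gaps)
    return f"allow {resource}"


def plan_wipe(device: Device, reason: str) -> dict:
    """Selective wipe (corporate container only) for BYOD, full wipe for company-owned."""
    wipe_type = "full" if device.ownership == "corporate" else "selective"
    return {"device_id": device.device_id, "wipe": wipe_type, "reason": reason}


def record_wipe_outcome(plan: dict, confirmed: bool, attempts: int,
                        max_attempts: int = 3) -> dict:
    """Audit entry for a wipe; escalate when it is still unconfirmed after max_attempts."""
    entry = dict(plan)
    entry["confirmed"] = confirmed
    entry["attempts"] = attempts
    entry["escalate"] = (not confirmed) and attempts >= max_attempts
    return entry


def sample_devices() -> dict:
    """Constructed inventory: one compliant corporate phone, one non-compliant BYOD phone."""
    return {
        "corp-phone": Device("corp-001", "alice", "corporate", True, True, False,
                             "2024-06-01", NOW - timedelta(days=1)),
        "byod-phone": Device("byod-017", "bob", "byod", True, True, True,
                             "2024-06-01", NOW - timedelta(days=10)),
    }


if __name__ == "__main__":
    devices = sample_devices()
    for name, dev in devices.items():
        print(name, "->", access_decision(dev, "mail", NOW))
    # Contractor reports the BYOD phone stolen: selective wipe, logged, escalated if unconfirmed.
    plan = plan_wipe(devices["byod-phone"], "reported stolen")
    print(record_wipe_outcome(plan, confirmed=False, attempts=3))
```

Running the block prints an allow for the corporate phone, a deny for the BYOD phone listing both gaps (jailbroken, stale check-in), and a selective-wipe audit entry with escalate set because three attempts went unconfirmed. In a real deployment the compliance signals come from the MDM agent and the decision is enforced by the identity provider's conditional access policy; the point of the example is that every denial and every wipe carries its reasons, which is what the audit trail and escalation path in the control expect.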
Example in a Small or Medium Business
A 60-employee marketing agency adopts a phased mobile security program. They select a cloud-based MDM that integrates with their Azure AD and enroll all company phones and optional BYOD users into a managed work profile. The IT manager configures a corporate profile that enforces device encryption and PIN/biometric screen locks, and restricts corporate data sharing to managed apps only. Conditional access rules block email and file access from devices that are jailbroken or that haven't checked in for updates within 7 days. HR updates employment contracts and issues a BYOD agreement requiring employees to accept selective wipe and follow acceptable-use rules. The company runs quarterly awareness sessions showing how to report a lost device and how to spot mobile phishing attempts. When an employee leaves, IT uses the MDM to remove the corporate profile and confirm no company data remains; when a contractor reports a stolen phone, IT triggers a selective remote wipe and notifies security to monitor for suspicious access. Logs from the MDM and conditional access provide audit trails for compliance and continuous improvement.
Summary
Implementing this control requires combining policy, technology, and processes: adopt centralized management (MDM/UEM and directory integration), enforce separation and encryption of corporate data, apply least-privilege access and hardened configurations, enable reliable remote wipe and lifecycle procedures, and train users while documenting BYOD agreements. Together these measures reduce data exposure on mobile devices, ensure consistent enforcement across company and personal devices, and demonstrate compliance with the Essential Cybersecurity Controls expectations for mobile and BYOD security.