Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-6-3 – The cybersecurity requirements for mobile devices security and BYOD must include at least the following:
Understanding the Requirement
This control requires SMBs to define and enforce minimum security requirements for mobile devices and bring-your-own-device (BYOD) use. In practical terms, the organisation must satisfy the sub-objectives listed as 2-6-3-1, 2-6-3-2, 2-6-3-3 and 2-6-3-4 by creating policy, operational and technical measures that cover device inventory and ownership, secure configuration and patching, access controls and authentication, and data protection including remote wipe and loss prevention. This control comes from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to reduce risk from unmanaged or poorly configured mobile devices connecting to corporate resources.
Technical Implementation
- Write a clear BYOD and mobile device policy. Specify who may enroll devices, acceptable device types and OS versions, minimum security settings (screen lock, automatic updates, encryption), and what corporate data is allowed on personal devices. Require agreement to the policy during onboarding.
- Maintain a device inventory and enrollment process. Use an automated Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to register every device that accesses corporate email or apps. Track device ownership (company-owned vs personal), OS version, last-seen time and compliance status; treat a device that has not checked in within a defined window (for example seven days) as non-compliant, and remove access for devices that are not registered.
- Enforce secure baseline configuration and patching. Configure MDM profiles to require device encryption, a strong passcode/PIN or biometric unlock, disable developer options and installation from unknown sources (side-loading) on Android, and block jailbroken/rooted devices. Root and jailbreak detection is best-effort and can be evaded by a determined user, so treat it as one compliance signal rather than a guarantee. Push OS and app updates, or deny access until devices meet the minimum patch level.
- Implement strong access controls and multi-factor authentication (MFA). Require MFA to access corporate email, VPN and cloud services from mobile devices. Combine device checks (compliance posture) with conditional access rules that restrict resources when a device is non-compliant or connects from risky networks.
- Protect corporate data with containerization and remote wipe. Use app-level containerization or Mobile Application Management (MAM) to separate corporate data from personal data; enforce data loss prevention (DLP) policies such as copy/paste restrictions and blocking unapproved cloud backups. Ensure the capability for selective or full remote wipe when a device is lost, stolen or an employee leaves. On personal devices, default to a selective wipe of the corporate container only, and state in the policy the circumstances under which a full wipe may be used, so that employees are not surprised by the loss of personal data.
- Monitor, audit and train. Enable logging for device enrollment, access attempts and policy violations. Schedule quarterly audits of device compliance and provide short, role-based training for employees on secure BYOD practices and incident reporting procedures.
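The steps above amount to one decision procedure: evaluate each enrolled device against the baseline, then let posture, MFA and network context drive conditional access, and choose the wipe mode by ownership. The script below is an added example written for this page, not code from the ECC framework or from any MDM vendor. The inventory records are constructed sample data, and the field names (enrolled, encrypted, passcode_set, rooted, last_seen, ownership) are assumptions about what an MDM/UEM export would expose; real products use their own schemas and the baseline values are illustrative.

```python
"""Device compliance and conditional-access evaluator for a BYOD baseline.

Added example for this page (not from the ECC text or any MDM product).
Field names and threshold values are assumptions; adapt them to your MDM export.
"""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 5, 3)  # fixed "now" so the example is reproducible


@dataclass(frozen=True)
class Baseline:
    """Minimum requirements from the BYOD policy (assumed values)."""
    min_os: dict = field(default_factory=lambda: {"ios": (17, 0), "android": (14, 0)})
    max_days_since_checkin: int = 7
    require_encryption: bool = True
    require_passcode: bool = True
    block_rooted: bool = True


BASELINE = Baseline()


def parse_version(text):
    """'17.4.1' -> (17, 4, 1). Non-numeric suffixes ('14.0-beta') are dropped,
    and an unparseable component becomes 0, so a malformed field fails closed."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate(device, baseline=BASELINE, today=TODAY):
    """Return the list of baseline violations; an empty list means compliant."""
    if not device.get("enrolled"):
        # Unmanaged device: none of the posture fields can be trusted, stop here.
        return ["not enrolled in MDM"]
    issues = []
    platform = device.get("platform", "").lower()
    minimum = baseline.min_os.get(platform)
    if minimum is None:
        issues.append(f"platform '{platform}' not permitted")
    elif parse_version(device.get("os_version", "0")) < minimum:
        issues.append(f"OS {device.get('os_version')} below minimum "
                      + ".".join(map(str, minimum)))
    if baseline.require_encryption and not device.get("encrypted"):
        issues.append("storage not encrypted")
    if baseline.require_passcode and not device.get("passcode_set"):
        issues.append("no passcode or biometric lock")
    if baseline.block_rooted and device.get("rooted"):
        issues.append("rooted/jailbroken")
    days = (today - date.fromisoformat(device["last_seen"])).days
    if days > baseline.max_days_since_checkin:
        issues.append(f"last check-in {days} days ago")
    return issues


def access_decision(device, request, baseline=BASELINE, today=TODAY):
    """Conditional access: device posture first, then MFA, then network.

    Returns (tier, reasons). 'limited' stands for the reduced scope (for
    example web mail only, no file sync) granted from untrusted networks."""
    issues = evaluate(device, baseline, today)
    if issues:
        return "deny", issues
    if not request.get("mfa_passed"):
        return "deny", ["MFA not satisfied"]
    if not request.get("network_trusted", False):
        return "limited", ["untrusted network"]
    return "full", []


def wipe_mode(device):
    """Personal (BYOD) devices get a selective wipe of the corporate container;
    company-owned devices may be fully wiped."""
    return "full" if device.get("ownership") == "corporate" else "selective"


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    {"id": "tab-01", "ownership": "personal", "platform": "iOS", "os_version": "17.4.1",
     "enrolled": True, "encrypted": True, "passcode_set": True, "rooted": False,
     "last_seen": "2024-05-02"},
    {"id": "phone-02", "ownership": "personal", "platform": "Android", "os_version": "12.0",
     "enrolled": True, "encrypted": True, "passcode_set": True, "rooted": True,
     "last_seen": "2024-05-01"},
    {"id": "phone-03", "ownership": "corporate", "platform": "iOS", "os_version": "17.0",
     "enrolled": True, "encrypted": True, "passcode_set": False, "rooted": False,
     "last_seen": "2024-04-01"},
    {"id": "unknown-04", "ownership": "personal", "platform": "Android", "enrolled": False},
]


if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        issues = evaluate(dev)
        tier, why = access_decision(dev, {"mfa_passed": True, "network_trusted": False})
        state = "compliant" if not issues else "NON-COMPLIANT"
        print(f"{dev['id']:<11} {state:<14} access={tier:<8} wipe={wipe_mode(dev):<9} "
              + "; ".join(issues or why))
```

The evaluator fails closed on every ambiguous input: an unenrolled device is rejected before any posture field is read, an unknown platform is a violation rather than a pass, and a malformed version string compares as 0. Running it prints one line per device with its compliance state, the access tier it would receive over an untrusted network, and the wipe mode its ownership permits.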
Example in a Small or Medium Business
Harbor Marketing, a 45-person digital agency, allowed designers to use personal tablets and phones for email and file access but needed better controls. The leadership approved a BYOD policy that required employees to enroll devices in a cloud MDM during onboarding. The IT lead configured a baseline profile enforcing device encryption, automatic OS updates, screen-lock timeout, and blocking of rooted or jailbroken devices. Conditional access rules were applied so only compliant devices could access cloud storage and email, and MFA was enforced for all remote logins. For designers who needed corporate files on personal devices, IT issued a containerized file app with DLP rules that prevented saving to personal cloud accounts and allowed selective remote wipe. When an employee resigned, IT used the MDM to deprovision the device and confirm the corporate container was wiped without affecting personal data. Quarterly checks and a short training session for staff on secure device practices reduced both incidents and support calls, and the agency documented the controls as part of their security checklist.
Summary
Combining a concise BYOD policy with technical controls—MDM/UEM enrollment, enforced secure baselines, MFA/conditional access, containerization and remote wipe—lets SMBs meet the requirements of Control 2-6-3. These measures provide inventory, configuration hygiene, access control and data protection while preserving employee flexibility. Regular monitoring, audits and user training complete the program, ensuring devices that access corporate resources remain accountable and secure.