Should you have AV on mobile devices?
From a Cyber Essentials perspective the answer is “not always”. In fact, you cannot rely on it to answer question 8.1 (Malware Protection). So what’s the answer?
The National Cyber Security Centre's Secure by Default philosophy is all about promoting platforms mitigating threats. They have a (long standing) guide on device security guidance and this is reflected in the standard.
As a result you must limit installation of applications by application allow listing.
The allow listing option means that you must have a list of approved applications which can access organisational data or services.
How can this be accomplished?
With company-owned devices, using an MDM (Mobile Device Management) solution will only permit specific applications to be installed on devices.
Now, you’re all thinking “what about Bring Your Own Device” Policies? No one wants to prevent users downloading whatever weird and wonderful game or social media platform is now occupying all their time. So what is the answer?
For personally-owned devices, Cyber Essentials is only concerned with applications which access organisational data and services. It's not possible to control what people install on their own devices, but it is possible to control what applications have access to. You must ensure that only the applications on the allow list can access data and services - for example, making sure that users can only access email using an approved application such as Apple Mail or Outlook.
