
Mobile Device Security — Canadian Baseline Control BC.8

What Mobile Device Security Means

Mobile device security encompasses the policies, technologies, and practices used to protect smartphones, tablets, and other portable devices that access business data and systems. Under the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), control BC.8 addresses the need for organizations to manage and secure mobile devices, whether organization-owned or personal devices used for work purposes.

Mobile devices present unique security challenges because they operate outside the physical perimeter of the office, connect to various networks, and can be easily lost or stolen. As Canadian businesses increasingly rely on mobile access to email, cloud services, and internal systems, securing these devices becomes a necessary component of overall cybersecurity.

This page provides educational information based on publicly available Canadian Centre for Cyber Security guidance. It is not professional cybersecurity advice. Organizations should consult qualified professionals for advice tailored to their specific circumstances.

What the Canadian Centre for Cyber Security Recommends

The CCCS Baseline Controls (ITSM.10.089) recommend that organizations establish controls for mobile devices that access organizational data. The guidance recognizes that mobile devices are a significant and growing part of the business IT environment and must be managed accordingly.

Key recommendations from the CCCS include:

  • Establish a mobile device policy that defines how mobile devices may be used to access business data, including rules for both organization-owned and personal (BYOD) devices.
  • Require device encryption so that data on the device is protected if it is lost or stolen.
  • Enable remote wipe capability to allow the organization to erase business data from a device that is lost, stolen, or when an employee departs.
  • Require screen locks and strong authentication on all devices that access business data, using PINs, passwords, or biometric authentication.
  • Keep devices updated by applying operating system and application updates promptly to address known vulnerabilities.
  • Control application installation to reduce the risk of malicious or insecure apps being installed on devices with access to business data.

Why This Matters for Canadian Businesses

Mobile devices are now a standard part of the work environment for most Canadian businesses. Employees access email, file storage, customer relationship management tools, and other business applications from their phones and tablets on a daily basis. This creates both productivity benefits and security risks.

The security concerns associated with mobile devices include:

  • Device loss and theft — Mobile devices are portable and frequently used in public settings, making them vulnerable to loss or theft. An unsecured device can give an attacker direct access to business email, files, and applications.
  • Unsecured networks — Mobile devices commonly connect to public Wi-Fi networks at cafes, airports, and hotels, where data can potentially be intercepted if connections are not properly secured.
  • Malicious applications — Apps installed from unofficial sources, or even legitimate-looking apps with hidden malicious functionality, can compromise device security and access business data.
  • Data leakage — Without controls, business data can be copied to personal cloud storage, shared via personal messaging apps, or otherwise moved outside the organization's control.
  • Privacy obligations — Under PIPEDA and provincial privacy legislation, organizations that collect personal information are responsible for protecting it regardless of which device it resides on.

How to Get Started

Implementing mobile device security does not require an enterprise mobility platform from the outset. The following steps provide a practical starting point for Canadian SMBs.

1. Assess Your Current Mobile Landscape

Understand how mobile devices are currently used in your organization. Determine which employees use mobile devices for work, whether they are company-owned or personal, and what business data and systems they can access. Our free cybersecurity assessment can help identify gaps in your mobile security posture across all 13 Baseline Controls.

2. Create a Mobile Device Policy

Document clear rules for mobile device use. A practical mobile device policy should address:

  • Which devices are permitted to access business data (company-owned, personal, or both)
  • Minimum security requirements (encryption, screen lock, OS version)
  • Rules for installing applications
  • Acceptable use of business data on mobile devices
  • The organization's right to remotely wipe business data
  • What employees must do if a device is lost or stolen
  • What happens to business data when an employee leaves the organization

3. Implement Basic Device Security Controls

Even without a formal MDM solution, you can improve mobile security immediately:

  • Require screen locks — All devices accessing business data should have a PIN, password, or biometric lock enabled.
  • Enable device encryption — Modern iOS and Android devices support full-device encryption. On most current devices, this is enabled by default when a screen lock is set.
  • Enable auto-lock — Devices should lock automatically after a short period of inactivity.
  • Enable Find My Device — Both iOS and Android include built-in capabilities to locate, lock, and erase lost devices.

4. Consider Mobile Device Management Software

For organizations with more than a handful of mobile users, an MDM solution provides centralized control over device security policies. MDM platforms allow you to:

  • Enforce security policies (encryption, password complexity, auto-lock) across all managed devices
  • Remotely wipe business data from lost or stolen devices
  • Separate business and personal data on BYOD devices using containerization
  • Control which apps can be installed
  • Push security updates and configurations
  • Monitor device compliance with your security policies

Several MDM solutions are available at price points suitable for SMBs, including cloud-based options that do not require on-premises infrastructure.

5. Address BYOD Specifically

If employees use personal devices for work, consider these additional measures:

  • Containerization — Use solutions that create a separate, encrypted container for business data on personal devices, keeping work and personal data separate.
  • Conditional access — Configure business applications (such as email and cloud services) to require devices to meet minimum security standards before granting access.
  • Clear agreements — Have employees acknowledge the organization's BYOD policy, including the right to remotely wipe business data if needed.

6. Manage Application Security

Control which applications can access business data:

  • Instruct employees to install apps only from official app stores (Apple App Store, Google Play Store)
  • Identify and approve specific apps for business use
  • Use multi-factor authentication for business applications accessed on mobile devices
  • Review app permissions to ensure they do not request excessive access to device data
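The policy items in steps 2 to 6 above, turned into an automated compliance check of the kind an MDM or conditional-access rule performs. This is an added example, not code from the CCCS guidance or from this site; the device records, policy thresholds and field names are assumptions:

```python
# Added example (not from the CCCS guidance): evaluate a constructed device
# inventory against a written mobile device policy, the way an MDM or
# conditional-access rule would. Policy thresholds below are assumed values.
from dataclasses import dataclass

POLICY = {"min_os": {"ios": (17, 0), "android": (14, 0)},
          "max_autolock_seconds": 300}

@dataclass
class Device:
    name: str
    platform: str            # "ios" or "android"
    os_version: tuple        # (major, minor)
    encrypted: bool
    screen_lock: bool
    autolock_seconds: int
    remote_wipe_enrolled: bool
    mfa_for_business_apps: bool
    sideloading_enabled: bool = False

def evaluate(d: Device, policy=POLICY) -> list[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if not d.screen_lock:
        findings.append("no screen lock")
    elif d.autolock_seconds > policy["max_autolock_seconds"]:
        findings.append("auto-lock timeout too long")
    if not d.encrypted:
        findings.append("device not encrypted")
    if d.os_version < policy["min_os"][d.platform]:
        findings.append("OS version below minimum")
    if not d.remote_wipe_enrolled:
        findings.append("remote wipe not available")
    if not d.mfa_for_business_apps:
        findings.append("MFA not enforced for business apps")
    if d.sideloading_enabled:
        findings.append("installs from unofficial sources allowed")
    return findings

def access_decisions(inventory) -> dict:
    """Conditional-access style gate: grant only devices with no findings."""
    return {d.name: "grant" if not evaluate(d) else "deny" for d in inventory}

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("ceo-iphone", "ios", (17, 4), True, True, 120, True, True),
    Device("sales-android", "android", (13, 0), True, True, 600, False, True, True),
]
```

Each finding maps back to one line of the policy, so the output doubles as the evidence list for the "monitor device compliance" item in step 4.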

Common Mistakes to Avoid

Mobile device security programs can be undermined by common oversights. Be aware of these pitfalls.

No Policy at All

Many SMBs allow mobile access to business data without any formal policy or security requirements. This creates an unmanaged risk. Even a simple, documented policy with basic requirements is significantly better than no policy.

Ignoring BYOD Realities

Prohibiting personal device use for work is often impractical for SMBs. Rather than pretending BYOD does not happen, acknowledge it and implement appropriate controls. Ignoring the reality of personal device use means having no security controls over a significant portion of your business data access.

Relying Solely on Device Passwords

A device screen lock is necessary but not sufficient. If the device is compromised or if business applications use single-factor authentication, a screen lock alone will not protect business data. Combine device security with strong authentication on business applications and services.

No Plan for Lost or Departed Devices

Organizations that do not have a process for handling lost devices or retrieving business data when employees leave are exposed to data loss and potential breaches. Establish and document these procedures before they are needed.

Forgetting to Update

Mobile operating systems and apps receive frequent security updates. Devices running outdated software are vulnerable to known exploits. Establish expectations for timely updates and use MDM tools to monitor compliance where possible. This aligns with secure configuration (BC.4) practices.

Connecting Mobile Security to Other Controls

Mobile device security intersects with several other Baseline Controls:

  • Authentication (BC.5) — Mobile devices should use strong authentication methods, and business applications accessed from mobile devices should require multi-factor authentication.
  • Secure Configuration (BC.4) — Mobile devices should be configured securely with encryption, auto-lock, and current software, following the same principles as other IT assets.
  • Access Control & Authorization (BC.12) — Access to business data from mobile devices should follow the principle of least privilege, granting only the access each employee needs for their role.

For a complete view of how all 13 Baseline Controls work together, visit the controls overview page or take the free assessment to evaluate your organization's current posture.

Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
