Security for Non-Technical Founders – A 10-Minute Read

We used to argue about whether staff should be allowed to use their own phones. The argument has moved on. Most owners have not.

The question on the table now is not ‘should staff use their own phones?’. It is ‘if a device went missing tonight, would you know, and could you wipe it?’. Most owners cannot answer either with confidence. That is the gap this blog is about.

The train scene

A recruitment consultant gets off the late train. Their laptop is in the bag they left on the seat. By the time the bag reaches lost property, one of two things is true.

In the first version, the laptop is encrypted, has a PIN, and can be remotely wiped from a web console. Whoever finds the bag has a paperweight. The owner gets a message confirming the wipe is queued. Insurance opens Monday. Nothing goes to the regulator because the data is not readable.

In the second version, none of that is true. The laptop has a four-digit Windows PIN, no encryption, three years of cached candidate emails, and eighteen CVs and a salary spreadsheet sitting in the Downloads folder. It is now a regulator-relevant event, the company is the data controller, and the next 72 hours involve a lot of phone calls.

The interesting bit is not which version is more dramatic. It is that they cost roughly the same to set up in advance. The difference is whether anyone got round to it.

Why this is a regulatory story, not an IT story

UK GDPR puts the liability on the employer, not the device. Whose phone it is does not change whose fine it is.

The cleanest precedent is still the Ealing and Hounslow Council case. Two unencrypted laptops carrying records of around 1,700 vulnerable people were stolen from a worker’s home. Both councils had encryption policies in writing. Neither had encryption configured on the actual device. Fifteen years on, the takeaway is the same. The staff handbook is not the thing that protects you. The configuration on the laptop is.

For a recruitment business carrying CVs, right-to-work documents, salary history and sometimes medical disclosure on every laptop, this is the regulatory failure mode that comes up first when an officer asks what controls you had in place. ‘We have a policy’ does not, on its own, satisfy the question. ‘We set the rule centrally and the dashboard shows every device green’ does. Per head of staff, recruiters carry more sensitive personal data than most SMEs the same size.

Intune, in five plain sentences

  • Intune pushes encryption to every device that joins, applying BitLocker on Windows, FileVault on Mac, and a screen-lock PIN on phones. The rule is set once and enforced automatically.

  • Intune runs compliance reports that show every device as green or red against the rules you set. The dashboard is the document a cyber-insurance underwriter or auditor will ask for.

  • Intune blocks non-compliant devices at sign-in, either refusing access outright or forcing them into a web-only session.

  • Intune can perform a full remote wipe from the same web console, resetting a missing laptop to factory state.

  • Intune can also perform a selective wipe, removing only company data and apps while leaving personal photos, contacts and apps untouched. This is the capability most owners have not realised exists, and it changes the BYOD conversation completely

BYOD without owning the phone

The old BYOD argument was a binary. Either the company hands out work phones to everyone, which costs real money and creates real friction, or staff use their own phones with no controls and the company carries the risk.

App protection policies give you a third option. The company does not enrol the phone, does not own it, does not see the personal apps. It only manages the work apps inside that device.

What you can enforce inside that fence: a separate PIN to open the work apps, a block on copy and paste between work apps and personal apps so a consultant cannot paste candidate data out of Outlook into WhatsApp, a block on screenshots inside the work chat app, and a selective wipe of the work data when an employee leaves or the phone goes missing, with personal photos untouched.

The combination of ‘we let staff use their own phones’ and ‘we have no app-level controls’ is the failure mode. The fix is not a corporate phone policy. It is the boring bit of configuration nobody got round to doing.

The bit that decides everything: support or repair

Most founders think they are paying for IT support. Most are paying for repair.

The difference shows up at the moment the laptop goes missing, not before. A break-fix arrangement is reactive by design. Something breaks, you call, an engineer attends, an invoice is generated. Nothing about that model has anything to say about whether your devices were encrypted at 19:48 last Tuesday. By the time the engineer is involved, the laptop is already gone.

Managed services, done properly, is a different posture. The provider is responsible for the configuration that prevents the bad version of the train scene. The work that does not generate an invoice is the work that decides what happens when a device disappears.

What to do with this on Monday morning

Three things, in order –

  • Find out, today, whether the laptops your team carry are actually encrypted. Not whether the policy says so. Whether the device has BitLocker or FileVault on, right now.
  • Find out, today, what would happen if a personal phone with cached work email went missing. Can you wipe the work data without touching the family photos? If the answer is ‘we do not know’, that is the gap.
  • Decide whether the people who look after your IT can answer questions one and two without needing to schedule a call.

If a work laptop went missing tonight, would you know?

Could you wipe it?

Let’s talk

Complete this quick form, and we'll be in touch to schedule a call at a time that suits you.
Our diverse team brings the knowledge and perspectives to provide IT solutions that are reflective of and responsive to the unique needs of your business.

CONTACT US

+44 20 7947 0345 hello@avensystech.com
Office 7
35 – 37 Ludgate Hill
London
EC4M 7JN
© Copyright 2025 Avensystech
Sitemap Privacy Policy Cookie Policy