Is anti-malware installed on every device, or just the ones IT remembered?

Here's a scenario that plays out often enough to be a pattern, not a one-off: a business has anti-malware properly installed and managed across every company laptop. What it doesn't have is anti-malware on the personal phone someone uses to check work email on the train, or the old desktop in the back office that still runs the till software, or the laptop a freelancer brought in for a three-month project and never had checked. Nothing on the main fleet ever gets infected. The infection comes in through the device nobody counted.

Cyber Essentials asks this directly under CE4 Malware Protection: is anti-malware software installed on all devices in your organisation? The word doing the work in that sentence is "all," and most businesses, when they actually map it out, find their anti-malware coverage stops at whatever they think of as the official device list, not the full set of things actually connecting to company systems and data.

Why "all devices" is a wider net than it sounds

When most people picture anti-malware coverage, they picture the laptops and desktops issued to staff. That's usually the easy part, and it's usually covered. The gaps open up around everything adjacent to that core list: personal phones used for work email, tablets used to check rotas or take payments, older machines kept around for one specific legacy task, and devices brought in by contractors or freelancers who aren't on the company's IT inventory at all.

Cyber Essentials doesn't carve out an exception for any of these. If a device can access company data, email, or systems, it falls inside the scope of this question, regardless of who owns it or how often it's used.

Why this gets missed even by businesses that take security seriously

The businesses that fail this aren't usually careless. They've bought decent anti-malware, rolled it out properly, and genuinely believe they're covered, because they're thinking in terms of "the company's devices" rather than "every device that touches company data." Bring-your-own-device habits make this worse. A staff member checking email on their personal phone feels like a minor convenience, not a new entry on the security inventory, so it never gets added to the list of things anti-malware needs to cover.

Legacy equipment causes the same problem from a different angle. A machine that's been doing one specific job for years, often without much attention, is easy to forget is still connected to anything at all.

How to actually find the gaps

Start with a genuine device inventory, not the IT asset register if that register was last updated when the business was smaller. Walk through every category: company-issued laptops and desktops, any device with access to email or cloud storage, devices used by contractors or freelancers during their engagement, and any older equipment still plugged into the network even if it feels retired in spirit. For each one, confirm anti-malware is actually installed, not assumed to be installed because it was once part of a rollout.

Where personal devices are used for work under a bring-your-own-device policy, the conversation needs to happen explicitly: either company anti-malware extends to that device, or that device doesn't get access to company systems. There's no comfortable middle ground that satisfies Cyber Essentials.

Frequently asked questions

Does this include personal phones used only occasionally for work email? Yes, if a device can access company email or data in any capacity, it falls within scope, regardless of how often it's actually used for that purpose.

What about devices that are on the network but don't store any company data themselves? Cyber Essentials' concern is about malware spreading through any connected device, so even a device with no data stored locally can still be a route in if it's network-connected and unprotected.

Do contractors and freelancers need to use anti-malware we provide, or can they use their own? Either is acceptable as long as you can confirm the protection is genuinely in place; what matters is that the device is covered, not who supplied the software.

Is free antivirus software enough to satisfy this requirement? Cyber Essentials doesn't mandate a specific product or price point, only that anti-malware is genuinely installed and functioning, though paid business-grade products typically offer centralised management that makes ongoing compliance easier to maintain.

How do we find devices that were never added to our inventory in the first place? A short staff survey asking what devices they use to access work email or systems often surfaces more than an IT audit alone, since it catches personal devices that were never formally logged anywhere.

Run a free scan of your domain and your CE Readiness checklist will walk through this and the rest of CE4 Malware Protection, ready before your assessor asks: olimpio.io/free-scan