Background
I've recently joined a rapidly growing small business (from 4 to 20 people in last 12 months) with a very DIY IT setup. It's fallen to me (I'm a developer so I just happen to be sitting nearest IT world...) to improve their security and specifically we are aiming to achieve compliance with Cyber Essentials (we are in the UK).
The general mode of operation is that every employee is on a MacOS or Windows8+ laptop (some purchased by the company, some personal devices), and all work takes place within Google Workspace. People also connect to Google Apps like Gmail on their personal phones. There is an internet connection and wireless router in the office, but not other infrastructure to speak of.
The Question
I have prepared a long list of "to-do's" for the users of these laptops which would bring them in line with Cyber Essentials requirements, but I wondered what the guidance would be on employees "self-managing" these things (with formal training, assistance and regular check-ins). There is no device management in place and everyone just uses them like their own devices.
It could make sense to recall, wipe, set up device management of some sort, and re-issue the laptops to employees - but this would be incredibly disruptive and met with much resistance so I am keen to either avoid that or make sure I am 100% sure before requesting it.
I wondered if the protections offered by Google Workspace's endpoint protection/device management would be considered sufficient, given that business data never leaves Google Workspace (and indeed the new policy would be that this act would be a HARD no for employees!). Obviously this leaves tasks like running updates, keeping security features turned on, etc up to the employee - but that's no different to a BYOD situation - right?
I would be keen to know if anyone out there has been in a similar position. I do feel like the hard way is probably the right way but any advice would go a long way to helping my argument for this with management.