Mobile devices are treated differently from laptops in most small business security programmes — usually meaning they're not treated as security assets at all. Yet a typical staff member's smartphone holds business email, calendar entries with sensitive meeting details, access to cloud services used for work, contact information for clients and colleagues, and often authentication apps that protect other accounts. The phone is, in practice, one of the most sensitive devices in the organisation.
This post covers the security controls that every small business should have in place for mobile devices used for work, whether those devices are company-owned or personal.
The Minimum Security Standards for Any Work Device
Whether a device is a company iPhone or a personal Android used for work email, the following baseline controls should be in place:
- Screen lock with a strong PIN or biometric. A device without a screen lock is a device that anyone who picks it up can access in full. A six-digit PIN is the minimum; biometric authentication (fingerprint or face recognition) combined with a strong PIN provides both convenience and security. The four-digit PINs and simple swipe patterns that many people still use are insufficient.
- Auto-lock after a short idle period. A device that stays unlocked when left on a desk provides no protection from physical access. Configure auto-lock to activate after 30 seconds to two minutes of inactivity.
- Operating system updated to the latest version. Mobile operating systems receive regular security updates. iOS devices update through Settings; Android devices vary by manufacturer. Ensure updates are applied promptly — the same 14-day window that applies to desktop systems applies here.
- Remote wipe capability enabled. Apple's Find My and Google's Find My Device both provide the ability to remotely locate and wipe a lost or stolen device. This capability must be enabled before a device is lost — it cannot be enabled after. Verify that remote wipe is configured for every device with work access.
- Encrypted storage. Modern iOS devices are encrypted by default when a passcode is set. Android devices running Android 6 or later are encrypted by default on most configurations. Verify that encryption is enabled — a device that is lost or stolen with unencrypted storage exposes all of its contents to whoever picks it up.
Application Management
Mobile apps request permissions — access to contacts, location, microphone, camera, files — that affect what information they can access. Staff should be encouraged to review and limit permissions for apps on their work devices, particularly for apps that have no legitimate reason to access sensitive resources. A basic flashlight app that requests access to contacts and microphone is requesting more than it needs and warrants removal.
Install apps only from official stores: the App Store on iOS and Google Play on Android. Third-party app stores and sideloaded APK files (Android app packages from outside the Play Store) bypass the vendor's basic security review process and are a common distribution mechanism for mobile malware.
Keep apps updated. App updates frequently include security fixes alongside feature changes. Enable automatic app updates, or set a regular schedule for manually reviewing and applying updates.
Personal vs Company Devices (BYOD)
Bring Your Own Device (BYOD) — allowing staff to use personal phones and tablets for work — is almost universal in small businesses. The security challenge is that the business has limited control over a device it doesn't own, while that device has access to business data and systems.
The minimum BYOD requirement is that any personal device accessing business email, cloud services, or applications meets the baseline security standards above: screen lock, encryption, remote wipe capability, and current OS. This should be documented in your acceptable use policy and communicated clearly to staff.
The practical mechanism for enforcing BYOD standards is Mobile Device Management (MDM). MDM software allows a business to set and enforce security policies on enrolled devices — requiring a minimum PIN length, enforcing encryption, enabling remote wipe, and in some cases separating work and personal data into isolated containers. For small businesses, Microsoft Intune (included with Microsoft 365 Business Premium) and Apple Business Manager provide MDM capabilities. Google Workspace includes basic Android and iOS MDM at no extra cost.
Implementing MDM on personal devices requires staff consent and transparency about what the management software can and cannot see. Be clear: business MDM typically cannot see personal photos, messages, or app content — it manages security settings and work data, not personal data. Explaining this accurately avoids the mistrust that arises from staff fearing their employer is reading their personal messages.
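As an added example that is not part of the original post, the two Intune compliance policies below encode the baseline from the section above (six-digit PIN, lock after two minutes idle, encryption, current OS, no installs from unknown sources) through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.DeviceManagement module, the DeviceManagementConfiguration.ReadWrite.All permission, and placeholder OS version strings; assigning the policies to groups is not shown.

```powershell
# Added example (not from the original post): Intune compliance policies for the
# baseline controls, created with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.DeviceManagement is installed and the signed-in account
# holds DeviceManagementConfiguration.ReadWrite.All. OS versions are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Intune requires at least one scheduled action per policy. 'block' with a zero grace
# period marks a device non-compliant (and blocked by Conditional Access) at once.
$blockImmediately = @(@{
    ruleName = 'PasswordRequired'
    scheduledActionConfigurations = @(@{
        actionType = 'block'; gracePeriodHours = 0
        notificationTemplateId = ''; notificationMessageCCList = @()
    })
})

# iOS: numeric passcode of at least six digits, no simple sequences (1234, 0000),
# auto-lock after two minutes, jailbroken devices blocked. Storage encryption on iOS
# follows automatically from the passcode requirement.
$iosPolicy = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'Baseline - iOS'
    passcodeRequired                      = $true
    passcodeMinimumLength                 = 6
    passcodeRequiredType                  = 'numeric'
    passcodeBlockSimple                   = $true
    passcodeMinutesOfInactivityBeforeLock = 2
    osMinimumVersion                      = '<CURRENT-IOS-VERSION>'   # placeholder
    securityBlockJailbrokenDevices        = $true
    scheduledActionsForRule               = $blockImmediately
}

# Android (device administrator type; work profiles use the same property names on
# androidWorkProfileCompliancePolicy): same PIN rules, encryption required, and a
# block on installs from unknown sources, which is how sideloaded APKs arrive.
$androidPolicy = @{
    '@odata.type'                                = '#microsoft.graph.androidCompliancePolicy'
    displayName                                  = 'Baseline - Android'
    passwordRequired                             = $true
    passwordMinimumLength                        = 6
    passwordRequiredType                         = 'numeric'
    passwordMinutesOfInactivityBeforeLock        = 2
    storageRequireEncryption                     = $true
    securityPreventInstallAppsFromUnknownSources = $true
    securityBlockJailbrokenDevices               = $true
    osMinimumVersion                             = '<CURRENT-ANDROID-VERSION>'   # placeholder
    scheduledActionsForRule                      = $blockImmediately
}

foreach ($policy in @($iosPolicy, $androidPolicy)) {
    New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy |
        Select-Object DisplayName, Id
}
```

Pair the policies with a Conditional Access rule that requires a compliant device for Microsoft 365 access, otherwise a failing device is reported but not blocked.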
What to Do When a Device Is Lost or Stolen
The response process for a lost or stolen device should be defined in advance, not improvised at the moment it happens. The immediate priorities are:
1. Remotely lock the device immediately via Apple Find My, Google Find My Device, or your MDM console.
2. Remotely wipe the device if recovery seems unlikely.
3. Revoke access tokens for any business services the device was authenticated to — Microsoft 365, Google Workspace, cloud applications — by forcing a sign-out of all sessions through the admin console.
4. Change any passwords that were stored on the device in a browser or app not protected by the MDM container.
5. Report the loss to your IT provider so they can review logs for any unusual activity from the device prior to its loss.
The ability to execute steps 1–3 depends on the remote wipe and session revocation being configured before the device is lost. This is the core reason for maintaining an up-to-date asset inventory that includes mobile devices: you need to know what access a device had before you can revoke it.
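The script below is an added example, not part of the original post, running steps 1 to 3 against Microsoft 365 and Intune with the Microsoft Graph PowerShell SDK. It assumes the device is Intune-enrolled under the user's account, that the operator holds the DeviceManagementManagedDevices.PrivilegedOperations.All and User.ReadWrite.All permissions, and that the device name matches the asset inventory; the Google Workspace equivalents are run from the Admin console.

```powershell
# Added example (not from the original post): lost-device response, steps 1-3, for
# a Microsoft 365 tenant with Intune. Assumes Microsoft.Graph.DeviceManagement and
# Microsoft.Graph.Users.Actions are installed and the operator holds
# DeviceManagementManagedDevices.PrivilegedOperations.All and User.ReadWrite.All.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # owner of the lost device
    [Parameter(Mandatory)] [string] $DeviceName,         # name from the asset inventory
    [switch] $Wipe                                       # only when recovery is unlikely
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'User.ReadWrite.All'
$ts = Get-Date -Format 'u'

# The inventory lookup. A device that was never enrolled cannot be locked or wiped
# remotely; only the session revocation below still applies to it.
$device = Get-MgDeviceManagementManagedDevice `
              -Filter "userPrincipalName eq '$UserPrincipalName'" |
          Where-Object DeviceName -eq $DeviceName

if ($device) {
    # Step 1: remote lock. Reversible, so it is the right first action while the
    # device might still be recovered.
    Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $device.Id
    "$ts lock requested for $($device.DeviceName) ($($device.Id))"

    # Step 2: remote wipe, only on explicit request. Irreversible; the device
    # must check in once more for the command to take effect.
    if ($Wipe) {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $device.Id
        "$ts wipe requested for $($device.DeviceName)"
    }
} else {
    Write-Warning "No enrolled device '$DeviceName' for $UserPrincipalName; lock and wipe skipped."
}

# Step 3: invalidate every refresh token and session cookie issued to the account,
# so cached mail, Teams and browser sign-ins on the phone fail at their next refresh.
Revoke-MgUserSignInSession -UserId $UserPrincipalName
"$ts sign-in sessions revoked for $UserPrincipalName"
```

Record the timestamps the script prints in the incident note: they give your IT provider the window to search in sign-in logs for step 5.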
Mobile Devices, Managed and Monitored
SOC in a Box integrates with Microsoft 365 and Google Workspace, monitoring sign-in activity from mobile devices alongside desktop endpoints. Unusual authentication — a device sign-in from an unexpected country, a new device accessing your email — is visible to your named analyst in real time, providing early warning of account compromise via a stolen or cloned device.