
Mobile Device Security for Business: Protecting Work Phones

Business mobile devices carry email, contacts, authentication apps and corporate data. Effective mobile security requires MDM policies, encryption, application controls and a clear BYOD policy — treating phones as managed business assets, not personal accessories.


Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

Why mobile security is often overlooked

Laptops and desktops receive significant attention in most business security programmes — endpoint protection, patch management, encryption. Mobile devices often receive far less. Yet a modern smartphone carries the employee's email account, authentication apps, corporate contacts, document access, and often direct access to finance systems and CRM platforms. In many respects it is a more sensitive device than the laptop, because it also contains personal data and is more likely to be lost or stolen.

The UK National Cyber Security Centre identifies lost and stolen devices as one of the most common causes of personal data breaches. A smartphone without a PIN, without encryption, and without the ability to be remotely wiped is a significant liability for any business subject to UK GDPR.

The mobile threat landscape

Mobile devices face several distinct categories of threat:

  • Physical loss and theft: The most common mobile incident. A device left in a taxi or stolen from a coffee shop table is a direct data exposure risk if it is not secured and encrypted.
  • Malicious applications: Apps downloaded outside official stores, or legitimate-looking apps with embedded malware, can exfiltrate data, log keystrokes, or provide remote access.
  • Phishing via SMS and messaging apps: Smishing (SMS phishing) is increasingly used to deliver credential-theft links, often bypassing email security controls entirely.
  • Unsecured Wi-Fi: On an open or attacker-controlled access point, anything not encrypted at the application layer can be read or altered in transit. HTTPS protects the content of most web and app traffic, but a hostile network still sees DNS lookups and destination hosts, and apps that use plain HTTP or fail to validate TLS certificates remain exposed. A per-app or always-on VPN profile pushed by MDM narrows this further on managed devices.
  • SIM swap attacks: Criminals convince mobile network operators to transfer a target's phone number to a SIM card they control, intercepting SMS authentication codes and bypassing SMS-based MFA.

Mobile Device Management (MDM)

Mobile Device Management is the foundation of a managed mobile security programme. MDM platforms such as Microsoft Intune, Jamf and Omnissa Workspace ONE (formerly VMware) allow IT administrators to:

  • Enforce PIN, passcode or biometric authentication requirements
  • Enable and verify full-device encryption
  • Configure managed email, calendar and app access
  • Enforce application allow/block policies
  • Remotely lock or wipe a device that is lost, stolen or used by a departing employee
  • Monitor compliance status and report on devices that are out of policy

Microsoft Intune is included in Microsoft 365 Business Premium and manages both iOS and Android devices. For organisations already in the Microsoft 365 ecosystem, Intune is typically the most cost-effective MDM choice.
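The compliance reporting described above comes down to evaluating each device's last reported state against a baseline. The following Python script is an added example, not code from the original article or from any MDM vendor: it defines a constructed baseline (the OS minimums and the seven-day check-in limit are illustrative, not Intune defaults), runs a constructed inventory export through it, and lists the devices that are out of policy. Note the numeric version comparison; comparing version strings lexically would rank "9.2" above "17.4".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    """Constructed baseline; thresholds are illustrative, not Intune defaults."""
    min_os: dict = field(default_factory=lambda: {"ios": "17.0", "android": "13"})
    require_passcode: bool = True
    require_encryption: bool = True
    block_jailbroken: bool = True
    max_checkin_age_days: int = 7   # a device that has gone quiet cannot be assumed compliant


def parse_version(version: str) -> tuple:
    """Compare versions numerically per component; as strings, "9.2" sorts above "17.4"."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def evaluate(device: dict, policy: Policy, now: datetime) -> list:
    """Return the policy breaches for one device record (an empty list means compliant)."""
    issues = []
    minimum = policy.min_os[device["platform"]]
    if parse_version(device["os_version"]) < parse_version(minimum):
        issues.append(f"os {device['os_version']} below minimum {minimum}")
    if policy.require_passcode and not device["passcode_set"]:
        issues.append("no passcode")
    if policy.require_encryption and not device["encrypted"]:
        issues.append("storage not encrypted")
    if policy.block_jailbroken and device["jailbroken"]:
        issues.append("jailbroken or rooted")
    # Compliance is only as fresh as the last check-in; stale devices are flagged, not trusted.
    age = now - datetime.fromisoformat(device["last_checkin"])
    if age > timedelta(days=policy.max_checkin_age_days):
        issues.append(f"no check-in for {age.days} days")
    return issues


def report(inventory: list, policy: Policy, now: datetime) -> dict:
    """Map device id -> list of breaches for the whole inventory."""
    return {d["id"]: evaluate(d, policy, now) for d in inventory}


def noncompliant(inventory: list, policy: Policy, now: datetime) -> list:
    """Sorted ids of devices with at least one breach: the set an access policy would block."""
    return sorted(i for i, issues in report(inventory, policy, now).items() if issues)


# Constructed inventory export in the shape an MDM compliance report might use (not real devices).
NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "ip-0412", "platform": "ios", "os_version": "17.4", "passcode_set": True,
     "encrypted": True, "jailbroken": False, "last_checkin": "2026-03-09T08:00:00+00:00"},
    {"id": "an-0207", "platform": "android", "os_version": "12", "passcode_set": False,
     "encrypted": True, "jailbroken": False, "last_checkin": "2026-03-08T17:30:00+00:00"},
    {"id": "an-0311", "platform": "android", "os_version": "14", "passcode_set": True,
     "encrypted": False, "jailbroken": True, "last_checkin": "2026-03-09T22:15:00+00:00"},
    {"id": "ip-0199", "platform": "ios", "os_version": "18.0", "passcode_set": True,
     "encrypted": True, "jailbroken": False, "last_checkin": "2026-02-18T00:00:00+00:00"},
]

if __name__ == "__main__":
    for device_id, issues in report(INVENTORY, Policy(), NOW).items():
        print(device_id, "COMPLIANT" if not issues else "; ".join(issues))
```

In Intune the compliant or non-compliant state of each device feeds Entra Conditional Access, so a device that fails a check like this can be blocked from mail and SharePoint until it is brought back into policy; the stale check-in rule matters because a phone that stopped reporting weeks ago may already be lost.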

Corporate-owned vs BYOD

The decision between issuing corporate-owned devices and permitting BYOD has both security and cultural dimensions. Corporate-owned devices can be fully managed — the IT team controls the configuration, the applications, and the security policies without compromise. BYOD reduces hardware costs but creates a hybrid device that contains both personal and corporate data, which complicates both security management and employee privacy.

Intune and similar MDM platforms support a middle ground. On a personal Android device, Android Enterprise creates a separate work profile: corporate apps, accounts and data live in that profile, corporate policies apply only there, and the IT team can wipe the work profile without touching the employee's personal apps, photos or messages. On a personal iPhone the counterpart is Apple's User Enrollment, which keeps managed data separate from personal data and limits what the organisation can see and erase; Intune app protection policies go a step further and can selectively wipe corporate data from apps such as Outlook and Teams without enrolling the device at all. Supervised mode, by contrast, is for corporate-owned iOS devices and gives the IT team full control. Used appropriately, these options respect employee privacy whilst maintaining security over corporate data.

Secure mobile authentication

SMS-based authentication codes, where a six-digit code is sent by text message, are better than no MFA, but are vulnerable to SIM swap attacks and interception. For business use, an authenticator app (Microsoft Authenticator, Google Authenticator) or a hardware token provides stronger MFA that does not depend on the phone number: the one-time code is computed on the device from a secret shared at enrolment and the current time, so an attacker who takes over the number receives nothing useful. A code typed into a login page can still be captured and replayed in real time by a phishing site, however, so authenticator apps raise the bar without removing phishing as a risk.

Phishing-resistant MFA — FIDO2 passkeys or certificate-based authentication — represents the strongest available option and is increasingly supported by mobile operating systems and enterprise applications. For the majority of UK SMEs, an authenticator app is a proportionate and significant improvement over SMS codes.

Mobile device policy

Technical controls work best when supported by a clear mobile device policy that covers: acceptable use of corporate mobile devices, requirements for personal devices used for work, procedures for reporting a lost or stolen device, and the basis on which the IT team can access or wipe a device. Employees should understand and sign the policy before accessing corporate resources from mobile devices.

AMVIA provides business mobile services — including device procurement, MDM configuration with Microsoft Intune, and managed support — ensuring that mobile devices are secured to the same standard as the rest of the business IT estate.
