
The Complete Guide to Mobile Device Security for Business

Mobile devices have become the backbone of modern business operations across the United Kingdom. From checking emails on the morning commute to approving invoices from a client site, your team relies on smartphones and tablets for critical work tasks every single day. But this convenience comes with a significant security challenge that many UK businesses are failing to address adequately.

The shift to hybrid and remote working patterns — accelerated by the pandemic and now firmly embedded in British workplace culture — has dramatically expanded the attack surface for cybercriminals. Every mobile device that connects to your corporate data represents a potential entry point for threat actors, and the statistics paint a concerning picture for organisations of all sizes.

60% of cyber attacks now target mobile endpoints, according to NCSC research
67% of UK employees use personal devices for work tasks
£3.4M is the average cost of a mobile-related data breach in the UK

This guide provides a comprehensive overview of mobile device security for UK businesses. Whether you have ten employees or ten thousand, the principles and practices outlined here will help you build a robust mobile security strategy that protects your data without crippling productivity.

Why Mobile Device Security Matters More Than Ever

The days when business data lived exclusively on desktop computers behind a corporate firewall are long gone. Today, the average UK knowledge worker uses at least two mobile devices for work purposes. These devices access email, cloud storage, CRM systems, financial applications, and sensitive client data — often over unsecured public Wi-Fi networks in coffee shops, trains, and hotel lobbies.

The UK's National Cyber Security Centre (NCSC) has repeatedly warned that mobile devices represent one of the most significant and growing threat vectors for British businesses. Their guidance specifically highlights the risks of unmanaged devices accessing corporate resources, noting that many organisations lack even basic visibility into what mobile devices are connecting to their systems.

Under the UK GDPR and the Data Protection Act 2018, your organisation has a legal obligation to implement appropriate technical and organisational measures to protect personal data. If an employee's unsecured phone is compromised and customer data is exfiltrated, the Information Commissioner's Office (ICO) will want to know what mobile security measures you had in place. Fines for serious breaches can reach up to £17.5 million or 4% of annual global turnover — whichever is higher.

The Mobile Threat Landscape in the UK

Understanding the threats your mobile devices face is the first step toward building effective defences. The mobile threat landscape has evolved significantly in recent years, and UK businesses face a sophisticated and varied range of attacks.

Phishing and smishing attacks remain the most common mobile threat. Cybercriminals send carefully crafted text messages and emails designed to trick users into revealing credentials or installing malware. Mobile screens make it harder to spot suspicious URLs, and the immediacy of mobile notifications means users are more likely to tap before thinking. NCSC data shows that mobile phishing success rates are approximately three times higher than desktop phishing attempts.

Malicious applications continue to slip through app store review processes. While both Apple and Google have improved their vetting, determined attackers regularly publish apps that appear legitimate but carry hidden malware. Google reports that it prevented 2.36 million policy-violating apps from being published on the Play Store in 2024; the ones that do get through are often downloaded thousands of times before they are detected and removed.

Man-in-the-middle attacks exploit unsecured Wi-Fi connections. When employees connect to public networks without VPN protection, attackers can intercept data in transit, capture login credentials, and even inject malicious content into legitimate web traffic. This is particularly concerning for UK business travellers who rely on hotel and airport Wi-Fi.

Device theft and loss remains a persistent physical security threat. The Metropolitan Police estimates that over 300 mobile phones are stolen every day in London alone. If a stolen device lacks proper encryption and access controls, the thief gains immediate access to every corporate resource configured on that device.

Share of mobile threats by category:

Phishing and smishing: 47%
Malicious applications: 23%
Network-based attacks: 16%
Device theft or loss: 9%
OS and app vulnerabilities: 5%

Mobile Device Management: The Foundation of Mobile Security

Mobile Device Management (MDM) is the cornerstone technology for securing business mobile devices. An MDM solution gives your IT team centralised control over every device that accesses corporate data, enabling you to enforce security policies, deploy applications, and respond to incidents remotely.

Microsoft Intune is the most widely adopted MDM platform among UK businesses, particularly those already invested in the Microsoft 365 ecosystem. Intune integrates with Microsoft Entra ID (formerly Azure Active Directory), Exchange Online, and Microsoft Defender for Endpoint, providing a unified security management experience. It supports iOS, Android, Windows, and macOS devices, making it suitable for mixed-platform environments.

For organisations that prefer alternatives, Omnissa Workspace ONE (formerly VMware Workspace ONE), Jamf Pro (for Apple-focused environments), and Ivanti Endpoint Manager Mobile (formerly MobileIron) are all established solutions with strong track records in UK enterprise deployments.

NCSC Recommendation

The National Cyber Security Centre recommends that all organisations implement MDM as a baseline security control for mobile devices. Their Mobile Device Guidance specifically states that devices accessing sensitive data should be managed through a centralised MDM solution with enforced security policies, automatic updates, and remote wipe capability.

Key MDM capabilities you should be using include device enrolment and provisioning, which automates the setup of new devices with correct security configurations; policy enforcement, which ensures devices meet minimum security requirements before accessing corporate data; application management, which controls what apps can be installed and how corporate apps behave; and remote wipe, which enables you to erase corporate data from lost or stolen devices.

BYOD vs Corporate-Owned Devices

One of the most important strategic decisions in mobile security is whether to issue corporate-owned devices, allow employees to use their personal devices through a Bring Your Own Device (BYOD) programme, or adopt a hybrid approach. Each model has distinct security implications, cost considerations, and employee experience trade-offs.

Criterion | BYOD (personal devices for work) | Corporate-owned (company-issued and managed)
Hardware cost | £0 per device | £300–£1,200 per device
IT control level | Limited | Full
Employee satisfaction | Higher | Moderate
Security risk | Higher | Lower
Data separation | App-level only | Full device
Privacy concerns | Significant | Minimal

Many UK businesses opt for a hybrid approach, issuing corporate devices to employees who handle sensitive data (finance teams, senior management, HR) while offering a managed BYOD option for staff with lower-risk access requirements. Microsoft Intune supports both models through its device enrolment types — full device management for corporate-owned devices and app-level management (MAM without enrolment) for BYOD scenarios.

Essential Mobile Security Policies

Technology alone cannot secure your mobile estate. You need clear, enforceable policies that set expectations for how employees use mobile devices and what happens when those expectations are not met. Your mobile security policy should be reviewed annually and form part of your broader information security management system.

Policy area | Minimum requirement | Best practice
Screen lock | 6-digit PIN | Biometric unlock on top of an alphanumeric passcode
Auto-lock timeout | 5 minutes | 2 minutes or less
Device encryption | Enabled (default on modern devices) | Verified via MDM compliance policy
OS updates | Within 14 days of release | Within 48 hours for critical patches
App installation | Official stores only | Managed app catalogue via MDM
VPN usage | Required on public Wi-Fi | Always-on VPN for all connections
Jailbreak/root detection | Block access to corporate data if detected | Automatic selective wipe of corporate data if detected; a full device wipe only on corporate-owned devices, never on a personal one
Wipe | Remote wipe available to IT on request | Device erases itself after 10 failed passcode attempts, enforced through MDM rather than left to the user
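The table above is only as good as its enforcement. As an added example (not code from the original article or from Microsoft), the script below encodes the "best practice" column as an Intune iOS compliance policy through Microsoft Graph, assigns it to a group, and then runs the check a practitioner actually wants: which managed devices currently fail. It assumes the Microsoft.Graph PowerShell SDK and an administrator holding the Intune configuration and managed-device read permissions; the group ID and the minimum OS version are placeholders to replace for your tenant.

```powershell
# Added example: Intune iOS compliance policy via Microsoft Graph (not the article's own code).
# Assumes: Install-Module Microsoft.Graph; admin with DeviceManagementConfiguration.ReadWrite.All
# and DeviceManagementManagedDevices.Read.All. $targetGroupId and osMinimumVersion are placeholders.

$targetGroupId = "00000000-0000-0000-0000-000000000000"   # ASSUMPTION: Entra group of corporate iOS users
$graph = "https://graph.microsoft.com/v1.0"

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All" -NoWelcome

$policy = @{
    "@odata.type"                                  = "#microsoft.graph.iosCompliancePolicy"
    displayName                                    = "Mobile baseline - iOS"
    description                                    = "Screen lock, auto-lock, jailbreak block, minimum OS"
    passcodeRequired                               = $true
    passcodeRequiredType                           = "alphanumeric"  # biometrics unlock on top of this, never instead of it
    passcodeMinimumLength                          = 8
    passcodeBlockSimple                            = $true
    passcodeMinutesOfInactivityBeforeScreenTimeout = 2               # "2 minutes or less"
    passcodeMinutesOfInactivityBeforeLock          = 0               # passcode needed as soon as the screen locks
    securityBlockJailbrokenDevices                 = $true           # jailbreak detection
    osMinimumVersion                               = "17.0"          # ASSUMPTION: your supported floor; raise it each release
    # On iOS, data protection (encryption) is active whenever a passcode is set, so the passcode rule
    # is the encryption check. Android compliance policies carry an explicit storageRequireEncryption.
    # Actions on failure: block at once (Conditional Access reads this state), then retire the device
    # (remove corporate data, keep personal data) if still non-compliant after 7 days.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block";  gracePeriodHours = 0;   notificationTemplateId = ""; notificationMessageCCList = @() },
                @{ actionType = "retire"; gracePeriodHours = 168; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# A compliance policy with no assignment evaluates nothing, so assign it to the group.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json" | Out-Null

# The check: which managed devices currently fail any compliance policy?
$nonCompliant = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,userPrincipalName,operatingSystem,osVersion,lastSyncDateTime"
$nonCompliant.value | Format-Table deviceName, userPrincipalName, operatingSystem, osVersion, lastSyncDateTime
```

The retire action rather than a wipe is deliberate: a personal device that fails compliance loses the corporate profile and apps, not the owner's photos. Note that the compliance state only changes when the device next checks in with Intune, so the non-compliant list lags a newly assigned policy by up to a sync interval.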

Securing Mobile Email and Productivity Apps

Email remains the primary business communication channel and the most targeted attack vector on mobile devices. Securing mobile email access requires a layered approach that combines technical controls with user awareness.

Microsoft Defender for Office 365 provides advanced threat protection for mobile email, scanning attachments (Safe Attachments) and checking links at click time (Safe Links) before malicious content reaches the user. When combined with Intune's app protection policies, you can ensure that corporate email is only accessible through approved apps (such as Outlook for iOS and Android) and that email data cannot be copied to personal apps or cloud storage services.

Conditional Access policies in Microsoft Entra ID (formerly Azure Active Directory) enable you to require specific security conditions before granting access to corporate resources. For example, you can require that a device is enrolled in Intune and marked compliant, running a supported OS version, and free from threats reported by your mobile threat defence tool before it can access Exchange Online. This means that even if an employee's credentials are phished, the attacker cannot sign in to email from an unmanaged or non-compliant device. The same policy set should also block legacy authentication protocols, which carry neither device state nor MFA claims and would otherwise bypass these checks.

Multi-factor authentication (MFA) is non-negotiable for mobile device access to corporate resources. The NCSC strongly recommends MFA for all cloud services, and the Cyber Essentials scheme (at both levels) requires it for accounts on cloud services wherever the service supports it. The Microsoft Authenticator app with number matching is a solid baseline; hardware security keys such as YubiKeys and FIDO2 passkeys go further by being phishing-resistant, and all of these work well on mobile devices.
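The Conditional Access and MFA requirements above translate into three policies. As an added example (not code from the original article or from Microsoft), the script below creates them through Microsoft Graph: corporate Microsoft 365 resources on iOS and Android are reachable only from a compliant (Intune-enrolled) device or from an app under an app protection policy, which covers both the corporate-owned and the BYOD model; MFA applies to every user on every cloud app; and legacy authentication is blocked. It assumes the Microsoft.Graph PowerShell SDK and an administrator who can write Conditional Access policies; the break-glass group ID is a placeholder for your emergency-access accounts, which every policy must exclude.

```powershell
# Added example: three Conditional Access policies via Microsoft Graph (not the article's own code).
# Assumes: Microsoft.Graph SDK; admin able to write Conditional Access. $breakGlassGroupId is a placeholder.

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # ASSUMPTION: group holding emergency-access accounts
$graph = "https://graph.microsoft.com/v1.0"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome

function New-CaPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Every new policy starts in report-only mode; flip state to "enabled" after reviewing the
    # sign-in log impact, so a typo does not lock the whole company out of email.
    $Policy.state = "enabledForReportingButNotEnforced"
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($Policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# Policy 1: Office 365 (Exchange Online, SharePoint, Teams) on mobile requires EITHER a compliant
# device (corporate-owned, enrolled) OR an app protected by MAM (BYOD). "Office365" is the
# built-in application group identifier accepted by the Graph API.
New-CaPolicy -Policy @{
    displayName = "CA01 - Mobile: compliant device or protected app for Office 365"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
}

# Policy 2: MFA for all users on all cloud apps, so a phished password alone is not enough.
New-CaPolicy -Policy @{
    displayName = "CA02 - Require MFA for all users"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 3: block legacy authentication (basic auth, old ActiveSync clients). Without this,
# policies 1 and 2 can be side-stepped by a client that never presents device state or MFA.
New-CaPolicy -Policy @{
    displayName = "CA03 - Block legacy authentication"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# The check: what now exists, and which policies are still report-only.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies").value |
    Select-Object displayName, state | Format-Table
```

Leave the policies in report-only mode for at least a week and review the sign-in log entries tagged with them: any user or service account that would have been blocked shows up there before anyone is actually locked out.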

Mobile Application Security

The applications installed on employee devices represent both productivity enablers and potential security risks. A robust mobile application security strategy addresses which apps can be installed, how corporate data within apps is protected, and how you respond when a vulnerable app is discovered.

App vetting and whitelisting ensures that only approved applications can be installed on managed devices. With Microsoft Intune, you can deploy a curated app catalogue through the Company Portal, making it easy for employees to find and install approved tools. You can also block specific apps known to be insecure or inappropriate for business use.

App protection policies (also known as MAM policies) create a secure container around corporate data within applications. These policies can prevent users from copying corporate data to personal apps, require a PIN to access managed apps, encrypt app data at rest, and selectively wipe corporate data when an employee leaves the organisation — all without affecting personal content on the device.
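As an added example (not code from the original article or from Microsoft), the script below builds an iOS app protection policy through Microsoft Graph that matches the controls just described: corporate data can only move between managed apps, copy-out to personal apps is blocked, an app PIN is required, app data is encrypted, jailbroken devices are refused, and the app wipes its own corporate data after a long period offline. It then targets the policy at Outlook, OneDrive and Teams and assigns it to a BYOD group. Nothing here requires device enrolment (MAM without enrolment). It assumes the Microsoft.Graph PowerShell SDK; the group ID is a placeholder, and the bundle identifiers are the published ones for the Microsoft apps.

```powershell
# Added example: iOS app protection (MAM) policy via Microsoft Graph (not the article's own code).
# Assumes: Microsoft.Graph SDK; admin with DeviceManagementApps.ReadWrite.All. $byodGroupId is a placeholder.

$byodGroupId = "00000000-0000-0000-0000-000000000000"   # ASSUMPTION: Entra group of BYOD users
$graph = "https://graph.microsoft.com/v1.0"

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$mam = @{
    displayName                             = "MAM - iOS Microsoft 365 apps (BYOD, no enrolment)"
    description                             = "Corporate data stays inside managed apps"
    # Data transfer: only other managed apps may send data to, or receive data from, these apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"   # paste in allowed, copy out blocked
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # no "Save to iCloud Drive"
    dataBackupBlocked                       = $true     # keep corporate data out of iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true     # links open in Edge, which is itself MAM-managed
    managedBrowser                          = "microsoftEdge"
    # Access requirements
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5         # after this the app's corporate data is wiped
    fingerprintBlocked                      = $false    # Touch ID / Face ID may stand in for the PIN
    faceIdBlocked                           = $false
    disableAppPinIfDevicePinIsSet           = $false    # keep the app PIN even when a device passcode exists
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"    # selective wipe after 90 days without contacting the service
    deviceComplianceRequired                = $true     # jailbroken device -> access blocked
    appDataEncryptionType                   = "whenDeviceLocked"
}

$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($mam | ConvertTo-Json -Depth 10) -ContentType "application/json"
$id = $created.id

# Target the apps the policy applies to; an untargeted policy protects nothing.
$targets = @{
    apps = @(
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } },
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$id/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign to the BYOD group
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$id/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

The policy only takes effect once the user signs in to a targeted app with a work account, and it works best alongside a Conditional Access rule that requires an app protection policy: without that rule, a user can still open corporate mail in the built-in iOS Mail app, where none of these controls apply.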

Common Mistake to Avoid

Many UK businesses focus exclusively on securing corporate-issued apps but overlook the risks from shadow IT — employees using unapproved apps and cloud services for work tasks. A Cloud Access Security Broker (CASB) such as Microsoft Defender for Cloud Apps can help identify and control shadow IT usage across your mobile estate.

Network Security for Mobile Devices

Mobile devices frequently connect to networks outside your organisation's control, making network security a critical component of your mobile security strategy. The risks range from passive eavesdropping on public Wi-Fi to sophisticated man-in-the-middle attacks that can intercept encrypted communications.

A corporate VPN should be mandatory for all mobile devices when connecting to untrusted networks. Clients such as Cisco Secure Client (formerly AnyConnect), Palo Alto GlobalProtect, and Microsoft Tunnel (Intune's own VPN gateway) can be configured through Intune VPN profiles for always-on operation, so the device establishes a secure tunnel whenever it joins a network, with no user intervention required.

DNS filtering provides an additional layer of network protection by blocking connections to known malicious domains. Cisco Umbrella works at the DNS level; Microsoft Defender for Endpoint on iOS and Android delivers comparable web protection through a local VPN on the device that checks requested URLs against Microsoft's threat intelligence. Either way, mobile devices are prevented from reaching phishing sites, malware distribution points, and command-and-control servers, regardless of the network they are using.

For organisations with particularly sensitive data, per-app VPN configurations can route only corporate app traffic through the VPN while allowing personal traffic to use the standard internet connection. This improves performance and reduces bandwidth costs while ensuring that sensitive data is always encrypted in transit.

Responding to Mobile Security Incidents

Despite your best preventive measures, mobile security incidents will occur. Having a well-defined incident response plan that specifically addresses mobile device scenarios is essential for minimising damage and meeting your regulatory obligations under UK GDPR.

Your mobile incident response plan should cover several key scenarios. Lost or stolen devices should trigger an immediate remote lock followed by a remote wipe (or, for a personal device, a retire that removes corporate data only) if the device is not recovered within a defined timeframe (typically 24 hours). Suspected malware infection should trigger isolation of the device from corporate resources, forensic analysis, and a full wipe and re-enrolment. Compromised credentials should trigger an immediate password reset, revocation of existing sessions, MFA re-registration, and a review of recent sign-in logs for signs of unauthorised activity.
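As an added example (not code from the original article or from Microsoft), the two runbook functions below implement the lost-device and compromised-credential responses through Microsoft Graph: lock now, then wipe or retire; and reset the password, revoke every session, clear Authenticator registrations, and pull the last week of sign-ins for review. The same retire and revoke calls are the core of a leaver offboarding script. It assumes the Microsoft.Graph PowerShell SDK and an administrator holding the Intune privileged-operations, User Administrator and sign-in log read permissions; device IDs and user names in the usage lines are placeholders.

```powershell
# Added example: mobile incident response runbooks via Microsoft Graph (not the article's own code).
# Assumes: Microsoft.Graph SDK; admin with the Intune, User Administrator and audit log read roles.

$graph = "https://graph.microsoft.com/v1.0"
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "DeviceManagementManagedDevices.Read.All", "Directory.AccessAsUser.All",
                        "User.RevokeSessions.All", "UserAuthenticationMethod.ReadWrite.All",
                        "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

function Invoke-LostDeviceResponse {
    param(
        [Parameter(Mandatory)][string]$ManagedDeviceId,   # Intune managed device ID, not the Entra device ID
        [ValidateSet("LockOnly", "Retire", "Wipe")][string]$Action = "LockOnly"
    )
    $device = "$graph/deviceManagement/managedDevices/$ManagedDeviceId"
    # Hour zero: lock the screen so an unlocked device in a thief's hand stops being useful.
    Invoke-MgGraphRequest -Method POST -Uri "$device/remoteLock"
    switch ($Action) {
        # Corporate-owned and not recovered within the agreed window: full factory reset.
        "Wipe"   { Invoke-MgGraphRequest -Method POST -Uri "$device/wipe" -ContentType "application/json" `
                       -Body (@{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json) }
        # BYOD: retire removes corporate apps, email and profiles and leaves personal data alone.
        "Retire" { Invoke-MgGraphRequest -Method POST -Uri "$device/retire" }
    }
    # The action only runs when the device next checks in; record the state at the time it was queued.
    Invoke-MgGraphRequest -Method GET -Uri "${device}?`$select=deviceName,complianceState,lastSyncDateTime,managementState"
}

function Invoke-CompromisedAccountResponse {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$TemporaryPassword   # generated out of band and handed over by phone
    )
    $user = "$graph/users/$UserPrincipalName"
    # 1. Reset the password and force a change at next sign-in.
    Invoke-MgGraphRequest -Method PATCH -Uri $user -ContentType "application/json" `
        -Body (@{ passwordProfile = @{ password = $TemporaryPassword; forceChangePasswordNextSignIn = $true } } | ConvertTo-Json)
    # 2. Revoke refresh tokens so every session, including the attacker's, must re-authenticate.
    #    Already-issued access tokens stay valid until they expire (up to an hour) unless the app
    #    supports Continuous Access Evaluation, which is why step 1 matters even after this call.
    Invoke-MgGraphRequest -Method POST -Uri "$user/revokeSignInSessions" | Out-Null
    # 3. Remove Authenticator registrations: an attacker who enrolled their own phone loses it,
    #    and the legitimate user re-registers MFA under supervision.
    $methods = Invoke-MgGraphRequest -Method GET -Uri "$user/authentication/microsoftAuthenticatorMethods"
    foreach ($m in $methods.value) {
        Invoke-MgGraphRequest -Method DELETE -Uri "$user/authentication/microsoftAuthenticatorMethods/$($m.id)"
    }
    # 4. Pull the last 7 days of sign-ins for review: unfamiliar IPs, countries, devices and failures.
    $since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter  = [uri]::EscapeDataString("userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since")
    $signIns = Invoke-MgGraphRequest -Method GET -Uri "$graph/auditLogs/signIns?`$filter=$filter&`$top=500"
    $signIns.value | Select-Object createdDateTime, appDisplayName, ipAddress,
        @{ n = "country";   e = { $_.location.countryOrRegion } },
        @{ n = "device";    e = { $_.deviceDetail.operatingSystem } },
        @{ n = "compliant"; e = { $_.deviceDetail.isCompliant } },
        @{ n = "result";    e = { $_.status.errorCode } }
}

# Usage (placeholders):
# Invoke-LostDeviceResponse -ManagedDeviceId "<intune-device-id>" -Action Retire
# Invoke-CompromisedAccountResponse -UserPrincipalName "jane.doe@example.co.uk" -TemporaryPassword "<random>"
```

Run the lost-device function with the default LockOnly action as soon as the report comes in, and re-run it with Retire or Wipe once the recovery window has passed. The sign-in review is the step most often skipped: a result column of 0 against an IP address nobody recognises is the evidence that decides whether the ICO notification threshold has been met.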

Under UK GDPR, you must report personal data breaches to the ICO within 72 hours of becoming aware of the breach if it is likely to result in a risk to individuals' rights and freedoms. Mobile device incidents that involve the potential exposure of personal data — such as a stolen phone with accessible customer records — should be assessed against this threshold immediately.

Cyber Essentials and Mobile Device Compliance

The UK Government's Cyber Essentials scheme includes specific requirements for mobile devices. To achieve certification, your organisation must demonstrate that mobile devices accessing corporate data are properly configured with security controls including password protection, encryption, automatic updates, and restricted application installation.

Cyber Essentials Plus goes further, requiring hands-on technical verification of your mobile security controls. An assessor will check that your MDM policies are actually enforced, that devices are running current OS versions, and that security configurations cannot be easily bypassed by end users. Many UK businesses find that achieving Cyber Essentials Plus drives genuine improvements in their mobile security posture.

Cyber Essentials tier for each mobile control:

Screen lock enforcement: Essential
Device encryption: Essential
Automatic OS updates: Essential
MDM enrolment: Recommended
Always-on VPN: Advanced

Building a Mobile Security Roadmap

Implementing comprehensive mobile security is not a single project — it is an ongoing programme that should evolve as threats change and your business grows. We recommend a phased approach that delivers quick security wins while building toward a mature mobile security posture.

Phase 1 (Months 1–2): Foundations. Deploy MDM to all corporate devices. Enforce basic security policies including screen lock, encryption, and automatic updates. Enable MFA for all cloud service access. Draft and communicate your mobile device usage policy.

Phase 2 (Months 3–4): Enhanced Controls. Implement conditional access policies. Deploy mobile threat defence. Configure app protection policies for key business applications. Set up VPN for remote workers. Begin Cyber Essentials preparation.

Phase 3 (Months 5–6): Maturity. Implement BYOD programme with app-level management. Deploy CASB for shadow IT visibility. Conduct mobile-focused penetration testing. Achieve Cyber Essentials Plus certification. Establish regular mobile security reviews.

Throughout this journey, user training and awareness should be a constant thread. Your employees are both your greatest vulnerability and your strongest defence when it comes to mobile security. Regular training sessions, simulated phishing exercises, and clear communication about mobile security expectations will significantly reduce your risk exposure.

Common Mobile Security Mistakes UK Businesses Make

In our experience supporting UK businesses with mobile security, we see the same mistakes repeated across organisations of all sizes. Avoiding these common pitfalls can dramatically improve your security posture.

Ignoring personal devices. If your employees access corporate email on their personal phones — and they almost certainly do — those devices are part of your attack surface whether you like it or not. Pretending BYOD does not exist is not a security strategy.

Relying solely on passcodes. A screen lock PIN is necessary but nowhere near sufficient. Without encryption, MDM, MFA, and app protection policies, a passcode is merely a speed bump for a determined attacker.

Neglecting Android security. Some IT teams apply rigorous security controls to iOS devices but treat Android as an afterthought. With Android representing approximately 45% of the UK smartphone market, this creates a significant gap in your security coverage.

Forgetting about leavers. When an employee leaves your organisation, their mobile device often retains access to corporate email, SharePoint, Teams, and other resources. Without MDM and a proper offboarding process, former employees may retain access for weeks or months after departure.

Not testing incident response. Many organisations have a mobile security incident response plan on paper but have never actually tested it. When a device is stolen or compromised, the first time you execute your response plan should not be during a real incident. Regular tabletop exercises and simulated incidents help identify gaps and build muscle memory.

The Future of Mobile Device Security

Mobile security is evolving rapidly, and UK businesses should be aware of emerging trends that will shape the landscape in the coming years. Zero Trust architecture is becoming the gold standard, moving away from the traditional perimeter-based approach toward continuous verification of every device, user, and network connection. Microsoft's Zero Trust model, deeply integrated with Intune and Microsoft Entra ID, is leading this transformation.

AI-powered threat detection is enabling mobile security solutions to identify and respond to novel threats in real time, even when they do not match known attack signatures. Passkeys and passwordless authentication are gradually replacing traditional passwords, offering both stronger security and a better user experience on mobile devices.

The NCSC continues to update its mobile device guidance as the threat landscape evolves, and UK businesses should review this guidance regularly to ensure their mobile security strategy remains aligned with current best practices.

Secure Your Mobile Workforce Today

Cloudswitched helps UK businesses implement comprehensive mobile device security strategies — from MDM deployment and policy design to Cyber Essentials certification. Let us assess your current mobile security posture and build a roadmap tailored to your organisation.

Tags: Security, Mobile Security, MDM
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.