Mobile Device Security: Protecting Smartphones in Your Business
Smartphones hold more business data than most people realise. Here's how Australian businesses can secure company and employee mobile devices.
Your Smartphone Knows a Lot About Your Business
Pick up any smartphone used for work and you'll likely find business emails, customer contacts, accounting app access, cloud file storage, messaging tools, and possibly banking or payment apps. Smartphones have become portable business hubs — and that makes them a significant target for cybercriminals.
Yet mobile device security often gets less attention than laptop or desktop security. Many Australian small businesses have no specific policies or controls around smartphones at all. Given that mobile devices are lost and stolen more frequently than any other type of business hardware, that's a gap worth closing.
The Mobile Threat Landscape
Understanding what you're up against helps you prioritise the right protections:
Phishing via SMS and messaging apps
SMS phishing — known as "smishing" — is one of the fastest-growing attack methods. Attackers send text messages impersonating banks, Australia Post, the ATO, or other trusted organisations, with links that lead to fake login pages. On a small phone screen, it's much harder to spot a dodgy URL than on a desktop browser. Business messaging apps like WhatsApp, Slack, and Teams are also being used to deliver phishing attempts.
Malicious apps
Apps from outside official app stores can contain malware. Occasionally, malicious apps even make it through the Google Play Store or Apple's App Store before being removed. Once installed, a malicious app can access contacts, messages, files, and even activate the camera or microphone.
Public WiFi interception
Smartphones constantly seek and connect to WiFi networks. On unsecured public networks in cafes, airports, and hotels, data transmitted without encryption can be intercepted. Business email and app traffic should always be encrypted in transit — and sensitive work tasks should be avoided on public WiFi without a VPN.
Physical loss and theft
A lost or stolen phone is the most immediate mobile security concern. Without proper protections in place, that device gives whoever finds it access to everything on it — and everything it can log into.
Baseline Security for Every Business Smartphone
Whether devices are company-owned or personal, these baseline measures should apply to every smartphone used for work:
Strong screen lock
Every work smartphone should have a screen lock — ideally a six-digit PIN or longer, a strong password, or biometric authentication (fingerprint or face recognition). Set it to activate automatically after no more than two minutes of inactivity. Avoid simple swipe patterns, which are easily observed.
Keep iOS and Android up to date
Apple and Google regularly release security updates for their operating systems. These updates fix known vulnerabilities that attackers actively exploit. Enable automatic updates, or at minimum, apply updates within a few days of release. On iPhone, go to Settings > General > Software Update and enable Automatic Updates. On Android, go to Settings > System > System Update.
Only install apps from official stores
The Apple App Store and Google Play Store aren't perfect, but they're far safer than third-party sources. On Android devices, ensure the setting to install apps from "unknown sources" is disabled. Review app permissions — an app that requests access to your camera, microphone, contacts, or location when it doesn't need them for its core function is a red flag.
Enable remote wipe capability
Both iPhones and Android phones have built-in remote wipe features. On iPhone, this is enabled through Apple's Find My service (findmy.apple.com). On Android, Google's Find My Device (android.com/find) provides similar capability. Ensure all work smartphones are enrolled in these services so you can wipe them remotely if lost or stolen.
Use MFA on all business accounts
Multi-factor authentication (MFA) protects business accounts even if login credentials are stolen from a mobile device. Use an authenticator app like Microsoft Authenticator or Google Authenticator rather than SMS codes wherever possible — authenticator apps are more secure than SMS-based MFA.
Going Further: Mobile Device Management
If your business has multiple staff using smartphones for work, a Mobile Device Management (MDM) solution gives you centralised control. MDM lets you:
- Enforce screen lock and passcode policies across all enrolled devices
- Ensure devices are running required OS versions
- Push business apps to devices and remove them remotely
- Remotely wipe lost or stolen devices without needing the employee to act
- Separate business data from personal data using containerisation
Microsoft Intune is included with many Microsoft 365 Business Premium plans. Jamf Now is a popular choice for businesses using iPhones and iPads, with a free tier for up to three devices. Mosyle is another Apple-focused option with a user-friendly interface suitable for smaller teams.
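For a business that is not yet on an MDM, the baseline above can still be checked against a simple device inventory. The following is an added example, not code from any MDM product: the field names, the convention that an auto-lock of 0 means "never", and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass

MIN_PIN_LENGTH = 6          # baseline: six-digit PIN or longer
MAX_AUTOLOCK_SECONDS = 120  # baseline: lock after no more than two minutes

@dataclass
class Device:
    owner: str
    platform: str               # "ios" or "android"
    lock_type: str              # "pin", "password", "biometric", "pattern", "none"
    pin_length: int             # 0 when no PIN is set
    autolock_seconds: int       # 0 means the screen never locks (assumed convention)
    auto_update: bool
    unknown_sources: bool       # Android setting; always False on iOS
    remote_wipe_enrolled: bool  # Find My / Find My Device switched on

def audit(d: Device) -> list[str]:
    """Return the baseline checks this device fails (empty list = compliant)."""
    findings = []
    if d.lock_type in ("none", "pattern"):
        findings.append("screen lock missing or swipe pattern")
    elif d.lock_type == "pin" and d.pin_length < MIN_PIN_LENGTH:
        findings.append("PIN shorter than six digits")
    if d.autolock_seconds == 0 or d.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("auto-lock longer than two minutes")
    if not d.auto_update:
        findings.append("automatic OS updates disabled")
    if d.platform == "android" and d.unknown_sources:
        findings.append("unknown sources enabled")
    if not d.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    return findings

# Constructed sample inventory, e.g. typed up from a staff device survey.
INVENTORY = [
    Device("alice", "ios", "biometric", 6, 60, True, False, True),
    Device("bob", "android", "pattern", 0, 300, True, True, False),
    Device("carol", "android", "pin", 4, 120, False, False, True),
]

def report(inventory: list[Device]) -> dict[str, list[str]]:
    """Map each non-compliant owner to their findings; compliant devices are omitted."""
    results = {d.owner: audit(d) for d in inventory}
    return {owner: f for owner, f in results.items() if f}

if __name__ == "__main__":
    for owner, findings in report(INVENTORY).items():
        print(f"{owner}: " + "; ".join(findings))
```

An MDM enforces these same settings automatically; a check like this only reports on them, so it is a stopgap until devices are enrolled.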
A Note on SIM Swapping
SIM swapping is an attack where a criminal convinces a mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they can receive your SMS-based two-factor authentication codes and lock you out of accounts. To reduce this risk, contact your mobile carrier and ask them to add a PIN or security question to your account before any SIM changes can be made. This is a worthwhile precaution for business owners who use their mobile number for account recovery.
What to Do When a Device Is Lost or Stolen
Have a clear plan in place before it happens:
- Remotely lock the device immediately using Find My or Find My Device
- Change passwords for any accounts accessible from the device
- Remotely wipe the device if recovery seems unlikely
- Revoke active sessions for business accounts (Microsoft 365 and Google Workspace both allow this)
- Consider whether the data on the device triggers any obligations under the Notifiable Data Breaches scheme
Key Takeaways
- Smartphones are high-value targets because they hold significant amounts of business data
- Every work smartphone needs a strong screen lock and automatic OS updates enabled
- Remote wipe capability should be enabled on all devices before they're needed
- Use authenticator apps for MFA rather than SMS codes wherever possible
- MDM solutions like Microsoft Intune or Jamf Now are practical for businesses with multiple staff smartphones
- Have a written plan for responding to a lost or stolen device
Mobile security is one of many areas covered in the free cyber risk assessment at flagged.com.au. Take five minutes to see how your business is tracking and get clear, practical recommendations.