Securing Mobile Devices for Business: A Guide for Australian SMBs
Practical steps for Australian small businesses to secure staff phones and tablets against theft, smishing, malicious apps, and account compromise.
Smartphones and tablets have become essential business tools for Australian small businesses — used for email, messaging, cloud apps, banking, and client communication. That convenience comes with risk. Mobile devices are lost, stolen, and targeted by attackers in ways that many business owners haven't thought through. Here's what you need to know.
Why Mobile Devices Are a Growing Security Risk
A work smartphone typically has access to business email, cloud file storage, internal messaging tools, and sometimes banking or payment systems. If that phone is lost or compromised, an attacker can access all of those things. Unlike a laptop, phones are carried everywhere, connected to unfamiliar Wi-Fi networks, charged from shared USB ports, and far more likely to go missing.
The threat isn't just physical theft. Smishing (SMS phishing) has become a major attack vector — Australian businesses receive fake messages impersonating Australia Post, the ATO, banks, and telecommunications providers, designed to steal credentials or install malicious apps. Mobile-specific threats are real and growing.
BYOD vs Company-Owned: The Key Trade-offs
Choosing between staff using personal devices (BYOD) or providing company-owned phones affects how much control you have over security:
- Company-owned devices give you full control — you can enforce security policies, remotely wipe the whole device, restrict app installs, and ensure encryption is enabled. The downside is the upfront and ongoing cost.
- BYOD avoids device costs but limits your control. You generally cannot wipe the entire device (only the work data container if you're using MDM), and you depend on the staff member maintaining reasonable personal security hygiene.
For staff who handle sensitive data — financial records, client health information, confidential business plans — company-owned devices are the safer choice.
Essential Security Controls for Mobile Devices
Screen Lock and Authentication
Every work device must have a screen lock enabled: a PIN, password, or biometric (fingerprint or Face ID). A six-digit PIN is the minimum, and obvious choices such as birthdates or repeated digits don't count. Biometric unlock is convenient and acceptable for most business contexts, but every biometric falls back to the PIN or password (after a restart, or after a few failed attempts), so the fallback still needs to be a decent one. Set the auto-lock timeout short, a minute or two at most. Devices without a screen lock are open to anyone who picks them up.
Encryption
The good news: modern iOS and Android devices encrypt their storage by default. The catch is that the encryption keys are protected by the screen lock credential, so a device with no screen lock is encrypted on paper but offers no practical protection to anyone who picks it up. You don't need to configure encryption yourself; just make sure screen locks are actually turned on across all devices.
Remote Wipe Capability
Before a device is ever lost, make sure you know how to wipe it remotely, and check that the feature is actually switched on, because it cannot be enabled after the fact. For iPhones and iPads, this is done through iCloud's Find My feature; with Find My on, Activation Lock also stops anyone re-using the device after it is erased. For Android devices, use Find My Device via Google. In both cases a remote wipe only takes effect when the device next connects to the internet. For a more centralised approach across multiple devices, an MDM solution handles this for all devices from one dashboard.
Work/Personal Separation
On BYOD devices, mixing work and personal apps creates risk: a compromised personal app could potentially access work data. MDM solutions create a secure "work container" on BYOD devices (the work profile on Android; User Enrollment with a managed Apple account on iOS), keeping work apps and data in an encrypted, separately managed space. If the employee leaves, only the work container is wiped, not their personal photos and messages.
App Approval and Updates
Staff should only install apps from official stores (App Store or Google Play), and should keep both their apps and the operating system updated; many mobile attacks rely on bugs that a pending update already fixes. Malicious apps do occasionally make it onto official platforms, but they are far more common on unofficial sources. Restrict sideloading (installing apps from outside the official store) on work devices, and retire phones that no longer receive security updates from work use.
Mobile-Specific Threats to Know
- Smishing — SMS phishing. Fake messages impersonating trusted organisations with urgent links. Train staff to never click links in unexpected SMS messages; go directly to the official website instead.
- Malicious apps — apps that appear legitimate but steal credentials or data. Stick to reputable, well-reviewed apps and review app permissions before granting access.
- Juice jacking — a public USB charging point at an airport, hotel, or cafe can be rigged to talk to the phone's data pins, not just supply power. This has been demonstrated by researchers far more often than it has been seen in the wild, and modern phones ask before allowing data access over USB, but the precaution is cheap: use a power-only cable or a USB data blocker, or carry a portable battery pack, and never tap "Trust" or "Allow" on a prompt that appears while charging.
- Unsecured Wi-Fi — most app and web traffic is already encrypted (HTTPS), so the main risks on public Wi-Fi are rogue hotspots with look-alike names, captive portals that harvest logins, and the occasional app that doesn't encrypt properly. Use a VPN on public networks, or rely on mobile data instead.
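The smishing item above says to check where a link really goes rather than trusting the name in the message. The script below, added here as an illustration and not part of this guide, does that check in code: it pulls each URL out of a message and compares the domain that was actually registered against the official domain of the organisation the message invokes. The brand allowlist and the sample messages are constructed for the example. The point it makes is that everything to the left of the registered domain is the attacker's to choose, so `ato.gov.au.refund-portal.net` is `refund-portal.net`, not the ATO.

```python
"""Triage links in an SMS by comparing the registrable domain of each URL
with the official domain of the organisation the message claims to be from.
Added example for this guide; brand list and sample messages are constructed."""
import re
from urllib.parse import urlsplit

# Brands commonly impersonated in Australian smishing ->
# (name aliases to look for, official registrable domains).
# Constructed allowlist for illustration; extend it with your own bank and suppliers.
BRANDS = {
    "auspost": (["auspost", "australia post"], {"auspost.com.au"}),
    "ato": (["ato", "australian taxation office"], {"ato.gov.au"}),
    "mygov": (["mygov"], {"my.gov.au"}),
}

# Suffixes under which the registrable domain is three labels (example.com.au), not two.
# Covers the Australian cases used here; the authoritative source is the Public Suffix List.
THREE_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au"}

# URL shorteners hide the real destination, so a shortened link cannot be verified.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|suspended|within 24 hours|final notice|immediately)\b", re.IGNORECASE
)


def registrable_domain(host: str) -> str:
    """The part of the hostname someone had to register; labels left of it are free to choose.
    'ato.gov.au.refund-portal.net' -> 'refund-portal.net'; 'www.auspost.com.au' -> 'auspost.com.au'"""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def claimed_brands(text: str, host: str) -> list:
    """Brands the message body or the hostname itself invokes (whole-word match)."""
    found = []
    for brand, (aliases, _) in BRANDS.items():
        for alias in aliases:
            in_text = re.search(rf"\b{re.escape(alias)}\b", text, re.IGNORECASE)
            in_host = re.search(rf"(^|[.-]){re.escape(alias)}([.-]|$)", host)
            if in_text or in_host:
                found.append(brand)
                break
    return found


def triage_sms(text: str) -> dict:
    """Return a verdict plus the reasons. A link is suspicious when its registrable domain
    is not an official domain of the brand the message invokes, or when it is a shortener.
    Urgency wording is reported but is not enough on its own."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        domain = registrable_domain(host)
        if domain in SHORTENERS:
            findings.append(f"shortened link ({domain}), destination cannot be checked")
            continue
        for brand in claimed_brands(text, host):
            if domain not in BRANDS[brand][1]:
                findings.append(f"link goes to {domain}, not an official {brand} domain")
    if URGENCY_RE.search(text):
        findings.append("urgency language")
    link_problem = any(f.startswith(("link goes", "shortened")) for f in findings)
    return {"suspicious": link_problem, "findings": findings}


# Constructed sample messages (not real SMS captures).
SAMPLES = [
    "AusPost: Your parcel could not be delivered. Reschedule within 24 hours: https://auspost-redelivery.com/track",
    "ATO: You have a refund pending. Confirm your details at https://ato.gov.au.refund-portal.net/claim",
    "Australia Post: Your parcel is on its way. Track it at https://auspost.com.au/mypost/track",
    "Reminder: team meeting moved to 3pm, see you there.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage_sms(sms)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", sms)
        for finding in result["findings"]:
            print("    -", finding)
```

The suffix table is deliberately tiny; for anything beyond a demonstration, use the full Public Suffix List, since `co.uk`, `com.br` and hundreds of others behave the same way as `com.au`.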
What to Do When a Device is Lost or Stolen
- Remotely lock the device immediately using Find My (iOS), Find My Device (Android), or your MDM console, then wipe it once you're confident it isn't coming back. The wipe only runs when the device next comes online, so don't wait on it before doing the rest of this list
- Change passwords for all work accounts accessible on the device, starting with email and cloud storage
- Revoke active sessions in your cloud accounts as well (most services let you sign out all devices remotely). A password change does not always end sessions that are already signed in, and the phone's mail and cloud apps hold exactly those sessions
- Notify your team and assess whether any sensitive data was accessible on the device
- Consider whether the loss is a notifiable data breach under the Notifiable Data Breaches scheme in the Privacy Act 1988, which covers most businesses with annual turnover above $3 million and some smaller ones, such as health service providers
The actions you take in the first hour after a device goes missing make the biggest difference. Have a written procedure — even a simple one — so staff know exactly what to do without having to think it through under pressure.
Frequently asked questions
Should my staff use their personal phones for work?
BYOD (Bring Your Own Device) arrangements are common in Australian small businesses because they avoid the cost of providing company phones. The tradeoff is that you have less control over the security of the device. Unless the phone is enrolled in MDM with a work profile, you cannot enforce screen lock policies or restrict which apps are installed, and even with one you can only wipe the work container, not the whole device. If staff use personal phones for work email or cloud apps, the minimum you should require is a screen lock, MFA on all work accounts accessed from the device, and a clear policy about what happens if the device is lost. For staff handling sensitive data, company-owned devices with MDM are a safer choice.
What is mobile device management (MDM) and do I need it?
MDM is software that lets you centrally manage and secure mobile devices from a dashboard. With MDM you can enforce screen lock and encryption policies, remotely wipe a lost device, push app updates, and separate work data from personal data on BYOD devices. Whether you need it depends on how many devices you're managing and how sensitive the data on those devices is. For a business with more than 5–10 staff using phones for work — especially if any of those phones access financial systems, client records, or sensitive files — MDM is worth the modest cost. Microsoft Intune and Jamf Now are popular options that work well for small businesses.
What should I do if a work phone is lost or stolen?
Act quickly: the window before a lost device is accessed is short. First, use your MDM solution or the device's built-in remote lock and wipe feature (Find My for Apple devices, Find My Device for Android) to lock the device, and wipe it once you're sure it's gone. Second, change the passwords for any work accounts that were accessible on the device, particularly email and cloud storage. Third, revoke any saved sessions or app access tokens by signing out of all sessions through your account settings (most cloud services support this); do this even after the password change, since existing sessions don't always end when a password changes. Finally, report the loss to your IT manager or security contact, and if the device contained sensitive personal or financial data, assess whether you have a notifiable data breach under Australian privacy law.