Mobile Device Security for UK Businesses
Smartphones and tablets access business email, Teams, cloud files, and corporate applications — often without the security controls applied to managed laptops. Lost or unmanaged mobile devices are a common source of data breaches, and mobile-targeted attacks are growing rapidly.
Overview
Mobile devices access business data with fewer controls than managed PCs. A lost unencrypted device with business email access may constitute a notifiable GDPR breach. MDM tools like Microsoft Intune enforce screen lock, encryption, and remote wipe centrally. Kaspersky blocked approximately 33 million mobile malware incidents in 2024.
Why Mobile Device Security Is a Business Priority
Mobile devices have become integral to how UK businesses operate. Smartphones and tablets access business email, Microsoft Teams, cloud-stored files, and line-of-business applications — often with fewer security controls than the managed laptops and desktops that sit within the corporate cybersecurity perimeter. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, and mobile devices represent a growing attack surface that many organisations have yet to address comprehensively.
The mobile threat landscape is expanding rapidly. Kaspersky blocked approximately 33 million mobile malware incidents in 2024, and phishing delivered via SMS (smishing) and messaging applications is increasing in both volume and sophistication. Banking trojans, credential-stealing apps distributed through unofficial app stores, and malicious configuration profiles are all established mobile attack vectors. A compromised mobile device with access to corporate email or cloud storage can serve as an entry point for a broader network compromise, making mobile security an essential component of any business cybersecurity strategy.
Common Mobile Threats Facing UK Businesses
Understanding the threats that target mobile devices helps businesses prioritise their defences. With 85% of breaches involving phishing (DSIT 2025), mobile-specific phishing is particularly concerning because mobile screens make it harder for users to verify sender addresses and URLs before tapping links.
Phishing and Smishing
Mobile users are targeted through SMS phishing (smishing), messaging app attacks via WhatsApp and Teams, and traditional email phishing that is harder to scrutinise on a small screen. Shortened URLs, which are common in mobile messaging, obscure the true destination and make it difficult for users to assess whether a link is legitimate before tapping.
Malicious Applications
Apps downloaded from outside official app stores — or occasionally from within them — may contain malware that harvests credentials, accesses business data, or establishes persistent access to the device. On Android devices, sideloading of applications from unofficial sources is a significant risk vector that should be restricted through device management policies.
Lost and Stolen Devices
A lost or stolen mobile device that has unencrypted access to business email containing personal data is a potential reportable breach under UK GDPR. The ICO expects businesses to have technical controls in place to mitigate this risk — specifically encryption and remote wipe capability. The average cost of a data breach for UK organisations was £3.4 million in 2024 (IBM 2024), and a preventable breach caused by a lost device carries both financial and reputational consequences.
Unsecured Wi-Fi and Network Attacks
Mobile devices frequently connect to public Wi-Fi networks in coffee shops, hotels, and transport hubs. Without VPN or network protection, data transmitted over these networks may be intercepted. Man-in-the-middle attacks on unsecured networks can capture credentials and session tokens.
Mobile Device Management (MDM)
Mobile Device Management (MDM) provides centralised control over mobile devices, enforcing security policies, managing applications, and providing remote control capabilities including device wipe. Microsoft Intune, included in Microsoft 365 Business Premium, is the primary MDM platform AMVIA deploys for UK SMEs.
MDM transforms mobile security from a device-by-device manual process into a centrally managed, policy-driven programme. Without MDM, businesses have no visibility into which devices access their data, no ability to enforce security settings, and no mechanism to remove business data when a device is lost or an employee leaves the organisation.
Company-Owned Device Management
For company-owned devices, Intune provides full device management — controlling which applications can be installed, enforcing configuration settings such as screen lock timeouts and password complexity, managing OS updates, and providing complete remote wipe capability. Devices can be enrolled automatically during initial setup, ensuring that security policies are applied from the moment the device is first used.
Mobile Application Management for BYOD
Bring Your Own Device (BYOD) scenarios require a different approach. Employees are understandably reluctant to submit their personal devices to full corporate management. Mobile Application Management (MAM) policies address this by applying controls to specific business applications — Outlook, Teams, OneDrive — without managing the personal device itself. MAM prevents copying business data from managed apps to personal apps or cloud storage, enforces application-level PINs, and allows selective wipe of business data only when a device is lost or an employee leaves.
The key to successful BYOD deployment is transparency. Staff need to understand exactly what MDM and MAM can and cannot see on their personal devices. On BYOD devices enrolled via MAM, Intune can only see information about the business applications it manages — not personal app data, photos, messages, or browsing history. AMVIA provides clear privacy documentation for staff to support this communication.
App Management and Security Policies
Beyond device-level management, controlling which applications can access business data is critical. App protection policies in Intune can require that business data is only accessed through managed applications, prevent data transfer between managed and unmanaged apps, require a minimum OS version before granting access, and block devices that have been jailbroken or rooted — a process that removes built-in security protections and exposes the device to significantly greater risk.
For businesses that deploy custom line-of-business applications on mobile devices, Intune can manage the deployment, updating, and retirement of these apps centrally, ensuring that all users are running current versions with the latest security patches applied.
Conditional Access for Mobile Devices
Conditional Access policies in Microsoft Entra ID can require mobile devices to be enrolled in Intune and compliant with MDM policies before accessing Microsoft 365. This means a non-compliant or unmanaged device — one without a screen lock, running an outdated OS version, or that has been jailbroken — is blocked from accessing corporate email and files until it meets the defined requirements.
This compliance-based access control is fundamentally more robust than simply trusting any device that presents valid credentials. It ensures that every device accessing your business data meets minimum endpoint security requirements, creating a consistent security baseline across your entire mobile device estate regardless of whether devices are company-owned or personal.
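The compliance gate described above can be rehearsed against a device inventory before a blocking policy is switched on. The following is an added example, not AMVIA's or Microsoft's code, and it does not call Intune or Entra ID. The `Device` fields, the minimum OS versions and the sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed minimum OS versions for illustration; set these from your own policy.
MIN_OS = {"ios": (17, 0), "android": (13, 0)}

@dataclass
class Device:
    name: str
    platform: str      # "ios" or "android"
    os_version: str    # e.g. "17.4.1"
    enrolled: bool     # enrolled in MDM, or covered by MAM for BYOD
    screen_lock: bool
    encrypted: bool
    jailbroken: str    # "false", "true" or "unknown"

def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1) so that 9.x sorts below 17.x."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def failures(dev):
    """Return the list of baseline requirements this device fails."""
    checks = [(dev.enrolled, "not enrolled"), (dev.screen_lock, "no screen lock"),
              (dev.encrypted, "storage not encrypted")]
    out = [reason for ok, reason in checks if not ok]
    minimum = MIN_OS.get(dev.platform.lower())
    version = parse_version(dev.os_version)
    # Compare as number tuples: as plain strings "9.0" sorts above "17.0".
    if minimum is None or not version or version < minimum:
        out.append("OS below minimum or unknown")
    # Fail closed: anything other than an explicit "false" is treated as risky.
    if dev.jailbroken.lower() != "false":
        out.append("jailbroken/rooted or unknown")
    return out

def decide(dev):
    """'allow' only when every requirement is met, otherwise 'block'."""
    return "block" if failures(dev) else "allow"

# Constructed sample inventory, not real devices.
SAMPLE = [
    Device("sales-iphone", "ios", "17.4.1", True, True, True, "false"),
    Device("old-android", "android", "9.0", True, True, True, "false"),
    Device("byod-tablet", "ios", "17.2", False, False, True, "unknown"),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.name, decide(d), failures(d))
```

Running this over an exported device list shows which users would lose access, and why, before enforcement begins.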
Remote Wipe Procedures
Having remote wipe capability is essential, but it is only effective if there is a clear, documented procedure for when and how it is used. Staff must know who to contact immediately when a device is lost or stolen, and the wipe should be executed within hours, not days. AMVIA's managed service includes a documented remote wipe procedure as standard, with the ability to initiate a wipe out of hours when required.
For company-owned devices, a full device wipe restores the device to factory settings, removing all data and applications. For BYOD devices, a selective wipe removes only the company's managed applications and their data — Outlook, Teams, OneDrive, and any managed business apps — without affecting personal content. This selective wipe capability is a critical part of the employee offboarding process and should be performed on the final day of employment.
Building a Mobile Security Programme
Effective mobile device security requires a structured approach. Start by identifying all devices that currently access business data — including personal devices that staff may be using without formal approval. Deploy MDM for company-owned devices and MAM policies for BYOD. Configure Conditional Access to block non-enrolled or non-compliant devices. Establish and communicate your remote wipe procedure. Review your mobile security posture regularly as part of your broader cybersecurity programme. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), and mobile device incidents should be included in whatever response procedures you establish.
AMVIA configures and manages Microsoft Intune MDM and MAM as part of its managed IT service. We set up enrolment processes, configure security policies, handle remote wipe requests, and provide monthly reports on enrolled device counts and compliance status. Contact AMVIA on 0333 733 8050 to discuss mobile device security for your business.
Key Points
What UK businesses need to know about mobile device security.
Growing Mobile Threat
Kaspersky blocked approximately 33 million mobile malware incidents in 2024. Mobile-targeted phishing via SMS (smishing) and messaging apps is increasing.
MDM Provides Centralised Control
Microsoft Intune (included in M365 Business Premium) enforces security policies on iOS, Android, and Windows Mobile devices from a single management console.
BYOD Needs Careful Handling
Personal devices require Mobile Application Management (MAM) policies — controlling business app data without managing the personal device itself.
Lost Device = Potential Breach
A lost mobile device accessing business email without encryption or remote wipe capability may constitute a notifiable GDPR data breach.
Mobile Device Security Checklist
All devices accessing business data identified — including BYOD
MDM or MAM policies deployed — Intune enrolled for company devices, MAM for personal
Screen lock enforced on all enrolled devices
Device storage encrypted — enforced via MDM policy
Conditional Access blocks non-compliant devices from M365
Remote wipe procedure documented, and staff know who to call if a device is lost
Frequently Asked Questions
Yes. If personal devices access business email or other corporate data, some level of mobile security control is needed. For BYOD scenarios, Mobile Application Management (MAM) policies in Microsoft Intune can enforce controls on the business apps (Outlook, Teams) without managing the personal device itself — a proportionate approach that protects business data while respecting personal privacy.
No. On personal BYOD devices enrolled via MAM, Intune can only see information about the business applications it manages — not personal app data, photos, messages, or browsing history. On company-owned devices enrolled in full MDM, Intune sees device hardware details, installed applications, and compliance status, but not personal content or app data. AMVIA provides a clear privacy policy document explaining this to staff.
AMVIA's leaver process includes a selective wipe of business data from enrolled personal devices as part of the offboarding procedure. A selective wipe removes the company's managed applications and their data from the device — Outlook, Teams, OneDrive, and any managed business apps — without affecting personal content. This should be performed on the final day of employment as part of a documented leaver procedure.
Secure Your Business Mobile Fleet
AMVIA deploys and manages mobile device security for UK businesses — enforcing screen lock, encryption, and remote wipe across all devices accessing corporate data.