SMEs: Managing the mobile device cyber risk

What would happen if your phone was stolen? Especially if it was taken straight from your hand, with the screen unlocked?

While your immediate concern may be for the personal information stored on the device, as well as the potential for payment and financial apps to be exploited, it’s a scenario that could also open the door to risks in the workplace.

That’s because today, our phones aren’t just personal devices; they are gateways to our professional lives.

While phones and laptops may once have been stolen for quick cash, they now offer a payout that is potentially far bigger, due to what they contain. Lost or stolen devices are now a common route for cybercriminals to gain access to sensitive information and launch broader attacks.

Losing a phone – or indeed a laptop, tablet or other mobile device – that doesn’t have appropriate protections in place could provide criminals with easy access to all sorts of sensitive company data and systems. The end result could be anything from service disruption to severe financial and reputational damage for the business.

 

How many devices are being lost in the UK?

Mobile phone thefts in the UK surged to 99,000 in 2024. That’s over 270 phones stolen every day, a 70% increase on the previous year and the highest level in two decades.

Some recent high profile examples include:

  • The Bank of England reportedly lost or had stolen over 300 laptops, tablets, and smartphones in just three years.
  • UK government departments reported over 1,200 lost or stolen devices in 2024 alone. HMRC accounted for 804 of these, including nearly 500 mobile phones.
  • NHS Trusts have also faced scrutiny over incidents of missing laptops and USBs containing sensitive patient data, which have prompted investigations.
  • Transport for London revealed that a whopping 18,000 items – including phones, tablets, and laptops – were misplaced on the Tube, buses, and in taxis, in 2023 alone.

Whether it’s a phone grabbed from a café table or out of your hand, a laptop left in a taxi or on a train, or a tablet stolen from a coworking space, every lost device is a potential breach.

 

Five common weak points in device security

The security of devices is paramount. However, many organisations overlook critical vulnerabilities that could compromise their data and privacy. Here are five common weak points that can leave devices exposed to threats.

  1. Unencrypted devices – Without encryption, a stolen phone or laptop can be accessed with basic tools.
  2. Weak PINs or no biometric timeout – A 4-digit PIN or always-on Face ID makes it easy for thieves to unlock a device.
  3. Saved credentials – Many apps keep users logged in, giving instant access to sensitive systems.
  4. Lack of remote wipe capability – If you can’t lock or erase a device remotely, you’ve lost control.
  5. No staff training – Employees may not realise the risks of using public Wi-Fi, unattended devices, or having outdated software.
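
As an added example (not part of the original article), the technical weak points above can be checked against a device inventory export. The CSV column names and sample rows are constructed for illustration and do not match any particular MDM product; the six-character PIN minimum is the threshold this article recommends.

```python
import csv
import io

# Constructed sample of an MDM inventory export; column names are hypothetical.
SAMPLE_INVENTORY = """\
device_id,owner,type,encrypted,pin_length,biometric_timeout_min,remote_wipe,mfa_on_business_apps
PH-001,alice,phone,yes,6,15,yes,yes
PH-002,bob,phone,yes,4,,yes,no
LT-003,carol,laptop,no,8,10,no,yes
TB-004,dave,tablet,,6,30,yes,yes
"""

MIN_PIN_LENGTH = 6  # the article recommends six-digit or alphanumeric PINs

def _yes(value):
    """Only an explicit 'yes' passes; blank or unknown values fail closed."""
    return (value or "").strip().lower() == "yes"

def _int(value):
    """Parse an integer field, returning None when it is blank or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def audit_device(row):
    """Return the list of weak points found for one inventory row."""
    findings = []
    if not _yes(row.get("encrypted")):
        findings.append("not encrypted (or status unknown)")
    pin = _int(row.get("pin_length"))
    if pin is None or pin < MIN_PIN_LENGTH:
        findings.append(f"PIN shorter than {MIN_PIN_LENGTH} (or not set)")
    timeout = _int(row.get("biometric_timeout_min"))
    if timeout is None or timeout <= 0:
        findings.append("no biometric timeout")
    if not _yes(row.get("remote_wipe")):
        findings.append("no remote lock/wipe")
    if not _yes(row.get("mfa_on_business_apps")):
        findings.append("business apps without MFA")
    return findings

def audit_inventory(csv_text):
    """Map device_id -> findings for every device with at least one weak point."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["device_id"]] = findings
    return report
```

Calling `audit_inventory(SAMPLE_INVENTORY)` returns only the devices that need attention, so a blank or missing field is reported rather than silently passed.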

 

What SMEs can do right now

  1. Encrypt All Devices

Ensure full-disk encryption is enabled on laptops and that phones require a strong PIN or password to activate encryption.

 

  2. Enable Remote Lock and Wipe

Use tools like Apple’s Find My, Android’s Find My Device, or a Mobile Device Management (MDM) platform like Microsoft Intune or Jamf Now to track and wipe lost devices.

 

  3. Strengthen Access Controls

Require six-digit or alphanumeric PINs. Set biometric unlocks to time out after inactivity. Use multi-factor authentication (MFA) for all business-critical apps.

 

  4. Audit and Limit App Access

Review which apps are installed on work devices. Remove anything unnecessary and ensure business apps are protected with MFA and session timeouts.

 

  5. Create a work profile on devices

Have a separate, secure environment on devices where work-related data and applications are stored and accessed securely. This ensures that sensitive information, such as emails, is only accessible after logging in to the secure profile, and no previews are displayed without proper authentication.

 

  6. Train Your Team

Run regular sessions on digital hygiene and physical security. Teach staff to:

  • Avoid using public Wi-Fi networks
  • Reboot devices weekly
  • Report lost or stolen devices immediately
  • Be alert in public spaces – especially when using phones on the move

 

  7. Create a clear policy for lost or stolen equipment

Establishing a clear policy for lost or stolen equipment is crucial in safeguarding both personal and professional data. This policy should outline the immediate steps employees must take if their equipment is lost or stolen, including reporting the incident, remotely wiping the device if possible, and changing all relevant passwords.

Additionally, the policy should cover issues such as regularly backing up data and using strong, unique passwords to minimise the risk of data breaches.

 

  8. Build a cyber security culture

Cybersecurity isn’t just about firewalls and antivirus software. It’s about people, habits, and awareness. Every employee should understand that their phone or laptop is a potential entry point for attackers and that their actions matter.

For more pointers on nurturing a cyber secure culture, check out our blog here.

 

  9. Seek expert advice

Consulting with experts, such as our team here at Dragon, is essential in ensuring that your systems are always secure and efficient, regardless of how and where your employees work. Our team can provide tailored advice and solutions to address your specific needs, helping you implement best practices for data security, system optimisation, and risk management. By leveraging our expertise, you can stay ahead of potential threats and ensure that your organisation’s operations always run smoothly and securely.

 

In summary

With phone snatches at a 20-year high and many devices now a gateway into company systems, SMEs must treat device security as a frontline defence issue. Because when it comes to cybersecurity, prevention isn’t just cheaper than the cure, it’s often the only thing standing between you and a serious breach.

In need of expert support with your IT and cybersecurity? Here at Dragon IS, we work with small and medium sized businesses, supporting them with all their IT infrastructure and cybersecurity needs. For an informal chat about how we could help your business, please email info@dragon-is.com or call us on 0330 363 005.