Securing Mobile Devices: Phones and Tablets as a Major Entry Point to Company Data.

Staff phones and tablets access Microsoft 365, company email, and business apps daily. Here is how Irish SMEs secure mobile devices without requiring full devic

Every staff member in a typical Irish SME carries a smartphone that has direct access to the company's Microsoft 365 email, SharePoint files, Teams conversations, and potentially the company's CRM, accounting software, or HR platform. Most of those phones are personal devices. Most are not managed by the company's IT provider. Most have no corporate security controls whatsoever.

The company's server may be locked down. The company's laptops may have endpoint protection and managed encryption. The staff member's personal iPhone in their jacket pocket has everything the server has, on a device the company has no visibility of, connected to networks the company does not control.


The Mobile Threat Landscape

Mobile devices are a primary attack vector in Irish SME incidents for three reasons. First, they access corporate data continuously — email, files, and applications are always open and always syncing. Second, they are personal devices that are used for both work and personal activity, exposing corporate sessions to personal browsing risks and personal app permissions that would never be accepted on a corporate device. Third, they are physically mobile — used on public Wi-Fi, in clients' offices, on public transport, and left unattended in ways that a desktop computer never is.

The specific mobile threats include: SIM-swapping attacks that hijack SMS-based MFA; infostealer malware distributed through malicious apps and mobile phishing pages; session cookie theft from mobile browsers; and physical access to unlocked devices.


What Mobile Security Means in Practice

Enforce a PIN or biometric lock. Every device that accesses company data must require a PIN, fingerprint, or face recognition to unlock. This is the most basic control and can be required through Microsoft 365 Conditional Access or Google Workspace policies without any app installation on the device.

Use authenticator apps rather than SMS for MFA. SMS-based MFA is vulnerable to SIM-swapping. Microsoft Authenticator and Google Authenticator are apps — not tied to the phone number — and are significantly more resilient. For staff using Microsoft 365, configuring Authenticator app MFA rather than SMS MFA is a straightforward configuration change in the admin centre.

Microsoft App Protection Policies (MAM). For businesses on Microsoft 365, App Protection Policies allow the business to apply data governance controls specifically to corporate data within Microsoft apps (Outlook, Teams, OneDrive, SharePoint) on personal devices — without requiring full device management. The policies can prevent corporate data from being copied to personal storage apps, require a PIN to open Microsoft apps, and remotely wipe only corporate data from a device without touching personal data. This is the most practical mobile security control for BYOD environments.

Conditional Access for mobile devices. Microsoft 365 Conditional Access can be configured to block or restrict access from mobile devices that do not meet defined criteria — for example, requiring that mail is read in Outlook for iOS or Android rather than in the phone's native mail client, which offers significantly less protection for corporate data.

Do you know how many personal devices currently have access to your Microsoft 365 tenant? In the Entra admin centre, under Devices, you can see every device that has registered to access your tenant. Book a free 20-minute strategy call — mobile device policy is one of the most commonly overlooked gaps in Irish SME security configurations.


Mobile Device Management vs App Management

There are two approaches to mobile security for BYOD environments. Mobile Device Management (MDM) provides full management of the device — the company can remotely wipe it, enforce configuration policies, and monitor it in detail. This is appropriate for company-owned devices but is invasive and often resisted when applied to personal devices.

App Management (MAM), using Microsoft's App Protection Policies, manages only the corporate data and corporate apps on the device — without touching the personal content, apps, or configuration. Staff are far more willing to accept MAM than MDM because it does not give the employer visibility of their personal phone usage.

For most Irish SMEs with BYOD staff, MAM via Microsoft App Protection Policies is the practical target. It provides meaningful corporate data protection with proportionate intrusiveness.


The Lost or Stolen Device Scenario

Every mobile device security policy must address what happens when a device is lost or stolen. For a device with App Protection Policies applied, the response is a selective wipe — removing corporate data from the Microsoft apps on the device without affecting personal content. For a company-owned managed device, the response is a full remote wipe.

The ability to perform this wipe must be tested before it is needed. Confirm that the wipe function works in your Microsoft 365 admin centre before a device is lost, not after.


What Next

  1. Audit which mobile devices currently have access to your Microsoft 365 or Google Workspace tenant. The Entra admin centre or Google Admin Console shows all registered devices.

  2. Implement Microsoft App Protection Policies for BYOD devices. This is the highest-value, lowest-friction mobile security control for most Irish SMEs. Your IT provider can configure this in a half-day.

  3. Switch MFA from SMS to Authenticator app for all staff. This removes SIM-swap vulnerability and is a straightforward configuration change.
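A triage script for steps 1 and 3, added here as an illustration (not the page's or Microsoft's own code): it runs over a constructed export of the Entra authentication-methods registration report and sign-in log, whose field names are assumptions modelled on those reports, and lists users still on SMS-only (or no) MFA and phones reaching Exchange Online through the native mail client instead of Outlook.

```python
"""Triage a constructed Microsoft 365 tenant export for the mobile gaps above:
SMS-only (or missing) MFA, and phones reaching Exchange Online via the native
mail client. Field names are assumptions modelled on the Entra authentication-
methods registration report and sign-in log export; every row is constructed."""

STRONG_METHODS = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                  "fido2SecurityKey"}          # not tied to the phone number
SMS_METHODS = {"mobilePhone", "alternateMobilePhone"}  # SIM-swap exposed
MOBILE_OS_PREFIXES = ("ios", "android")


def mfa_gaps(registrations):
    """Return {upn: reason} for users with no MFA or SMS-only MFA."""
    gaps = {}
    for row in registrations:
        methods = set(row["methodsRegistered"])
        if not methods:
            gaps[row["userPrincipalName"]] = "no MFA method registered"
        elif not (methods & STRONG_METHODS) and (methods & SMS_METHODS):
            gaps[row["userPrincipalName"]] = "SMS-only MFA"
    return gaps


def native_mail_on_mobile(sign_ins):
    """Return sorted (upn, os) pairs for iOS/Android sign-ins via Exchange
    ActiveSync, i.e. a native mail client that App Protection Policies cannot cover."""
    hits = set()
    for s in sign_ins:
        os_name = s["deviceDetail"]["operatingSystem"]
        if (os_name.lower().startswith(MOBILE_OS_PREFIXES)
                and s["clientAppUsed"] == "Exchange ActiveSync"):
            hits.add((s["userPrincipalName"], os_name))
    return sorted(hits)


# Constructed sample export (no real tenant data).
SAMPLE_REGISTRATIONS = [
    {"userPrincipalName": "aoife@example.ie", "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "brian@example.ie",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "ciara@example.ie", "methodsRegistered": []},
]
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "aoife@example.ie", "clientAppUsed": "Exchange ActiveSync",
     "deviceDetail": {"operatingSystem": "Ios 17"}},
    {"userPrincipalName": "brian@example.ie", "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "Android"}},
    {"userPrincipalName": "ciara@example.ie", "clientAppUsed": "Exchange ActiveSync",
     "deviceDetail": {"operatingSystem": "Windows 11"}},  # desktop: outside scope here
]
```

Running `mfa_gaps(SAMPLE_REGISTRATIONS)` and `native_mail_on_mobile(SAMPLE_SIGN_INS)` gives the two gap lists the article's steps 1 and 3 ask you to close.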


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.