Top Risks

Mobile Device Security Issues

Target Process
Target Asset
Any Digital


  • A lost or stolen device contains locally saved confidential files.
  • A lost or stolen phone allows access to a company platform or system that contains confidential files.
  • A lost or stolen device is logged in to a platform that provides access to confidential files in cloud storage.
  • A lost or stolen phone is used as an MFA authenticator for access to platforms containing confidential files.


  • Whenever possible, policy should prohibit storing IP locally on devices that are frequently moved outside of secure areas.
  • Company-issued devices with remote deactivation capabilities should be required for employees, temps, contractors, and vendors working on confidential IP locally or via system access.
  • When personal devices or profiles must interact with confidential IP, they should be disconnected from any personal cloud storage systems, such as a Google or Microsoft account, or an Apple ID, to prevent automatic upload of any IP to these accounts.
  • All devices used for confidential IP should require password or biometric login to access.


  • Banner notifications on phone/tablet devices should be disabled or displayed without preview for all communication apps so messages are not readable on locked screens.
  • On devices that will hold or allow system access to sensitive IP, install software that allows a connected device to be remotely disabled until a recovery key is entered.
  • Conduct “baseline checks” with staff who have been issued company devices to ensure all devices are accounted for and to remind staff of their obligations to secure them.


  • Systems containing confidential IP should require individual accounts that can be monitored for unusual activity and failed login attempts.
  • All company-owned devices used to access or house confidential files should be logged centrally, so that their exposure potential can be quickly determined if they are lost/stolen.