Imagine this…

You wake up in the morning and your mobile phone is dead. It died during the night. Hardware can fail at any time and these amazing devices take a daily battering in pockets / bags / coats.

Perhaps you woke up late because your alarm didn’t go off? If, like me, you use your phone to manage many aspects of your business and personal life, that might be the least of your problems in the day ahead.

Maybe your phone didn’t fail during the night. Maybe you left it on the train? Or maybe it was stolen from you on a night out – snatched from your hands by a thief on an electric scooter. Whatever the cause you are now without the device you rely on so much, and your personal and company data could be at risk.

A modern work nightmare

Personally it can be a pain as you deal with the fallout but it’s usually just an inconvenience and perhaps a cost – yet another thing to deal with in a busy life. But let’s explore the business implications of this event:

  • You want to let your boss or your team or staff know that you might be late this morning and that you might have trouble getting started. How will you let them know? Do you have their phone number stored somewhere else or is it just on the contacts in your phone?
  • You can’t log on to Microsoft 365 via the web because that requires multifactor authentication (MFA) which is most likely linked to the authenticator app on your phone.
  • You might not be able to log on to your work laptop depending on whether multifactor authentication is configured. Again if this is linked to the authenticator app on your mobile phone you can’t start work or communicate with anyone that way.
  • If you can log in to your laptop, can you log into the various systems you need to do your job? These should all require multifactor authentication – again most likely linked to the app on your phone.
  • How will you contact your IT Support team so they can help you regain access to your systems?

A treasure trove for criminals

Enough about the problems getting started with work, what about the phone that was lost? That treasure trove of personal and company data that’s now under someone else’s control. This is particularly relevant to accountants, lawyers & financial services companies that have regulatory and compliance requirements, but in practice applies to all companies.

  • Did you have company email, or Teams, or SharePoint – or any other business application configured on the phone? Was the company data ringfenced and secured?
  • Did the phone have a pin code set, or biometrics enabled?
  • Did you have an ‘Express Travel Card’ set that under certain circumstances allows the use of a payment card stored on the phone without authentication?
  • Did you have “notes” stored on the phone with any data in that you don’t want to fall into the wrong hands?
  • Did you have a password manager application on the phone? Was that set to always require a pin code or biometrics?
  • If you think a data breach may have occurred because the company data wasn’t properly secured, do you have a breach procedure to follow?

What can you do to prevent the nightmare?

So now you’ve read through some of the consequences of losing a mobile phone, what do you do? Bury your head in the sand and hope this never happens to you or take a few steps to make it a bit easier when it happens?

  • Take some basic precautions – jot down a few contact numbers where you can find them if you need them. Go old school, get a notebook and keep it in a drawer. You can always borrow someone else’s phone to make a few calls – if you know the numbers to call.
  • Make sure you know your IMEI number so you can contact your mobile network provider if you need to and get the phone blocked and a replacement sim card issued. You can find this in the settings or by dialling *#06#.
  • Consider insurance so you can quickly replace your device.
  • If you have an iPhone enable “Stolen Device Protection” About Stolen Device Protection for iPhone – Apple Support (UK)
  • Make sure your phone is backed up so you can easily restore it when you replace it.
  • Make sure you keep your phone updated so any vulnerabilities that might grant unauthorised access are addressed – if you don’t know how then check out our blog for details.
  • Make sure you know how your multifactor authentication apps are backed up. Not all of them are, and just think of the time it will take to reset access to all those systems. This is one of the things that is usually easier (but just as time consuming) to do in a business environment as someone else has administrative access to those systems.
  • Choose the right phone – check out our blog article on just how to do that here.

Essential considerations for business owners

If you’re a business owner, it pays to take careful consideration of the following.

  • What are the implications of running your business with such a reliance on a staff owned device where you have little control over the age and capability of the device?
  • Have you considered other methods of multifactor authentication that are not reliant upon equipment owned by your staff?
  • Have you taken steps to secure company data on mobile devices, whoever owns them?
  • Do you have procedures in place to deal with the scenarios outlined above?
  • Does your IT department or outsourced IT provider know what to do in these circumstances and can they respond quickly enough to limit the damage?
  • Have you taken basic steps to ensure best practice by achieving Cyber Essentials or Cyber Essentials Plus certification?

If anything above concerns you or you want to know more about how best to protect your company data on personal devices get in touch. We specialise in Cyber Security and IT strategy and support for Accountants, Lawyers and Financial Services firms, but the principles above apply to all companies big and small.