3 Tips for Securing Company Data on Mobile Devices

Post Date: 09/25/2019
feature image

Learn how to protect sensitive information in Teams with our free webinar “Preventing Data Leaks in Microsoft Teams (and Other Collaboration Systems)!”

The media has had it’s a field day the past few months reporting gigantic breaches of personal (especially health-related) data. Ecuador’s data breach was huge as nearly everyone in Ecuador fell victim to it. Lion Air Group’s Malindo Air confirmed a data breach of its Amazon cloud system shortly after wherein the information of around 30 million passengers was leaked.

While most recent breaches involve unprotected or misconfigured cloud systems, mistakes as minor as a lost mobile device can also lead to a data breach. With 70 million smartphones lost each year and only seven percent recovered, this should be one of the top concerns of every organization.


Most mobile devices have the capability for full disk encryption or remote-wipe. However, those measures won’t stop instant messaging (IM) from significantly expanding your perimeter of potential data leakage. For instance, take the case of the National Health Service (NHS) we saw a few years ago where doctors and nurses were using WhatsApp and Snapchat to share information about patients “across the NHS.”

Mobile phones can have up to 256GB of storage, making them the perfect tools to shift corporate data. Instant messaging can contribute to this risk exponentially if proper controls aren’t in place. If your organization allows for personal mobile devices, keep this in mind: How do you ensure all those files shared via IM have been successfully and completely removed from an ex-employee’s device when they depart?

Worried about employees accidentally leaking data via their mobile phones? Check out this post: Click To Tweet

With all of those concerns in mind, here are three tips to keep data safe when thinking about instant messaging and mobile devices:

1. Protect Against Data Loss

It’s everyone’s concern when data is lost; one of the biggest fears businesses have is if an employee loses a mobile device regardless of if it’s corporate or personal. There are solutions on the market (MobileIron and Airwatch) that provide mobile application management and allow you to remotely delete content or block access, but mitigating the risk is better than worrying about security. It’s much safer to enforce not storing content on mobile devices and instead push for sharing links to files. This way, it won’t be a massive issue if a device ends up in the wrong hands.

2. Enterprise Administration

It’s not that you shouldn’t trust your employees, but it’s much better to manage your users. The first question your IT department should ask when looking into an IM solution is “How do we ensure an easy roll-out with transparent monitoring of companywide policies?”

The first step organizations should take is to understand which users and what devices are working with (or more importantly, allowed to use) company data over IM and mobile devices.

An employee may have more than one device or even use the device/IM service for both personal and professional purposes, and it’s important for organizations to separate business from private communication.

Having a dedicated enterprise IM solution like Microsoft Teams allows you to set the standard of what can be communicated with who and how. If employees are using WhatsApp, Line, WeChat, or similar IM solutions, the sheer variety of systems can be a nightmare to manage (and some of those IM services even co-exist together, further complicating matters).

Microsoft Teams gives users access to an Admin Center where they can use granular controls to moderate everything from message deletion, to meme usage, to guest access, and much more.

Auditing and monitoring are also must-haves when choosing an IM solution, especially having immediate support when something isn’t working and end users are left in the dark. Free IM solutions may not cost you a cent, but it also might not offer any enterprise administration, monitoring, auditing, or chance to control anything at all.

3. Data Residency and Regulatory Compliance

With the European Union General Data Protection Regulation (EU-GDPR) came the awareness of data residency requirements. Many countries started to follow a similar approach soon after, which only makes sense if you want to protect the data of your users.

Most IM solutions are cloud-based and, when choosing any cloud service nowadays, you must consider where data is stored, how it’s used, and with whom it could potentially be shared. If a European doctor is using an ungoverned IM service to ask a foreign colleague’s opinion on a patient matter, for instance, this may be a red flag if certain pre-requisites aren’t already in place (consent, anonymization, etc.).

If you’re interested in finding more ways to secure your Microsoft 365 environment, including mobile device management, here’s a great article to get you started.

Want more insight into data protection? Be sure to subscribe to our blog


During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.

View all post by Esad I.

Subscribe to our blog