
Mobile Business Security: What Changes When Company Data Moves to a Cell Phone?

Picture a field sales rep with everything on his Nokia: the customer list, price quotes, and last month’s orders. When he leaves the phone in a taxi or has it lifted from his bag, nobody knows where that data ends up. Syncing company email to a handset, keeping the calendar up to date, storing client contacts on the device — these habits are becoming routine. But behind that convenience, a serious security exposure is quietly opening up.

Moving corporate data to a mobile phone effectively stretches the company’s security perimeter far beyond the office walls. The policies applied to desktops and laptops — password requirements, screen locks, antivirus — are rarely thought about when a handset is involved. Yet device loss, unauthorized access, and data leakage happen faster in a mobile environment. You notice when a laptop goes missing; leaving a phone in a taxi is far easier and far more common.

The first thing companies need to clarify is what data actually lives on these devices. Email archives, customer contact details, internal documents, price lists — each carries a different level of sensitivity. When an employee’s personal address book is full of company clients, or a year’s worth of correspondence has accumulated in the inbox, the scope of what gets exposed when a device disappears becomes very concrete. Building a policy starts with taking that inventory: which types of data may be kept on a mobile device, and which may not?

A password policy is the most basic and least expensive control available. Requiring a screen lock, enforcing a PIN, setting an automatic lock after a period of inactivity — these are technically straightforward steps, but applying them consistently across an organization is routinely neglected. Employees disable locks for convenience; managers let it pass without a second thought. Yet a stolen or lost phone with no screen lock means instant access to everything on it, with no barrier whatsoever.

Remote wipe — erasing a device’s contents after it is lost or stolen — is one of the strongest tools available for corporate mobile security at this stage. Some corporate email platforms and mobile device management solutions already offer this capability; when the device next connects to a network or receives an SMS command, it resets to factory settings and the data becomes inaccessible. For this to work, the device must be enrolled in the corporate system and the policy must be defined in advance. There is no time to set up the infrastructure once a crisis is already underway.

The hardest practical challenge is employees accessing company data on their personal handsets. Enforcing a policy on a device the company purchased and configured is relatively straightforward; but when an employee connects to the corporate email server from his own Nokia, the company’s control over that device is extremely limited. This raises questions the organization may not have considered yet: does the company have the right to wipe a personal device remotely, and what are the legal and ethical boundaries of doing so? Most SMEs in Turkey have not asked this question yet, but as the number of devices grows, the ambiguity becomes a real operational problem.

For an SME manager approaching this topic, a good starting point is a simple question: how many employees currently have company data on a mobile device, and which of those devices belong to the company versus the individual? Drawing up that list alone tends to create significant awareness. The next step is to define at minimum a screen lock and remote wipe policy for company-owned devices and put it in writing. The technical infrastructure does not need to be complex, but having a policy in place and making sure employees know it exists is the only way to have a clear answer when a device goes missing.

This article was originally written in Turkish by Gökhan MERCANOĞLU on February 26, 2007 and has been automatically translated into English and other languages using machine translation.

Gökhan MERCANOĞLU


Technology Consultant & Author

Independent technology consultant writing on ERP, CRM, automation, artificial intelligence, and enterprise technology strategy.
