
Mobile Device Security, Encryption and Remote Working Risks

Mobile Working in Brief

Phones, laptops and tablets carry organisational data outside the office. Device encryption, mobile device management, secure connection back to base and remote wipe are the standard controls for UK businesses.

Handheld Devices, Encryption and Remote Working

Information security used to be largely about what happened inside the office, on company-owned desktop computers, on a company network. With remote working, information security risks now extend beyond the office. Information travels on laptops, phones, tablets and removable storage. It crosses public networks. It sits on devices that get lost, stolen and used in cafes and on trains. The controls that worked for fixed equipment in a controlled environment have to be rethought for hardware that goes wherever the worker goes.

The principles still hold - confidentiality, integrity, availability - but the practical controls are different. Encryption, mobile device management, remote working procedures and clear policies on personal devices are what stops mobile working becoming the weakest part of the information security model.

Mobile Devices and Information Security

A mobile device for these purposes is anything that travels - laptops, smartphones, tablets, USB drives, portable hard drives, anything that can hold information and leave the office. A major risk is loss or theft. A laptop stolen from a parked car has historically been the cause of more reported personal data breaches than any other single category, and the position has not changed substantially with the rise of remote working.

The practical controls are full-disk encryption on every device that holds business information, password or biometric authentication required to unlock the device, automatic locking after a short period of inactivity, the ability to remotely wipe a device if it is lost, and a register that records which devices are issued to whom. Mobile device management software covers most of these requirements in one place for company-owned hardware.

Devices used to access information should be kept up-to-date. Operating system patches, security updates and application updates close the vulnerabilities that attackers scan for. The further behind the device gets on patching, the more exposed it becomes. Where a device cannot be kept current - usually because it is too old to receive updates - it should be replaced.
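As an added example (not from the page or from alphaZ), the Python below checks an MDM-style device inventory against the controls just listed and reconciles it with the device register: encryption on, passcode or biometric unlock, auto-lock within a short period, remote wipe available, operating system at or above a supported minimum, and every issued device accounted for. The Device record, the minimum OS versions, the 300-second lock limit and the sample register are assumptions constructed for illustration; audit_fleet returns a dict of serial number to findings.

```python
from dataclasses import dataclass

# Assumed policy values (not from the page): minimum supported OS per platform and max auto-lock delay.
MIN_OS = {"Windows": (10, 0), "macOS": (13, 0), "iOS": (16, 0), "Android": (13, 0)}
MAX_LOCK_SECONDS = 300

@dataclass
class Device:                # one record as an MDM inventory export might report it
    serial: str
    platform: str
    os_version: str
    encrypted: bool          # full-disk encryption reported as on
    unlock_protected: bool   # passcode or biometric required to unlock
    autolock_seconds: int    # inactivity timeout before the screen locks
    remote_wipe: bool        # enrolled so that a wipe can be issued if it is lost

def audit_device(d):
    # Control gaps for one device, in the order the controls are listed above.
    os_version = tuple(int(part) for part in d.os_version.split("."))
    checks = [
        (not d.encrypted, "full-disk encryption not enabled"),
        (not d.unlock_protected, "no passcode or biometric unlock"),
        (d.autolock_seconds > MAX_LOCK_SECONDS, f"auto-lock {d.autolock_seconds}s exceeds {MAX_LOCK_SECONDS}s"),
        (not d.remote_wipe, "remote wipe not available"),
        (os_version < MIN_OS[d.platform], "OS below supported minimum; replace if it cannot be updated"),
    ]
    return [message for failed, message in checks if failed]

def audit_fleet(register, inventory):
    # register: serials from the issue register; inventory: Device records from MDM.
    report = {}
    for d in inventory:
        gaps = audit_device(d)
        if d.serial not in register:
            gaps.append("device not on the issue register")
        if gaps:
            report[d.serial] = gaps
    for serial in register - {d.serial for d in inventory}:   # issued but never enrolled, or gone
        report[serial] = ["on register but not reporting to MDM"]
    return report

# Constructed sample data: a four-device issue register and what MDM reports for it.
REGISTER = {"LT-001", "LT-002", "PH-003", "LT-004"}
INVENTORY = [
    Device("LT-001", "Windows", "11.0", True, True, 300, True),
    Device("LT-002", "Windows", "10.0", False, True, 900, True),   # encryption never switched on
    Device("PH-003", "iOS", "15.7", True, True, 120, False),       # too old and cannot be wiped
    Device("PH-005", "Android", "14.0", True, False, 60, True),    # not on the register
]
```

The inconsistent-encryption finding the auditor describes later on this page is exactly what the LT-002 row surfaces: a device that is otherwise managed but was never encrypted at build time.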

Encryption for Mobile Working

Encryption is the control that makes lost devices manageable. A lost laptop with full-disk encryption is a hardware loss; the information on it is not accessible to whoever finds the device. A lost laptop without encryption is a data breach, with all the reporting obligations and reputational consequences that follow.

Modern operating systems include strong encryption that can be turned on with no extra software. BitLocker on Windows, FileVault on macOS, and the equivalent on iOS and Android are all built in. The job is to make sure encryption is actually enabled on every device, with the recovery keys held centrally so that the company can recover information if needed.

Encryption matters in transit as well as at rest. Confidential information sent by email or transferred between systems should be encrypted using approved methods - encrypted email, secure file transfer services, or password-protected files where the password is sent separately. A cryptographic policy should set out what algorithms and methods are approved, and which are no longer considered secure.

Working Away from the Office

Home working, teleworking and remote working all involve information leaving the office and being processed in a less controlled environment. The information security expectations do not change - confidential information remains confidential whether it is being handled in the office or at the kitchen table - but the practical controls have to fit the new context.

The standard set is: only approved equipment used to access company systems, virtual private network or other secure connection for access to internal resources, the same clear desk and clear screen approach applied at home as in the office, no use of personal cloud storage or personal email accounts for business information, and physical security of devices in the home environment. A home working risk assessment can confirm that a worker has a suitable place to work and understands the security expectations.

Public spaces - cafes, trains, hotel lobbies - introduce additional risks: shoulder surfing, intercepted Wi-Fi, and devices left unattended for a moment that turns out to be longer than expected. The practical guidance is that confidential information should not be visible on screen in public, that public Wi-Fi should be treated as compromised by default and used only with a VPN, and that devices should never be left unattended in public.

Bring Your Own Device and Personal Devices

Bring your own device (BYOD) is the practice of allowing workers to use personal phones, tablets or laptops for company work. It saves the organisation the cost of supplying hardware and gives workers flexibility, but it raises information security questions that need an explicit answer rather than a default assumption.

The questions are: what company information is the personal device allowed to access, what controls are required on the device (password, encryption, anti-malware, current operating system), what monitoring or management does the company have over the device, and what happens to company information when the worker leaves or stops using the device for work. Mobile device management can apply company controls to personal devices in a contained way - separating company data from personal data so that the company part can be wiped without affecting the worker's own information.

Where BYOD is permitted, the policy should be explicit about what is allowed and what is not, and the worker should sign to acknowledge they have read and understood the requirements. Where BYOD is not permitted, the policy should say so and the company should supply the equipment workers need.

The single biggest difference encryption makes is turning a panic into a paperwork exercise. Lose an unencrypted laptop with personal data on it and you have a data breach to report, customers to inform and a reputation hit to manage. Lose an encrypted one and you fill in a form, order a replacement, and carry on. The cost of switching encryption on is essentially zero. The cost of not having it is potentially enormous.

When I audit mobile working I look at the device register first. The register tells me what is in scope and whether the organisation actually knows what it has. From there I sample a few devices and check that they are encrypted, are running current software, have the expected access controls, and can be remotely wiped. The biggest gap I find is encryption that has been enabled inconsistently - some laptops yes, some no - because nobody has made it a default for new builds.

I also check the leaver process specifically for mobile devices. Phones and laptops not returned at the leaver point are a recurring finding, and the lack of a remote wipe capability turns a slow return into a serious data exposure. The position should be that company information is no longer accessible from the device on the day the worker leaves, regardless of whether the hardware itself is back in the office yet.

We rolled out mobile device management about three years ago and it transformed how we handle laptops and phones. The visibility alone was worth it - knowing what each person had, whether it was encrypted, whether it was up to date.

Practical Compliance Guidance

The IMS1 Manual covers mobile working as part of the wider information security management section. The same controls that apply in the office - access control, classification, secure disposal - extend to mobile devices and remote working with the additional layers needed for the off-site context.

The following alphaZ documents support a practical approach to handheld devices, encryption and mobile working.

alphaZ document | How to use it
ISO 27001 Toolkit | Full document set for setting up an information security management system, including the policies covering mobile devices, remote working and cryptography.
P-29 Mobile Device Policy | Policy covering company-issued mobile devices including laptops, phones and tablets, with the security expectations and approved use.
P-32 Own Device Policy | Policy covering bring your own device (BYOD) arrangements where personal hardware is used for company work.
P-28 Teleworking Policy | Policy covering remote and teleworking arrangements including the security controls applied when working away from the office.
P-36 Home Working Policy | Policy covering working from home, including the home working risk assessment and the practical security controls that apply.
P-30 Cryptographic Policy | Policy setting out the approved encryption algorithms, when encryption is required, and how cryptographic keys are managed.
PP-8-100 Information Security Policy Procedure | The master policy that sets out the mobile device, remote working and cryptography sections referenced from the standalone policies above.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Should every laptop be encrypted?

In nearly all cases, yes. Full-disk encryption is built into modern operating systems, has minimal performance impact, and is the difference between a hardware loss and a personal data breach when a device goes missing. The cost of enabling it is essentially zero. The exception would be a laptop that holds no business or personal information at all, which is rare in practice. The recovery keys do need to be held centrally so that the organisation can recover the device if needed.

Can workers use their personal phones for work?

It depends on what they need to do with them. Email and calendar access on a personal phone is reasonable for most organisations, provided the device is protected by a passcode or biometrics, the operating system is current, and the company has the ability to remotely remove its data when the worker leaves. Access to confidential information beyond email may need a company-issued device or a managed personal device using mobile device management. The decision should be documented in a BYOD policy that the worker signs.

Is public Wi-Fi safe to use for work?

It depends on what is meant by safe. Modern websites and applications use end-to-end encryption that protects content even on untrusted networks. The residual risks are around the network itself - rogue access points pretending to be legitimate hotspots, captive portals that try to install software, or attempts to redirect traffic. Where confidential information is being accessed, a virtual private network (VPN) is the standard control. Where only basic browsing is happening, modern HTTPS is generally enough. The policy should make the position clear so that workers do not have to decide on the spot.

What should we do if a device is lost or stolen?

Trigger the incident response process immediately. Initiate a remote wipe if the device is enrolled in mobile device management. Change any passwords for systems the device had saved access to. Assess whether personal data was on the device and, if so, whether the loss is likely to result in a risk to the rights and freedoms of the individuals affected - that determines whether the breach has to be reported to the Information Commissioner's Office within 72 hours. Encryption strengthens the case that the breach is unlikely to result in significant risk, which is one of the practical reasons to have it enabled in the first place.

UK Legislation

The following UK legislation is directly relevant to mobile working and device security. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.

Further Resources
