With one in three companies having suffered a data breach due to mobile devices, when it comes to ensuring the security of your IT systems, it’s important for SMEs to have the right policies in place!

So, whether your company provides phones, tablets, USB memory sticks and laptops, or you employ more of a Bring-Your-Own-Device (BYOD) approach, some clear guidelines are vital. This not only ensures staff members are clear on what data and services they can access on their personally-owned equipment, but it also helps to keep security tight and data breaches at bay.

So, what exactly should be included in a mobile device policy? Our tech-sperts share some advice below…

Disclosure agreement

First and foremost, this important piece of documentation ensures that standards and guidelines surrounding device usage are understood and adhered to by all parties.

Ultimately, the aim of the agreement is to cover all bases when it comes to protecting the confidentiality of your SME’s data.

From stipulating what files can be accessed on which device, to outlining where information can be stored, this needs signing by both the employee and the employer.

There is also normally a clause which states that if a company email account is linked to a personal device, the employer has the right to wipe it if they suspect foul play.

For company device policies, the below should be taken into consideration:

Keeping software up to date

There should also be a section which covers the importance of staff members keeping their devices – from smartphones and tablets, to notebooks and laptops – up to date with the latest system and security updates.

Clickers of the ‘remind me later’ button – you know who you are – listen up! It can be all too easy to ignore the little box popping up on the right-hand side of the screen when you’re busy, but it takes less than a minute to set a time when the updates can take place.

Installing new features and updates helps keep your device running quickly and securely.

Include Wi-Fi

It’s also worth noting somewhere in the document that employees shouldn’t connect the device to public Wi-Fi hotspots.

You might just be quickly replying to an email or logging on to the system to check some numbers, but there are risks to be aware of when doing these seemingly safe tasks – hackers could be lurking!

One way to help prevent unauthorised users from intercepting data, when connecting from any external location to your office, is to use a Virtual Private Network (VPN). This extra layer of security offers an encrypted connection between two sites, making it harder for any third-party to access your data.

Back it up

Because sometimes there are things you just can’t prepare for – think floods, power cuts and theft – it’s crucial to ensure your workforce is backing up company-owned devices, then nothing is lost forever!

Report loss or theft

It goes without saying that if an employee’s device is lost or stolen, SME data could be jeopardised, so an agreement needs to be in place whereby the incident is reported immediately.

As a result, this will give your IT support team the time to deploy action – such as the wiping of remote devices – as rapidly as possible.

Now, when it comes to physical device policies, here are some more points to consider…


A basic rule that’s easy to stick to, it’s important you stipulate in the document that all devices require a password. If you think of your SME’s IT security as being multi-layered – like an onion – a password is one of the initial barriers facing a potential hacker, so it needs to be there.

And, when creating an effective password, there are many elements to consider – such as length, special characters, numeric PIN and the use of upper/lower case letters, to name a few!

Device inactivity

Here’s another quick win… Be sure to include information about how long a device should be inactive before requiring the user to re-enter their password.

This is a great way to help keep device access to authorised users only.

Device wiping

We mentioned earlier about employers being able to erase information from a device, but it may be useful to drill down into the circumstances, for clarity on both sides. For example, it could be deleted after a certain number of failed password attempts, or only in the case of a breach.

Disable hardware features

Employers can deactivate functions such as Bluetooth, camera access, UBSs and storage cards etc. to minimise the risk of security compromise and data interception.

There are many areas to consider when looking to draft an effective mobile device policy which all workers comply with, but if you’d like to have a chat about how to create the perfect one for your SME, give us a call on 01524 581690 or drop us a message!

Send us a message

    Talk to us

    Lancaster: 01524 581690

    Technical IT Support illustration at Q2Q HQ Lancaster, Lancashire and the North West