This one starts with a slightly embarrassing admission.
A while ago, my phone fell out of my pocket at the gym during a workout. A couple of friends nearby picked it up — helpfully, they said — and decided to have a bit of fun before handing it back.
The photos they managed to take are, frankly, best left undiscussed.
As someone who works in IT security, my immediate thought was reassuring: “It’s fine — my phone is locked down.”
Turns out it wasn’t quite as locked down as I’d assumed.
The uncomfortable truth about “locked” devices
Most of us assume that a locked screen means a secure device. And in many cases, that’s broadly true. But “locked” is not the same as “secure” — and the gap between those two things is where problems tend to live.
Here are a few things that are often accessible on a locked phone, depending on how it’s configured:
- Notification previews showing email and message content
- Quick reply to messages without unlocking
- Camera access (hello, gym photos)
- Voice assistant access to contacts, calendars and recent activity
- USB data transfer, depending on device settings
None of these are necessarily wrong for personal use. But if your team is using mobile devices for business — and almost everyone is — each of these represents a potential exposure point that’s worth thinking about.
Physical access still matters
One of the core principles of security is that physical access to a device changes the risk profile significantly. Most security thinking focuses on remote threats — phishing emails, malware, account compromise. Those are real and worth taking seriously.
But a device left unattended in a coffee shop, dropped in a taxi, or picked up by a well-meaning colleague at the gym bypasses most of those controls entirely. The device is right there. The question is what someone can access without knowing the PIN.
For business devices, this is especially relevant. Work email, client contacts, Teams messages, shared documents — all of it potentially accessible on a device that’s “locked.”
What good mobile security looks like
The basics aren’t complicated, but they do need to be configured properly and consistently across your team’s devices:
- Lock screen notifications: Turn off previews for email, messaging apps and anything sensitive
- Voice assistant on lock screen: Disable it, or at minimum limit what it can access without authentication
- Camera on lock screen: Decide whether you need it, and disable if not
- USB connections: Restrict data transfer to charging-only unless the device is unlocked
- Auto-lock timing: Set it to lock quickly — 30 seconds to 1 minute for work devices
- Remote wipe: Make sure you can wipe a device remotely if it’s lost — and that your team knows how
For businesses using Microsoft 365, many of these settings can be managed centrally through Intune or basic MDM policies — so you’re not relying on individual team members to configure their own devices correctly.
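As an added illustration (not the post's own material), here is how the checklist above maps onto a single Intune iOS device restriction profile created through the Microsoft Graph PowerShell SDK; the profile name, the decision to block the camera outright, and the use of the supervised-only USB pairing setting are assumptions made for this example.

```powershell
# Added example, not from the original post. Builds an Intune iOS
# device restriction profile that mirrors the checklist above and
# creates it through Microsoft Graph. Property names are those of the
# Graph iosGeneralDeviceConfiguration resource; the display name and
# the camera decision are this example's assumptions.

# Requires the Microsoft.Graph PowerShell SDK and an account that can
# manage device configuration.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosGeneralDeviceConfiguration"
    displayName   = "iOS - lock screen hardening (example)"
    description   = "Limits what is reachable on a locked phone"

    # Lock screen notifications: no notification or Today view previews
    lockScreenBlockNotificationView = $true
    lockScreenBlockTodayView        = $true

    # Voice assistant on lock screen: Siri only after authentication
    siriBlockedWhenLocked = $true

    # Camera on lock screen: Graph has no lock-screen-only camera
    # switch, so this blocks the camera entirely. Assumption: that is
    # acceptable for these work devices; remove the line if not.
    cameraBlocked = $true

    # USB connections: refuse pairing with computers the organisation
    # did not set up, so a cable only charges. Supervised devices only.
    hostPairingBlocked = $true

    # Auto-lock timing: the post suggests 30 s to 1 min; this setting
    # takes whole minutes, so 1 is the shortest value expressible.
    passcodeRequired                      = $true
    passcodeMinutesOfInactivityBeforeLock = 1
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body ($policy | ConvertTo-Json -Depth 5) `
    -ContentType "application/json"

# Assigning the profile to a device group is a separate call
# (POST .../deviceConfigurations/{id}/assign). Remote wipe is not a
# profile setting but an action run against the managed device.
"Created profile $($created.id)"
```

Android devices need the equivalent Android Enterprise profile, which this example does not cover.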
The lesson I took home from the gym
Controls are only effective if you fully understand their limits. That applies to mobile devices, laptops, cloud workloads and anything else in your IT environment. Having controls in place is a start — knowing exactly what they do and don’t protect you against is the part that actually matters.
After the gym incident, my phone security settings got a thorough review. Probably overdue, if I’m honest.
If you’d like us to review the mobile device security setup across your team — or talk through what a sensible mobile device policy looks like for a business your size — get in touch. We’re happy to take a look.