In October 2025, Morgan McSweeney's mobile phone was reportedly stolen on a London street. The device was said to be a government phone, containing work messages, emails, and sensitive correspondence. What apparently happened next - or rather, what did not - offers a sobering case study for security leaders.
Only those directly involved can verify the details. For CISOs, however, the reported sequence of events is useful precisely because it describes a plausible, high-impact scenario that plays out in organisations every day. The lessons below are drawn from that scenario.
1. A Stolen Phone Is a Data Breach More than a Property Crime
When a work phone is stolen, the immediate concern is rarely the hardware. A modern smartphone contains access to email, messaging apps, authentication tokens, VPN configurations, cloud storage, and often sensitive documents cached for offline use. For a senior executive, that device is a master key to the organisation.
The CISO imperative: Treat device theft as a security incident from the first report, not an IT support ticket. Your incident response playbook should include specific steps for stolen or lost executive devices: immediate remote wipe assessment, access revocation, MFA re-enrolment, and forensic logging review. The first hour matters more than the first day.
2. Remote Wipe Only Works If It Is Enabled - and Tested
Remote wipe capabilities are standard on modern mobile device management (MDM) platforms. But they are not always enabled, particularly on bring-your-own-device (BYOD) schemes or on devices where privacy concerns have led to partial enrolment. Even when enabled, remote wipe requires network connectivity. A thief who knows what they have taken may immediately power down the device or place it in a Faraday bag.
The CISO imperative: Audit your MDM coverage quarterly. Ensure all work devices - including those issued to the most senior executives - are fully enrolled with remote wipe, encryption, and location tracking enabled. Test the remote wipe process in a controlled environment. Know exactly how long it takes from report to execution, and who has authority to trigger it.
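An added example, not part of the original article: a coverage audit run over an MDM inventory export, checking the three controls named above and listing executive devices first. The CSV column names, the sample rows and the seven-day check-in threshold are assumptions; the check-in test reflects the point that a wipe command only reaches a device that is still connecting.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an MDM inventory export; column names are assumptions.
SAMPLE_EXPORT = """\
device_id,owner_role,ownership,enrolment,remote_wipe,encryption,location_tracking,last_checkin
D-001,executive,corporate,full,yes,yes,yes,2025-10-20T08:15:00
D-002,executive,byod,partial,no,yes,no,2025-10-19T17:40:00
D-003,staff,corporate,full,yes,yes,yes,2025-09-01T09:00:00
D-004,staff,byod,full,yes,no,yes,2025-10-20T07:55:00
"""

REQUIRED_CONTROLS = ("remote_wipe", "encryption", "location_tracking")
MAX_CHECKIN_AGE = timedelta(days=7)  # assumed threshold; set to your policy


def audit(export_text, now):
    """Return (device_id, owner_role, gaps) for each device that fails."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        gaps = []
        if row["enrolment"].strip().lower() != "full":
            gaps.append("not fully enrolled")
        for control in REQUIRED_CONTROLS:
            if row[control].strip().lower() != "yes":
                gaps.append(f"{control} disabled")
        # A device that has stopped checking in cannot receive a wipe command.
        age = now - datetime.fromisoformat(row["last_checkin"])
        if age > MAX_CHECKIN_AGE:
            gaps.append(f"no check-in for {age.days} days")
        if gaps:
            findings.append((row["device_id"], row["owner_role"], gaps))
    # Executive devices first: they carry the highest risk.
    findings.sort(key=lambda f: (f[1] != "executive", f[0]))
    return findings


def coverage(export_text, now):
    """Fraction of devices that pass every check."""
    total = sum(1 for _ in csv.DictReader(io.StringIO(export_text)))
    return (total - len(audit(export_text, now))) / total if total else 0.0


if __name__ == "__main__":
    as_of = datetime(2025, 10, 20, 12, 0, 0)  # constructed audit date
    for device_id, role, gaps in audit(SAMPLE_EXPORT, as_of):
        print(f"{device_id} ({role}): " + "; ".join(gaps))
    print(f"coverage: {coverage(SAMPLE_EXPORT, as_of):.0%}")
```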
3. Access Revocation Must Be Faster Than Device Recovery
The goal is not just to recover or wipe the device. It is to ensure that a stolen device cannot be used to access corporate systems. That means revoking active sessions, resetting passwords, and re-issuing authentication factors for any account accessible from the device. If the victim used biometric authentication, assume the thief may attempt to bypass it.
The CISO imperative: Build an access revocation checklist specifically for device theft. This should cover email, cloud services, collaboration tools, VPNs, and any single sign-on (SSO) sessions. Automate where possible. In a well-prepared organisation, the critical accounts should be locked within minutes of the theft being reported.
4. Senior Leaders' Devices Need Enhanced Protection
Senior executives are high-value targets. Their devices contain not just more data, but more sensitive data. They are also more likely to travel, work from multiple locations, and operate under time pressure - all of which increase the risk of loss or theft. Standard corporate security policies are often insufficient for this risk profile.
The CISO imperative: Implement enhanced mobile security controls for senior leaders and other high-risk roles. This might include dedicated, hardened devices with stricter MDM policies, mandatory hardware security keys for authentication, automatic screen lock with short timeouts, and restrictions on sideloading apps or storing data locally. Consider whether BYOD is appropriate for these roles at all.
5. Your Device Should Not Hold the Only Copy
One of the reported concerns in the McSweeney case was whether the theft meant certain messages and records were permanently lost. If a mobile device is the sole repository of important business communications, its loss creates an immediate and potentially irreversible gap. This is as much a business continuity issue as it is a security one.
The CISO imperative: Ensure that work data on mobile devices is backed up or archived automatically. Email should sync to a central server. Messages in collaboration tools like Slack, Teams, or WhatsApp should be retained according to policy. Critical documents should live in cloud storage, not just local device cache. A stolen phone should be an inconvenience, not a data loss event.
6. MAM Often Beats Full MDM for BYOD
Full MDM gives the organisation deep control over a device - but it also gives employees a strong incentive to avoid enrolling their personal phones. Nobody wants their employer to be able to wipe their family photos or track their location. The result is often partial enrolment, shadow IT, or executives simply refusing to use the scheme.
Mobile Application Management (MAM) takes a different approach. Instead of managing the entire device, MAM creates a secure container around corporate apps and data. If the device is lost or the employee leaves, only the work container is wiped. The personal side of the phone remains untouched.
The CISO imperative: If you run a BYOD programme, evaluate whether MAM or containerisation is a better fit than full MDM. The goal is to protect corporate data without creating privacy friction that drives users to work around your controls. For many organisations, MAM delivers better security in practice because employees actually comply with it.
7. Incident Response Must Include Communications and Legal
A stolen device containing sensitive information can trigger regulatory notification requirements, media interest, and legal discovery obligations. The response is not purely technical. Security, legal, communications, and executive leadership need to coordinate from the outset. Delays in reporting, unclear accountability, or ad hoc decision-making compound the damage.
The CISO imperative: Ensure your device theft incident response runbook includes clear escalation paths to legal, communications, and executive teams. Define who makes decisions about disclosure, when regulators must be notified, and how the organisation will respond to external scrutiny. Rehearse this scenario in tabletop exercises at least annually.
The Bigger Picture
The reported McSweeney incident - whether it unfolded exactly as described or not - is a reminder that some of the most consequential security incidents are also the most mundane. A phone stolen on a city street. A report made to the police. And then, according to the available account, a gap where decisive security action should have been.
For CISOs, the relevant question is not whether your executives are targets. They are. The question is whether your organisation can move fast enough when their devices - and the data they contain - are suddenly out of your control.
