Exchange Server doesn't provide much flexibility in its remote-wipe settings for iPhones, iPads, and supported Android devices: It's on or off, and all you can specify is the number of failed log-in attempts needed to trigger a complete device wipe. But third-party MDM tools give you the ability to wipe just corporate data (coming from your servers, not the users' data) based on a failed log-in threshold that you set.
Your first line of defense should be requiring a strong-enough password, on-device encryption, and a low autolock time (a few minutes) for both mobile devices and PCs. You want a device locked with a password complex enough to not be easily guessed, but not so complex it will be hard to enter or so hard to remember it gets taped to the back of the device or to the PC monitor's bezel or keyboard tray.
A locked and encrypted device will be protected from most prying eyes. A lock also buys time for the user to find the smartphone or tablet, should it be misplaced; chances are it's under a cushion or a chair, or in another innocuous location. If you jump to a "wipe when called" policy, your users simply won't call until it's been missing a few days. It's better to issue a more stringent lock to the device instead, which some MDM tools can do, as can Apple's iCloud service and -- for IT's use -- OS X Server for both Macs and iOS devices. Microsoft's System Center has similar capabilities for Windows, and a variety of security vendors such as F-Secure and Symantec offer related capabilities for several mobile and desktop platforms, including Android.
The point is that for most organizations, there are several security options available before you come to a complete device wipe. Start with them before you set off the neutron bomb.
This article, "Don't be so trigger-happy for a remote wipe," was originally published at InfoWorld.com. Read more of Galen Gruman's Smart User blog at InfoWorld.com.