Everyone seems to have a smartphone or tablet these days, as much for personal use as work.  But have you thought about the type of information stored on an employee’s mobile device?  Or what would happen in the event a smartphone, tablet or laptop went missing?  With the growth of the mobile work environment comes an increase in electronic security risks – lost, stolen, corrupted or compromised data.  We’re going to run a series of posts discussing mobile security issues.

The security risks fall broadly across three areas: theft, malware, and user behavior.  (We’ll discuss malware and user behavior in our next two posts, so stay tuned!)  The risk of a stolen device is fairly obvious – unintended and possibly malicious access to sensitive data – voicemails, e-mails, text messages, documents, contact logs, etc.

According to a McAfee/Carnegie Melon University study, as reported by CNN (Work-issued mobile devices emerging as key security risk), 40% of companies surveyed have experienced the loss or theft of their mobile devices – and half of these devices contained “business critical data.”  Over one-third of these device losses had a “financial impact” on the organization.  The type of sensitive data lost included customer data, corporate intellectual property, financial data, and employment data.

If your device was stolen, what would you do (other than declare that your life was over)?  Do you know what procedures your company can take to protect the information on your device?  Can they remote wipe it?  Can they lock it down?  Has anyone at your company ever talked to you about mobile security issues?  Are you required to use a password to access your device?  If so, do you?

According to the McAfee/Carnegie Melon survey, probably not.  That study indicated that while most companies have some mobile security policies in place, two-thirds of employees were not aware of their employer’s security policies, or even how to activate their mobile device’s access or permission settings.  Additionally two-thirds of the companies surveyed increased their mobile security procedures only after the discovery of a lost/stolen device, which indicates that existing measures were not deemed sufficient after the company actually faced a real security threat.

It seems obvious that a well-defined and documented mobile security policy, which outlines the necessary recovery process, would lessen the potential for disclosure of critical data or confidential client information, and minimize the financial impact of business disruptions.  However, your employees must know about the policy in order for it to be effective!

What does this survey tell us?  Mobile security is very much like other issues relating to employee use of technology – having a policy in place is only step number one.  Step number two is making sure that employees actually know about the policy, know how to implement it and know who to go to when a device is lost or stolen.  What do you think?  Do you have a policy in place?  Do your employees know about and follow that policy?