Staff awareness is biggest key to mobile security

Transparency is also important, according to attendees at an HP roundtable event

Organisations need to address mobile security issues through policies covering all employees from the top level right to the shop floor, while workers need training to be more aware of security issues. Security protection also needs to be transparent, so that it does not interfere with user productivity.

These key findings came from a roundtable on mobile security risks hosted by HP, where vice president for HP services Tony Redmond said that companies had to accept that some laptops and mobile devices are going to get lost, and take measures to ensure that confidential data is not exposed when this happens.

"Our policy is that all executives have their laptop hard drive encrypted by default, but it can be difficult because there is substantial user push-back – it can be difficult for users if they have to manage multiple passwords," Redmond said. Smartphones and other mobile devices are an even bigger security risk, because they are much easier to misplace, he added.

Stephen Lamb, technical security advisor at Microsoft, agreed, and said that encryption needed to be made transparent to users so that they did not have to be techies to use it, and would perhaps not even know their data was being protected this way.

Security needs to be built in to products, so that policies can be crafted to make security pervasive, but Lamb warned that companies must be careful to strike a balance, or such measures will stifle productivity and users will simply work around them.

However, a major factor in security breaches is simply user ignorance, according to Stephen Mason, a barrister with a special interest in IT security issues.

"There are whole swathes of people out there who simply have no idea of the need for security, even at the executive level," he said. Many workers regard security as the responsibility of the IT department, and often do not realise that actions they are taking – such as forwarding emails containing confidential information – are potential security risks, he added.

Lionel Lamy, research director at IDC, said that organisations should consider training users to be more aware of potential security issues.

"Someone has to call in if their device gets lost, otherwise the IT department doesn't know to remotely wipe it," he explained.

Mason said that company security policy ought to form a part of employee contracts, but warned that the policy itself needed to be concise or staff simply would not bother to read it.

Finally, Redmond warned of the influence of younger workers just coming into employment who have grown up with the Internet and mobile phones. These workers just expect data to be available everywhere on any device, and have few qualms about sharing information, he said.

"The challenge for companies is to create infrastructures that are adaptive. You can guarantee that new workers will make mistakes with data," said Redmond.