Hardly a day goes by without a new innovation in mobile technology. Mobile banking and transactions will soon be commonplace, and organisations such as hospitals and councils increasingly rely on mobile devices to access sensitive information from private databases.
Mobile markets are driven by demand for ease of use and functionality, not security. This raises some worrying issues. As technology advances, criminals will find new ways to exploit it, and as devices shrink, their job will become easier. If someone can walk out of an NHS trust with a desktop PC, how are organisations going to protect data carried around in their employees' pockets?
There is a tendency to look to increasingly sophisticated technology to meet these challenges, but the biggest problems will always lie with the user. Even where the technology is designed with security in mind, people still fall for basic scams or mislay unencrypted data.
There have been few high-profile mobile embarrassments so far, meaning mobile security has been seen by many as a low priority. But this also means we have an opportunity to get things right first time. The IT profession has a key role to play, ensuring technology and attitudes are ready for mobile security challenges from the start. We do not want to see corporate policies hurriedly implemented six months down the line, once the damage has been done.
Most IT professionals understand the risks of malware and Trojans, unauthorised remote access to servers, or losing storage devices holding unencrypted data. Yet it is exactly these errors that have caused big problems in the last few years.
Organisations need to look at ways to mitigate these problems and limit worst-case scenarios. Success here will come from having procedures in place to prevent these problems occurring, communicating them effectively, and having a pre-determined response plan when something goes wrong.
Enforcing strict rules is counter-productive: not only will it be met with resentment, but reducing communication functionality could impede company progress. Instead, introduce best-practice guides and educate employees about the risks of not taking data security seriously.
Each organisation will face different challenges, and IT professionals must assess the risks to their organisation and form a policy accordingly. Plans should address all aspects of mobile data security, be formalised with board-level backing and rolled out throughout the organisation.
It only takes one error to damage corporate reputation, so it is important that everyone, at all levels, is aware of the risks, their personal responsibilities and, where appropriate, the sanctions for failing to exercise reasonable care when dealing with data.
Remember also that manufacturers can help. IT departments should use their networks and purchasing power to demand that better security be built into new systems from the start; such functionality should be high on any procurement tender questionnaire.
People are the key. If you can encourage staff to follow basic security procedures, you will dramatically reduce the chance that your organisation is at the centre of the next big data loss story.
Tony Dyhouse is director of the Cyber Security Programme of the Digital Systems Knowledge Transfer Network
This was first published in January 2010