February 2008   
 
 

TECHNICAL INSIGHT: MALWARE GOES LOCAL


Under the Radar Yet Right Under Your Nose—Data Loss From Smartphones

By Chris Parkerson,
Group Product Marketing Manager for Data Protection

Call me typical. I own my very own smartphone, which I use at work and when I'm away from work. I'm now on my eighth mobile device over a period of five years. I can't honestly tell you exactly how I've lost all those smartphones. But I suspect that since I travel a great deal for business and pleasure, my smartphones could easily have dropped off my belt clip and ended up in a cab in New York City, in a gutter in rain-soaked Seattle, or in a trash bin behind my favorite sushi bar in Tokyo.

You may find my inability to hold on to my mobile devices surprising or amusing, but I can assure you that losing a smartphone is more common than you might think, and it is no joke. Such unintentional slipups can lead to potentially serious corporate data breaches with serious consequences. In the recent past, when we talked about enterprise data breaches, we were concerned about the security of confidential company data on laptops that traveled back and forth from office to home. It used to be that the proverbial foxes were in the hen house, and then they also went home. Now the foxes are in the hen house, and they travel all over the world—with smartphones or PDAs in tow that may house valuable, unprotected corporate information like customer lists, specifications for an unreleased product, an unpublished annual report, and who knows what else.

Tim Smith, an Information Week blogger, revealed a startling statistic: "A New York-based financial services firm loses one laptop per day and five smartphones per day in taxicabs, says John Pironti, chief information risk strategist for the consulting firm Getronics. A common outcome: The cab companies sell off the gear after 30 days. How's that for risky business?"
(Source: http://www.informationweek.com/blog/main/archives/2007/10/interop_winners.html)

Left to their own devices
The problem stems in part from the fact that many enterprises don't usually provide smartphones for their employees. The operational expense is just too high. Companies don’t want to purchase, support, maintain, and inventory smartphones, so they leave their employees to their own devices—literally—and this means that most mobile devices are largely unsecured. The fact that smartphones and the like double as personal devices compounds the problem, of course.

Most Fortune 100 companies have detailed, written policies regarding proper use and security of the mobile devices they allow onto their corporate networks, but I challenge you to find me a user within those organizations who knows exactly what is in these policies—let alone is aware that they even exist. And, let's be honest, you can't expect your employees to be security experts.

Smartphones are getting smarter
Large enterprises that we talk to on a regular basis are telling us that they are experiencing as many as 15 times more breach incidents now that mobile devices are a must-have business tool. With the advent of more powerful devices like the iPhone and Microsoft Windows Mobile-based devices, people are using smartphones as PC replacements when they’re on the road. On most smartphones and PDAs, you can preview documents produced with Microsoft Office applications, and on many devices, you can edit those documents as well. The ubiquity of Microsoft Office means that every mobile device—even those not based on software from Microsoft—has the ability to view Office documents. The ease of sharing Office documents with mobile users is compounding risk.

A board-level issue
"That's great!" you might say, "Now I can download business documents from the office and work on them while I'm on the road. What does that have to do with data breaches?" Well, the answer is simple. Criminals who get a hold of your smartphone can easily view, if not actually save and download, the confidential documents you have on your handset.

Smartphone data breaches are a board-level issue because if sensitive information leaks out, the company you work for is liable. Thirty-eight U.S. states have enforceable privacy laws. And then there are the federal laws, like the Gramm-Leach-Bliley Act, which requires financial institutions to protect their customers' nonpublic personal information. The laws don't care how the data leaks out or how much of it is lost. It could be four credit card numbers on a customer support rep's smartphone or an annual report on the CEO's BlackBerry. Whatever the scope of the breach, the consequences can be severe—from an unflattering headline in the New York Times to damage to brand equity and costly reparations.

And another equally disturbing risk is the potential for loss of intellectual property, like patents, designs or specifications for unreleased products, and secret formulas.

Smart solutions for smartphones
You probably don't want to keep the foxes from entering the hen house or trotting the globe, but you can secure your data. One surefire method is encryption. Enterprises can require employees to set up encrypted space on their smartphones (or removable storage devices like iPods and USB sticks), which forces downloaded or copied company documents to be automatically encrypted. The encrypted documents can only be decrypted with a special key or a thumbprint, rendering this data useless to prying eyes.

The other method—and perhaps the best one—is to control which behaviors are allowed and which are not when users’ devices connect to your corporate network resources. Both device control and data encryption products allow you to specify which approved devices can and can't be used according to product ID, vendor ID, serial number, device class, device name, and other parameters. Device control solutions also help you regulate how users copy data to external devices and block any copy attempts that violate your policies.
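
The device-control approach described above, sketched as an added example (not from the article or any vendor's product): an ordered, default-deny policy matched on the attributes the article lists, with an `encrypt` action that permits a copy only into encrypted storage. The rules, IDs, serial pattern and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Device attributes named in the article. Every ID and serial below is a
# constructed sample value, not a real vendor or product identifier.
FIELDS = ("vendor_id", "product_id", "serial", "device_class", "device_name")

@dataclass(frozen=True)
class Rule:
    action: str            # "allow", "encrypt" (copy only if encrypted) or "block"
    vendor_id: str = "*"
    product_id: str = "*"
    serial: str = "*"
    device_class: str = "*"
    device_name: str = "*"

    def matches(self, device: dict) -> bool:
        # A missing attribute is treated as "", which only the "*" pattern matches.
        return all(
            fnmatchcase(str(device.get(f, "")).lower(), getattr(self, f).lower())
            for f in FIELDS
        )

# Hypothetical policy, evaluated top to bottom; the first matching rule wins.
POLICY = [
    Rule("allow", vendor_id="0x1111", product_id="0x0a01", serial="CORP-*"),
    Rule("encrypt", device_class="smartphone"),
    Rule("encrypt", device_class="mass_storage", vendor_id="0x1111"),
    Rule("block", device_class="mass_storage"),
]

def decide(device: dict, copy_is_encrypted: bool, policy=POLICY):
    """Return (verdict, matched_rule_index) for copying corporate data to device.

    The rule index is returned so every decision can be written to an audit log.
    """
    for index, rule in enumerate(policy):
        if rule.matches(device):
            if rule.action == "allow":
                return "permit", index
            if rule.action == "encrypt":
                return ("permit" if copy_is_encrypted else "deny"), index
            return "deny", index
    return "deny", None    # default deny: a device no rule recognises gets nothing
```

Vendor ID, product ID and serial number are reported by the device itself, so matching on them is an inventory control rather than authentication; the encryption requirement is what protects the data once a device is lost.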

Conclusion
Companies do see the benefits of supporting and enabling legitimate business use of mobile devices even if they can’t dictate which mobile devices their employees are going to buy and where or how they use them—or lose them. The best and most reasonable way to achieve data security in the face of this new wrinkle in the technology and communications landscape is to monitor, audit, and control user behavior and to ensure that data that does end up on smartphones from the corporate network is properly encrypted.


 

 
