While smartphones and other mobile devices are increasingly used like personal computers and require the same security now standard in PCs—such as antivirus software and encryption—most mobile devices have the same lack of security as a 1998 PC.

But because mobile technology has revolutionized the way we live, work and communicate, it's easy to focus on the convenience and versatility of mobile devices, without giving much thought to security.

Users can be careless, adding to the problem. In fact, about half of users keep passwords, pin codes or credit card details on their mobile devices, and one-third keep sensitive work-related information, according to a 2011 report by McAfee and Carnegie Mellon CyLab, which surveyed 1,500 respondents in 14 countries.

As a result of these security weaknesses, data that is stored and transmitted on mobile devices is at risk. As the value of data rises and mobile devices begin outselling PCs—as Morgan Stanley predicts will happen in 2012—the need for risk-management and security measures becomes even more acute.

One way to think about the risk is to compare how people treat wallets as opposed to mobile devices; it would not be acceptable to lose a wallet as commonly as mobile devices are lost.

Rapid change, lagging security


Since mobile security is already lagging by a decade or more compared to PCs, it now has to do double duty: catching up with technology already in use, while simultaneously anticipating and outpacing popular new technologies. For example, "mobile wallets"—smartphones with near field communication (NFC) chips that enable fast, easy point-of-service sales—are poised for explosive growth.

With the landscape changing so quickly, it's important that risk and insurance professionals mitigate mobile security risks through a comprehensive strategy that includes preventative actions, ongoing vigilance and privacy-data breach insurance.

Major tasks for risk professionals include:

Creating companywide policies

Securing devices

Controlling apps and other non-business-related add-ons

Preparing for mobile wallets

Securing data collected and transmitted for sales purposes

Having the right insurance in place.

Creating companywide policies


Many people have one device for personal and professional uses. They may find themselves asking, "Is this my fun phone or my work cell?" Increasingly, the answer is both, with one device used for multiple purposes.

A majority of people use their mobile devices for business and personal e-mail, social media, document creation and storage, web browsing, e-commerce and other purposes.

To help maintain the security of data, it's desirable to equip each employee with one type of device from a single manufacturer. Admittedly, this could be challenging, since most people already have a smartphone or cell phone they like. However, it's much easier to track and monitor data and deploy an emergency response if control and access are centralized.

Employees should also use strong passwords that are unique to their work devices, and companies should mandate that they change them at least monthly.

In one instance, thieves hacked into Trapster, which alerts drivers to police speed traps, and stole email addresses and passwords. That incident pointed up a common security mistake and vulnerability: many people use the same password for several accounts or sites, making it easier for criminals to access their information.

Securing a mobile device


Simple carelessness can lead to loss or theft of a mobile device. There have been plenty of data breaches because laptops have been misplaced or stolen—and mobile devices are similarly vulnerable.

The McAfee and Carnegie Mellon CyLab report found that four in 10 organizations have had mobile devices lost or stolen; half of those devices contained business critical data. More than a third of mobile-device losses have had a financial impact on the organization, according to the report, Mobile and Security: Dazzling Opportunities, Profound Challenges.

Security needs to start with the device itself. There should also be an instant-response plan in place in the event the device is lost or stolen.

Controlling apps and other non-business-related add-ons

It's also essential to take control of apps, restricting their use and establishing a policy of mandatory notification if apps are added or removed.

Browsing non-work sites or loading lots of non-essential apps increases the likelihood of introducing malware. The number of apps on mobile marketplaces contaminated with malware grew to 400 from 80 during the first half of 2011, according to a study by Lookout Mobile Security.

Preparing for mobile wallets


"Mobile wallets" using NFC technology are expected to become quite popular in the near future. Companies may deploy NFC to make payment easier, or employees may have NFC technology on their mobile devices.

Any NFC-enabled phone should have all the standard security measures, such as strong password protection and encryption, but there are additional risks and precautions. There is the danger of a "walk off"—accidentally leaving behind a phone where an application has not timed out quickly enough, enabling a thief to misuse the previously opened access. One simple fix is an alarm that activates when the phone is too far away from the user.

NFC-enabled devices can also be subject to eavesdropping and data disruption. While the solution for both would be to use SSL-encrypted tunnels, like those used in Internet transactions, it's not clear that the mobile phones used for these transactions will be SSL enabled.

Securing data collected and transmitted for sales purposes

Retailers and service providers taking payments with NFC-enabled phones will have their own security issues. Customers could have their credit card and payment data intercepted at the place of business. This could result in minor annoyances, such as unwanted advertisements, or more serious problems like loss of customer trust, reputational damage, identity theft and legal liability.

With NFC, there is a complex web of responsibility. Sorting out what happened could be difficult, requiring time-consuming and expensive forensics to determine whether the problem was caused by the phone, chip supplier, phone operator, customer, reader supplier or shop. Legal costs could add up quickly.

Actions such as ensuring that the reader is secure and also PCI compliant can help to manage risk. Encryption or an equivalent protection measure can help protect the transaction data.

It's also critical to understand and get the most favorable terms in the contract with the reader's supplier. The reader should be secure as supplied, and the contract should specify who is responsible for a security problem. While none of these methods are foolproof, they can reduce the likelihood of a data breach.

Data breach insurance essential

While prevention and risk management can help reduce data breaches, insurance is essential to protect against the costs and liabilities associated with a breach that compromises personal information. Many policies typically cover notification costs, forensic services, credit monitoring, legal assistance, identity restoration and public-relations services. They will also cover specific exposures, such as personal health-data breaches.

Staying ahead of risk


As several trends converge—the explosion of mobile communications, the collection and storage of vast amounts of personal and commercial data, and more mobile commerce—the risk landscape has become more complex. Mobile communications are accelerating quickly. Although it's challenging, security needs to be one step ahead of those accelerating risks.
