Mobile security is a big concern among organisations at the moment, especially as research companies seem to be increasingly fond of throwing out statistics on the number of laptops and handsets that keep being found in wine bars or the back of taxi cabs.
But while the security of mobile devices – especially smartphones – has its own set of specific issues, companies shouldn’t forget that it is basically an extension of security policies that they should already have in place.
I attended a roundtable on mobile security recently where a participant from Microsoft commented that workers can buy any smartphone or mobile device that takes their fancy, then bring it into the office and synchronise it with their desktop PC.
However, to call this a mobile security issue is missing the point. The failure in this example surely lies with the desktop security policy that allows a worker to connect any device they choose to their computer and copy information to it from the company network. If they can synchronise their smartphone, then they can just as easily plug in a USB hard drive and walk out the door with gigabytes of information.
The issue demonstrates the fact that companies can no longer regard security as a perimeter issue, something that can be dealt with at the internet gateway by firewalling the corporate LAN off from prying eyes. Instead, all systems that are used to store or access company information need to be assessed for potential security weaknesses.
What this means is that any endpoint device needs to be locked down to a greater or lesser degree, whether it is a Windows desktop or a smartphone. Obviously there will be differences in the level of security applied; very few desktop PCs are likely to require full disk encryption, for example, while it would be wise to apply this to laptops and handsets that might have sensitive information on them.
Clearly, a lot also depends on what your definition of “sensitive information” is. As another participant in the roundtable noted, an inbox file with a year’s worth of company email messages could prove just as damaging in the wrong hands as a spreadsheet full of finance figures.
But equally clearly, security needs to be made much simpler than it currently is if it is to extend across all areas of business. It must be strong enough to prevent a thief from accessing confidential information, without the user constantly having to verify their credentials, or else the same worker will find ways to avoid using the security altogether.
For me, the key point from the roundtable was the need to educate employees about security risks. How many workers regularly copy vital files onto a USB Flash drive in good faith, so they can take them home and work on them in the evening? It probably doesn’t enter their heads that they could be costing their employer dear if they were to lose that USB stick outside the building. And compared with deploying comprehensive all-encompassing security tools, a little user training is surely a more cost-effective option.





