UK firms may be putting their business at risk by being complacent about mobile technology, particularly when staff purchase their own PDAs or smartphones and load them with corporate data.

A recent study of 600 IT leaders, drawn from readers of IT Week and its sister publication Computing, found that two-thirds of those questioned knew that personally-purchased handhelds were used within their organisation.

But the research, sponsored by mobile provider O2, also showed that most IT leaders did not see this as a cause for worry. Only nine percent of IT leaders in affected firms said renegade handhelds were a serious concern.

Overall, 84 percent expressed confidence that they had enough control over mobile devices - despite the fact that only 37 percent of firms had a strategy of any kind covering mobile technology.

Even among those with a policy, four-fifths felt that mobile technology was covered by general IT measures. Only seven percent of companies overall had a specific policy for mobile devices.

Firms increase their exposure to a range of risks when they do not control the way mobile devices are used. Staff who store contact and customer data on PDAs could fall foul of the Data Protection Act, for example, while business data that may be subject to non-disclosure agreements or similar contracts could be at risk when pocket devices are lost or stolen.

There is also the general risk of losing competitively sensitive information.

"IT must take hold of mobile now, otherwise businesses are going to expose themselves to a lot more risk," said Hugh Griffiths of O2. "These include unquantified levels of support for unauthorised devices, cost and project duplication, and long term security risks."

IT managers should assess such risks and consider bringing handhelds under central control. Products from firms such as Utimaco and Pointsec can be used to encrypt data carried on handhelds.