Companies go to great lengths to protect their business data. But what happens when employees check their business email from their mobile while at a hotel on a business trip, or even at the café down the street? What security threats does this create and how can you minimize these risks? More importantly, do employees fully comprehend that their mobile devices could be exposing sensitive business data to serious risk?

We did some research on this issue and found some pretty interesting—and worrisome—information.

The good news is, there are concrete steps that employers and IT managers can take to minimize the potential threats associated with employee mobile device use.

As a long-time hosting provider of secure cloud-based business email and collaboration tools like Hosted Exchange 2013, and military-grade SkyNox online backup, keeping data secure is what we do best. With that in mind, we thought we’d pass on some helpful tips that you can put right to work.

Just How Much Risk Is Your Business Data Exposed To?

> 91 percent of employees use work-related smartphones for personal use

Businesses have little control over mobile carrier networks. In other words, security threats are just a time bomb waiting to go off. Often it’s up to employers and IT managers to establish policies, and ensure employees adhere to them to keep data secure. No small task, but a vital one.

> 81 percent of employees with corporate smartphones use their mobile to check business email

Employees need to understand that they are responsible for ensuring their mobile device does not pose a serious security threat. Not just from theft or loss, but also from unsecured networks, malicious apps, etc.

> 62 percent of employees with corporate smartphones access sensitive business data with their mobile on business trips or vacations

With the holidays fast approaching, this might be the perfect time to think about business mobile security.

Bottom Line:

Employers can’t assume employees adequately protect business data during mobile use, or even know how to. Nor can they assume employees even fully grasp the severity of this issue. This means employers and IT managers have to develop, communicate and enforce mobile security policies to effectively minimize such risks.

7 Tips for Boosting Business Mobile Security

1. Create a strong security policy.

Yes, this one is obvious. But what’s not so clear is how to establish controls that are aligned with your type of organization and the corporate policies already in place. For example, businesses in highly regulated industries may have to encrypt all data stored on all mobile devices and all removable media; other businesses may not have to go to such lengths. You should also establish policies regarding patches, updates and apps, and provide employees with security software.

2. Apply your existing security policies to mobile devices.

For example, if employees have to enter a password that’s 15 characters of uppercase, lowercase and symbols on their desktops to access the corporate network, then the same rule should apply to all mobile devices that connect to the corporate LAN.

3. Communicate and enforce your policy.

Most businesses provide employees with security software for work-related smartphones, but fewer than half of these employees know this. Why? Only 51 percent of companies bother to tell employees about their work-related smartphone policies. Employees who clearly understand the importance of security policies will be more likely to adhere to them, so educating them on potential risks may be necessary. It also goes without saying that employees will only adhere to a policy over the long term if it is enforced. A mobile device management (MDM) solution can help.

4. Make an inventory of devices.

To better understand your company’s exposure to risk, you need to create and maintain an inventory of all mobile devices that have access to your network, especially if you have a “bring your own device” policy.

5. Proactively wipe devices.

A good policy will go beyond simply requiring devices to be locked with passwords; it should also specify when devices should be automatically wiped. For example, you can set devices to delete all content after 10 failed login attempts. There are also security tools that will automatically wipe any device that hasn’t connected to the corporate network within a certain number of days, or after it has been reported lost or stolen.

6. Enforce app whitelisting/blacklisting.

You can also restrict employees from installing specific apps on their devices. However, be warned: if your in-house process for getting new apps approved requires weeks or months of waiting, employees will rebel.

7. Identify any applicable breach notification laws.

Almost every state now has data breach notification laws which require that breaches of sensitive data involving state residents be publicly disclosed. Some states even require data to be encrypted. Security managers need to know whether customer data needs to be encrypted on mobile devices, and which data. Your mobile security policy can go even further and only allow devices that support encryption. That way, should a device be stolen or lost, your business and its data will be protected. And instead of facing a serious and potentially costly data breach, you’ll only have to worry about replacing equipment.

And at the most basic level, make sure your business is using an email program designed to protect business data, like Microsoft Exchange, which is significantly more secure than Hotmail or Gmail.

Our highly affordable and customizable Hosted Exchange plans are designed for boosting security and productivity. They come with free A-to-Z migration, free 365/24/7 support by chat, email and phone, sophisticated data encryption and anti-spam filters, and email synchronization so that employees can keep their emails, calendar, contacts and tasks at hand—and safe.

Next time we’ll talk about some of the specific steps employees can take to further increase data security on their mobile devices, so follow us on Twitter or subscribe to our RSS feed.

*Update 17 Sep 2014: SkyNox now goes by a new name.

Written by JP Mercier Employee @ SherWeb

JP is SherWeb’s community manager. He has been working for IT companies since 2010, in both the software and cloud computing industries. JP has a degree in communication and specializes in online marketing. As a good Canadian, he is (overly) polite and loves hockey.