According to Our Mobile Planet, the United States is currently experiencing 31% smartphone penetration, second only to Australia at 37%. They also state that 53% of Americans get online via smartphone multiple times per day, second to Japan at 68%. Okay, we get it, we’re addicted. The first step is to admit you have a problem, right?

Seemingly everybody has a smartphone, and these devices are obviously used while in the workplace. Tablets are brought in, as well. These consumer devices present a security risk – no doubt about it. What are you going to do about it?

You first have to know what you’re up against, and then what stance your company is going to take. I spoke with three experts on this subject: Don Gray, chief security strategist for Solutionary, Jon Heimerl, director of strategic security for Solutionary, and Mike Dillon, CTO for Quest. Here’s what they say you need to be doing in order to not lose control of your company’s security when it comes to personal mobile devices.

Top Security Concerns

CIOs bear the brunt of the challenge when it comes to security for personal devices brought into the workplace. According to news announced yesterday from International Data Corporation (IDC), “CIOs are struggling with the growing number of devices infiltrating their enterprises and must balance the acceptance of these devices with securing and managing corporate assets and keeping user in compliance, while respecting privacy issues.” The news report states, “While more than 80% of enterprises surveyed are planning to spend the same or more on mobility in the next 12–18 months, surprisingly few companies have developed effective mobile policies to address BYOD (Bring Your Own Device).”

Jon Heimerl lists the following as top security concerns for enterprises:

· Influx of malware and viruses: “Regardless of how alert an employee is about their own privacy and security, they are not worried about HIPAA or PCI (Payment Card Industry) compliance on their personal portable devices. The introduction of personal devices into an organizational network will be accompanied by an associated influx of viruses, Trojan horses and other malware.”

· Company information being downloaded on personal devices: “Invariably, organizational information makes its way onto personal devices. This can be as simple as a phone list, or could include email and company files that contain sensitive corporate information, or cached information from the internal organizational network. Data can easily leave the organizational network en masse.”

· The potential to compromise company audit and compliance requirements: “Since the organization may not have control over the device, and the device can include private corporate information, the devices can quickly compromise organizational audit and compliance requirements. CIOs need to think about if private healthcare information or credit card information has migrated onto a personal device. And if so, do they have a way to ensure that it is properly protected to meet compliance requirements?”

What’s Your Official Stance?

Heimerl states that companies need to have an official stance on mobile devices. Three options to consider are:

· Personal Device: “Employee buys it and supports it, and is fully responsible for complying with organizational policies and requirements.”

· Approved Device: “Employee buys a device that has been approved by the organization. The employee gives up administrative control and the organization manages security of the device.”

· Organizational Device: “Organization buys and provides the mobile device, and authorizes the user ‘appropriate personal use’ of the business device that is owned and managed by the organization.”

Each option comes with its own set of headaches, bureaucracy, conformity or lack thereof and compliance from the employee.

Ensure Compliance

So you have an official stance on mobile devices – how do you make sure employees are adhering to it? Don Gray and Mike Dillon offer these suggestions:

· Thoroughly train employees: “Train everyone in your policy and appropriate controls. This should include the employee’s right to privacy, as well as the organization’s right to protect information, and the employee’s responsibilities and obligations to protect organizational information, regardless of what form it takes or where it resides,” said Gray.

· Control mobile data: “To ensure security compliance, an organization will need to control what data a mobile device can access. All connectivity is included in this process including work email, applications, CRMs, shared drives and data policies between an organization’s partners and customers,” suggests Dillon.

· Find tools that fit your business: “Just as you shouldn’t rely on mere policy and training, carefully evaluate the actual capabilities of mobile device configuration and management tools. Find tools that best fit your organization’s technical capabilities, controls and employees. Strongly consider partnering with a 3rd party provider that can help with the evaluation, configuration and on-going monitoring and management,” said Gray.

If a company is aware of the risks that threaten them, they can better protect themselves from security threats. Your company is unique, and so are your needs in mobile security. There isn’t a one-size-fits-all answer to this fairly new phenomenon. I’d love to hear how you’re addressing this issue in your company.