While smartphones and other mobile devices are increasingly used like personal computers and require the same security now standard in PCs—such as antivirus software and encryption—most mobile devices have the same lack of security as a 1998 PC.
But because mobile technology has revolutionized the way we live, work and communicate, it's easy to focus on the convenience and versatility of mobile devices, without giving much thought to security.
Users can be careless, adding to the problem. In fact, about half of users keep passwords, pin codes or credit card details on their mobile devices, and one-third keep sensitive work-related information, according to a 2011 report by McAfee and Carnegie Mellon CyLab, which surveyed 1,500 respondents in 14 countries.
As a result of these security weaknesses, data that is stored and transmitted on mobile devices is at risk. As the value of data rises and mobile devices begin outselling PCs—as Morgan Stanley predicts will happen in 2012—the need for risk-management and security measures becomes even more acute.
One way to think about the risk is to compare how people treat wallets as opposed to mobile devices; it would not be acceptable to lose a wallet as commonly as mobile devices are lost.
Rapid change, lagging security
Since mobile security is already lagging by a decade or more compared to PCs, it now has to do double duty: catching up with technology already in use, while simultaneously anticipating and outpacing popular new technologies. For example, "mobile wallets"—smartphones with near field communication (NFC) chips that enable fast, easy point-of-service sales—are poised for explosive growth.
With the landscape changing so quickly, it's important that risk and insurance professionals mitigate mobile security risks through a comprehensive strategy that includes preventative actions, ongoing vigilance and privacy-data breach insurance.
Major tasks for risk professionals include:
Creating companywide policies
Securing devices
Controlling apps and other non-business-related add-ons
Preparing for mobile wallets
Securing data collected and transmitted for sales purposes
Having the right insurance in place.
Creating companywide policies
Many people have one device for personal and professional uses. They may find themselves asking, "Is this my fun phone or my work cell?" Increasingly, the answer is both, with one device used for multiple purposes.
A majority of people use their mobile devices for business and personal e-mail, social media, document creation and storage, web browsing, e-commerce and other purposes.
To help maintain the security of data, it's desirable to equip each employee with one type of device from a single manufacturer. Admittedly, this could be challenging, since most people already have a smartphone or cell phone they like. However, it's much easier to track and monitor data and deploy an emergency response if control and access are centralized.
Employees should also use strong passwords that are unique to their work devices, and companies should mandate that they change them at least monthly.
In one instance, thieves hacked into Trapster, which alerts drivers to police speed traps, and stole email addresses and passwords. That incident pointed up a common security mistake and vulnerability: many people use the same password for several accounts or sites, making it easier for criminals to access their information.
Securing a mobile device
Simple carelessness can lead to loss or theft of a mobile device. There have been plenty of data breaches because laptops have been misplaced or stolen—and mobile devices are similarly vulnerable.
The McAfee and Carnegie Mellon CyLab report found that four in 10 organizations have had mobile devices lost or stolen; half of those devices contained business-critical data. More than a third of mobile-device losses have had a financial impact on the organization, according to the report, Mobile and Security: Dazzling Opportunities, Profound Challenges.
Security needs to start with the device itself. There should also be an instant-response plan in place in the event the device is lost or stolen.
Controlling apps and other non-business-related add-ons
It's also essential to take control of apps, restricting their use and establishing a policy of mandatory notification if apps are added or removed.
Browsing non-work sites or loading lots of non-essential apps increases the likelihood of introducing malware. The number of apps on mobile marketplaces contaminated with malware grew to 400 from 80 during the first half of 2011, according to a study by Lookout Mobile Security.
Preparing for mobile wallets
"Mobile wallets" using NFC technology are expected to become quite popular in the near future. Companies may deploy NFC to make payment easier, or employees may have NFC technology on their mobile devices.
Any NFC-enabled phone should have all the standard security measures, such as strong password protection and encryption, but there are additional risks and precautions. There is the danger of a "walk off"—accidentally leaving behind a phone where an application has not timed out quickly enough, enabling a thief to misuse the previously opened access. One simple fix is an alarm that activates when the phone is too far away from the user.
NFC-enabled devices can also be subject to eavesdropping and data disruption. While the solution for both would be to use SSL-encrypted tunnels, like those used in Internet transactions, it's not clear that the mobile phones used for these transactions will be SSL-enabled.
Securing data collected and transmitted for sales purposes
Retailers and service providers taking payments with NFC-enabled phones will have their own security issues. Customers could have their credit card and payment data intercepted at the place of business. This could result in minor annoyances, such as unwanted advertisements, or more serious problems like loss of customer trust, reputational damage, identity theft and legal liability.
With NFC, there is a complex web of responsibility. Sorting out what happened could be difficult, requiring time-consuming and expensive forensics to determine whether the problem was caused by the phone, chip supplier, phone operator, customer, reader supplier or shop. Legal costs could add up quickly.
Actions such as ensuring that the reader is secure and also PCI compliant can help to manage risk. Encryption or an equivalent protection measure can help protect the transaction data.
It's also critical to understand and get the most favorable terms in the contract with the reader's supplier. The reader should be secure as supplied, and the contract should specify who is responsible for a security problem. While none of these methods are foolproof, they can reduce the likelihood of a data breach.
Data breach insurance essential
While prevention and risk management can help reduce data breaches, insurance is essential to protect against the costs and liabilities associated with a breach that compromises personal information. Policies typically cover notification costs, forensic services, credit monitoring, legal assistance, identity restoration and public-relations services. They will also cover specific exposures, such as personal health-data breaches.
Staying ahead of risk
As several trends converge—the explosion of mobile communications, the collection and storage of vast amounts of personal and commercial data, and more mobile commerce—the risk landscape has become more complex. Mobile communications are accelerating quickly. Although it's challenging, security needs to be one step ahead of those accelerating risks.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.