Mobile workers are more productive than ever.
For this, they can thank not just notebook PCs, but smartphones that offer
instant access to e-mail and applications, and portable storage devices
with capacity that surpasses the average disk drive of just a few years
ago.
"To call smartphones 'phones' really is a misnomer," says Mont Phelps,
CEO of NWN, a multibranch solution provider. In reality, smartphones act
more like notebook computers every day. Consider a recent InformationWeek
online survey of 1,139 business technology professionals: Thirty percent
of smartphone users said they use their devices for enterprise connectivity,
and 37 percent either occasionally or frequently leave their notebooks
behind and rely solely on their smartphones.
Such usage will only grow over time, according to market researchers,
who expect smartphone sales to surpass those of notebooks -- if they haven't
already. And where business users take their computing, attacks that jeopardize
the confidentiality and integrity of data are soon to follow. "As with
most technologies, smartphones and mobile storage were initially designed
to be easy to use for widespread adoption," says Hector Carveth, technology
solutions engineer at Ingram Micro. "Today, with business usage growing
on these devices, security starts to matter."
That equates to a market set to soar. Although most enterprises go to
great lengths to secure their notebooks, the same isn't true for smartphones
and mobile storage media. "My risk management studies tell me the exposure
is very high," says Charles T. Wilson, risk management consultant at RiskSmart
Solutions. "I strongly believe hackers are a lot smarter and more motivated
than small to midsize businesses. And security protections for these firms
are far from cutting-edge in quality and timeliness of implementation."
Guarding Against Malware
The growing number of vulnerabilities on smartphones suggests the need
to prepare for attacks. No platform has gone unscathed. There's the vulnerability
found, and since patched, in the new Google Android platform that enabled
hackers to execute commands by sending text messages. A recent iPhone
update from Apple fixed a dozen security vulnerabilities, including one
that made attacks possible as users viewed TIFF images. And vulnerabilities
within Safari could be exploited when users visited malicious web sites.
To date, virus writers have created several hundred viruses designed
to infect smartphones. Fortunately, most of these have been so-called
proof-of-concept designs, in which the authors used the code to demonstrate
the viability of an attack, but didn't design the applications to actually
harm users. That, most experts agree, will change.
In response, leading security manufacturers have released products to
protect smartphones from spam, viruses, spyware and Trojans. These include
Symantec's Norton Smartphone Security, Trend Micro Mobile Security, McAfee
VirusScan Mobile and F-Secure Mobile Security. While specific capabilities
vary, they all include firewalls and the centralized management that enterprises
need to handle a swarm of mobile devices.
Hardening smartphones is only half the security equation, however. Portable
storage devices also require attention. Countless breaches, at organizations
ranging from small businesses to the U.S. Armed Services, involve mobile USB
storage devices.
Consider a recent breach in the U.K., where the British Department for
Work and Pensions had to shut down a government computer system because
a USB drive was found in the parking lot of a pub. The drive contained
the passwords of about 12 million residents for a government web site
that helped residents manage everything from parking tickets to taxes.
Why Mobile Security?
- PROS: More threats, more devices
- CONS: It's early
- BOTTOM LINE: Worth pursuing
Locking Down Access
With millions of USB-enabled storage devices in circulation, from smartphones
and MP3 devices to full-fledged hard drives, the need to lock down and control
access has never been greater. A number of security manufacturers, such
as Lumension Security, Safend and Credant Technologies, offer solutions
that do everything from denying access to unauthorized devices to creating
detailed audit trails of information transferred to them.
An example of the opportunities open to solution providers comes from
Robert Pittman, Los Angeles County's chief information security officer.
L.A. County is in the midst of a three-phase attempt to lock down sensitive
data throughout its 38 departments, which operate in more than 70 separate
geographic locations. But with laws surrounding regulatory compliance
growing more complex, and the number of publicly disclosed breaches through
lost USB drives escalating, Pittman decided he would pursue a long-term
strategy to lock down all sensitive data.
The first wave got under way about a year ago, when the county encrypted
the information on roughly 11,000 of its workers' laptops across all departments.
Next, Pittman and his team turned their attention to locking down the mobile
storage devices used by those systems.
"We started that initiative with the Department of Mental Health because
it is regulated by HIPAA," explains Pittman. Part of the Health Insurance
Portability and Accountability Act requires organizations to keep patient
information private and secure. This means when workers copy patient information
to a CD or a thumb drive, it must be encrypted. "Not only does the information
have to be encrypted," Pittman says, "but we have to be able to demonstrate
that it's encrypted."
For these capabilities, the county deployed applications that can enforce
detailed security policies for removable storage devices, which range
from having data encrypted to allowing or denying the use of specific
USB drives.
Selling the Solution
Experts advise starting the sales process by educating clients about the
threats to confidential information stored on mobile devices, and the
probability that hackers will start crafting more attacks. The devices
that most need protecting are those carried by management and senior executives,
as they are likely to contain the most sensitive data. "You want to ask
about the sensitivity of the data and the e-mails the executives are managing
on these devices," advises David Mortman, chief security officer at security
research firm Echelon One. Also, consider selling mobile security to heavily
regulated organizations, including publicly traded firms and those in
healthcare, finance and government. Regulations such as Sarbanes-Oxley,
HIPAA and the Federal Information Security Management Act for federal
agencies all require that certain types of information remain confidential
wherever it's stored.
"Smartphones will be targeted increasingly as the quantity of devices
grows and the complexity of the OS continues to change," says Arlin
Sorensen, CEO of Heartland Technology Solutions. "As we store more
sensitive data on our mobile devices, the bad guys will come after them
just like everything else we have to protect today."
Sourcing Mobile Security from Ingram Micro
"With mobile security it's crucial to stay on top
of the latest trends in both attacks and mobile security technologies,"
says Hector Carveth, technology solutions engineer at Ingram Micro.
"Solution providers with access to this knowledge will succeed."
Ingram Micro has two divisions that can help solution providers
secure their clients' mobile workers, the Mobility Division and
the Security Division. Together they offer a diverse portfolio of
resources and assistance:
- Strategic relationships with leading carriers such as AT&T/Cingular
Wireless, Sprint Nextel and Verizon Wireless
- Alliances with top manufacturers and ISVs, including Cisco Systems,
Good Technology, Motorola, Nokia, Palm and RIM
- Alliances with leading mobile security ISVs such as F-Secure,
McAfee, Symantec and Trend Micro
- Insightful sales and marketing support, including certified
technical support staff, field-sales engineers and marketing resources
- Extensive field-sales and online training and education programs
For more information, Ingram Micro's customers can call (800) 456-8000,
ext. 66054, or visit ingrammicro.com
and click on Mobile Worker under Technologies and Vertical Markets.