In order to protect information held on and communicated with mobile devices, your organisation need to consider several issues when operating in unprotected environments.

Mobile devices policy should consider registration as part of the information asset register, the physical protection of the device, restriction of installation of unauthorised software, patch updates, any restrictions to both internal information assets and external sources to prevent unauthorised use or 3rd party interference. Further consideration should be given to access control (both to the device and internal information assets), cryptography, malware protection, backups and remote controls for disablement, lockout or information deletion.

Employees should be made aware of the risks of operating mobile devices in public places and a policy should clarify any organisation specific processes to reduce / mitigate any potential threats of loss/theft of the device or interception both physical and logical locks should be considered for devices carrying business critical information. Training should be given, where considered appropriate by a risk assessment. Consideration should be given to use of privately owned devices to allow segregation of personal and private use.

Wireless connections (both Wifi and Bluetooth) are notoriously insecure especially in public places (coffee shops, airports, hotels, conferences etc) consideration should be given to this.