"When it comes to tackling device security, organisations should resist the temptation to create a separate policy for every new form factor," he says. "That will inevitably lead to cross-over, contradictions and gaps between policies.
"Instead, create one over-arching policy and then tailor the implementation and the systems management technology for the varying device types."
Assess risks
Before setting up a series of security protocols addressing every known risk and attempting to address unknown risks, businesses could save themselves some time and money by sitting down and working out what risks they really face.
The ISF's Durbin recommends taking a pragmatic view: "As far as SMEs are concerned it is about focusing on the areas that are absolutely business critical.
"It is about trying to understand where your critical information sits, who has access to it, who needs to have access to it and from where, then reaching an agreement as to how that information may be accessed."
He adds: "Most organisations probably only have in the region of 10-15% of their information that is really highly sensitive. The problem is that often that information tends to pop up in about 15 different places on average, based on recent surveys."
Look for weaknesses in the supply chain, advises Durbin. "It is about considering who else you are sharing your information with in the supply chain; other organisations, departments or individuals. If you are sharing your information with a third party, have you asked the question as to where they store their information?"
He believes that if a business is going to allow people to access corporate systems using their own smartphones or iPads, it has to get employees to agree to steps such as maintaining upgrades, and that one of the most effective ways is through peer pressure.
"You want people to be talking about 'Have you seen the latest version of iOS?' or whatever. It is about sharing that culture of how you are making use of these tools that has a number of different benefits not just on the security side but also increasing effectiveness."
There are also challenges specific to the security of mobile devices used in businesses. See Protecting information on mobile devices.
