Many businesses are mandating password protection and software updates on mobile devices, but few have got as far as implementing anti-malware and anti-spyware as they would with laptops.

Maiwald says tools are available, but that until recently Apple rejected anything to do with anti-malware on its devices as they were seldom targeted.

There are more tools for Android, and some companies urge employees to install some of the freeware anti-malware packages on their devices, but few are ready to deploy commercial-grade anti-virus.

According to Maiwald, there are lots of reasons businesses are not yet implementing anti-malware measures on mobile devices, including the fact that the technology is new, that it impacts the performance of the device, and that it is a cost enterprises try to avoid.

In the meantime, businesses should look to enable passwords, educate users about malware on apps, and upgrade operating systems - bearing in mind mobile devices that are older than two years may not receive security updates and patching.

They also need to turn off discovery mode in Bluetooth, ban jailbroken phones from accessing company data or systems, and consider encryption and anti-malware, particularly on Android devices.

MDM option

How to enforce all of this in a BYOD world? Most experts recommend a balance of technology and policy. Mobile device management (MDM) platforms, once the preserve of big business, are now an option.

"MDM is out there for small and medium-sized business, as software-as-a-service," says Bob Tarzey, analyst and director at Quocirca.

"There are a number of ways to enable BYOD, but perhaps the best is to only enable it as an access device, then the on-device security is a matter for the owner, as corporate security issues are handled centrally."

There are so-called container products already on the market, where email and company information is held inside an app on the device and the enterprise can remove the app and all the information without impacting the rest of the device. "I expect that in the next five years they will improve and we will see some additional mechanism that allows us to separate business information from personal," says Eric Maiwald.

Of course, there are other questions around information ownership and responsibility for protecting a device. What can the enterprise do if the employee leaves the company or if the device is no longer in use? What happens if a company needs to wipe data from a device remotely?

These issues call for policies and protocols across the business. See part 2, IT security protocols for flexible working.