
Governance the key if you don't want mobile workers escaping your control

On the move but not on the loose

Lost property

If you have a device enrolled and secured sensibly, the risk of its contents going astray while it is in the user's hands is small. The more usual problem is the device being lost or stolen, and nine times out of ten the screen lock is already engaged when that happens. That means whoever nicks or finds the device can't do anything without the unlock passcode, which your policy has made suitably complex.

Even if the device is found unlocked, the finder should not be able to change the settings so that it stops auto-locking after the set number of minutes of inactivity: that setting belongs to your management policy, not to the user. Pair it with a limit on failed unlock attempts and the finder will quickly get either bored or locked out.


And because you can remotely wipe the unit with a simple tickbox on the central management server the moment the user reports the loss, the cupboard will be bare by the time the new owner of the phone manages to get in. (A wipe command is only delivered when the device next comes online, which is why the screen lock, the passcode and on-device encryption have to hold the fort in the meantime.)

We have talked mostly about phones and tablets, on which users will mainly be running fairly basic applications: email, calendars, office-type apps and browser-based access. But what about laptops?

Firstly, a corporate laptop is merely a normal corporate machine that happens to be portable enough to be used outside the office as well as inside. So it will be joined to the corporate directory, carry the corporate anti-virus suite, receive the corporate patches and policies, and so on.

Taking a tightly controlled device out of the office and using it remotely poses minimal risk so long as (a) you ensure that it authenticates and encrypts strongly when connecting into the network; and (b) you encrypt its disks so that the data cannot be read if it falls into the wrong hands.

If you are a Windows house, my view is that you should simply use DirectAccess. It is brilliant: it gives domain-joined corporate PCs an always-on, IPsec-protected link to the organisation's network without the user farting about manually dialling a VPN link (the catch being that the client has to be an Enterprise edition of Windows).

Locks and keys

There is only one downside: in my experience configuring DirectAccess from scratch is just a tad harder than, say, putting a man on the moon. Happily, there are companies out there that can do it for you, and I gather that modern versions require rather less rocket science. If you are not a Windows house, well, you are back in traditional VPN territory: an always-on client VPN authenticated with machine certificates or two-factor credentials rather than a password alone.

You must, of course, enforce two-factor authentication on corporate laptops in case they are lost. My favourite addition to the username/password challenge is fingerprint identification: users are more likely to forget their 2FA dongle than their hand (and laptops with fingerprint sensors are no longer stupidly expensive). One caveat: configure the reader as a second factor alongside the password, not as a convenient replacement for it, which is how many vendor fingerprint utilities set it up by default. A biometric that substitutes for the password leaves you back at one factor.

To ensure that a lost or stolen PC cannot be booted into Windows and read, packages such as BitLocker and a bazillion others on the market combine with the laptop's TPM (the trusted platform module chip on the motherboard) to encrypt the on-board disks. The caveat is that the TPM on its own only checks that the boot chain is intact: in TPM-only mode the disk is unlocked before the logon screen ever appears, which is exactly what cold-boot and DMA tricks rely on. So you still need strong authentication at boot time, which for BitLocker means a TPM-plus-PIN (or TPM-plus-startup-key) protector. With that in place you can make your portable computers super-secure.
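As an added example (this is not code from the article), here is the check and the fix for that caveat in PowerShell: report whether a laptop's OS volume is encrypted and whether it is sitting in the weak TPM-only mode, set the local policy that requires a startup PIN, and convert an existing TPM-only volume to TPM+PIN with a recovery password escrowed first. The function names are this example's own; the cmdlets come from Windows' built-in BitLocker and TrustedPlatformModule modules, and the registry values mirror the "Require additional authentication at startup" Group Policy setting.

```powershell
# Added example: audit BitLocker on a Windows laptop and move it from
# TPM-only (weak) to TPM+PIN (corrected). Function names are this example's
# own. Run elevated on the laptop itself.
#Requires -RunAsAdministrator

function Get-OsVolumeEncryptionReport {
    # One object describing the OS volume: encrypted or not, and whether a
    # pre-boot PIN is actually required, or the TPM unlocks the disk by itself.
    $tpm   = Get-Tpm
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        VolumeStatus   = [string]$vol.VolumeStatus   # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
        Protectors     = ($types -join ',')
        # Weak: a bare 'Tpm' protector releases the key as soon as the boot chain
        # measures clean, so a thief reaches the logon screen with the disk open.
        TpmOnly        = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
        HasRecoveryKey = ($types -contains 'RecoveryPassword')
    }
}

function Set-RequireTpmPinPolicy {
    # Local equivalent of Computer Configuration > Administrative Templates >
    # Windows Components > BitLocker Drive Encryption > Operating System Drives >
    # "Require additional authentication at startup". Values: 0 = do not allow,
    # 1 = require, 2 = allow. A domain GPO would normally push these instead.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableBDEWithNoTPM -Value 0 -Type DWord  # no TPM, no BitLocker
    Set-ItemProperty -Path $key -Name UseTPM             -Value 0 -Type DWord  # weak setting: TPM alone not allowed
    Set-ItemProperty -Path $key -Name UseTPMPIN          -Value 1 -Type DWord  # corrected: TPM + startup PIN required
    Set-ItemProperty -Path $key -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name UseTPMKeyPIN       -Value 0 -Type DWord
}

function Convert-OsVolumeToTpmPin {
    param([Parameter(Mandatory)][securestring]$Pin)
    $mp  = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $mp

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Not encrypted yet: switch it on with TPM+PIN from the start, plus a
        # recovery password (Aes256 is accepted on every BitLocker version).
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $mp -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    }
    else {
        # Already encrypted: make sure a recovery password exists and is escrowed
        # in AD (needs the AD DS backup policy enabled) before touching protectors.
        # A mistake here without that is a locked-out laptop.
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            $recovery = (Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector).KeyProtector |
                        Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $recovery.KeyProtectorId | Out-Null

        # Swap the TPM-only protector for TPM+PIN in one go, so the volume is
        # never left across a reboot with only the recovery password to unlock it.
        $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
        Add-BitLockerKeyProtector -MountPoint $mp -TpmAndPinProtector -Pin $Pin | Out-Null
    }
    Get-OsVolumeEncryptionReport
}

# Usage, on the laptop, elevated:
#   Get-OsVolumeEncryptionReport | Format-List      # expect TpmOnly = False, HasRecoveryKey = True
#   Set-RequireTpmPinPolicy
#   Convert-OsVolumeToTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

The report function is the piece to run fleet-wide (via your management tooling) so that any laptop that has drifted back to TPM-only or has no escrowed recovery password shows up before it goes missing; the policy and conversion functions are the per-machine fix, and the user will be asked for the PIN at the next boot.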

There is one other thing you can look at: what users can reach when laptops are outside the corporate network. This is particularly relevant to internet access: you of course have perimeter controls that intercept unwitting attempts by users in the office to reach www.please-give-me-a-virus.com, but how do you enforce that when they are at home?

Easy: you buy one of the products (I really like Websense's offering) that plonks an agent on the laptop to enforce the corporate web policy on the device itself, so the same filtering applies whether or not its traffic passes through your perimeter.

Sounds bonkers, but since you have prohibited users from uninstalling software on their machines (you have, haven't you? In practice that means no local administrator rights), there is nothing they can do to get around it, and they can't whinge about you controlling what they do with a corporate device.
