With the entry of consumer-grade smartphones, tablets and other devices in the workplace, employees increasingly access both personal and business information over a single mobile device. This presents serious security and compliance issues, particularly for hedge funds and other alternative asset managers.

“When you look at the internal workings of a hedge fund, they have a lot of different things that they do, from trading to reporting, to analytics and to risk management, and the challenge is how much to do in a mobile device,” said Shams Karim, founder of Nirvana Solutions, a provider of portfolio management software to hedge funds, prime brokers, and fund administrators. “We have clients that are coming to us, and saying, ‘How come we can’t do ABC on a mobile device?’ The first thing that we have to think about is, when you are talking about a mobile device, there are limitations.”

Whether mobile devices can have the same level of security depends on the context. Excellent cyber-security software is available for both mobile and desktop devices, although a broader array is available for desktop.

“In most cases, on balance, the mobile device is less secure than the desktop, but it is possible to close the gap between the two types through a thoughtful two pronged-approach of implementation of strong technical safeguards and education of users regarding their role in responsible security practices,” said Mason Weisz, counsel at ZwillGen, a law firm that specializes in information security issues.

The mobile nature of mobile devices is often viewed as a liability, since the devices can more easily be lost or stolen. It is possible to implement compensating controls, however, such as full device encryption, remote security administration through mobile device management arrangements, an automatic screen lock after a short period of time, complex password requirements, and the mandatory use of security features such as fingerprint scanners.

“Moreover, for some people, their mobile device is arguably more secure because they maintain uninterrupted possession and control of their device, as opposed to their desktop, which they abandon nightly and on weekends,” said Weisz.

There are several MDM (mobile device management) solutions available to hedge funds that are capable of securing phones, tablets and just about any other remote device.

“Having a solution like this in place is important to protect your sensitive data,” said James Russell, principal, Information Technology Group at advisory firm Rothstein Kass.

“Staff is a huge vector for data loss or theft, and people want to have access and work from just about anywhere,” Russell said. “This means they may have sensitive documents on laptops, phones and tablets, so if your business permits this it is important to extend the same security you have on the network to these devices.”

That is where an MDM program comes into play. “You can create policies that get applied to devices and make sure they meet your security requirements,” said Russell. “If the device meets your requirements then it can connect, if they do not then they are blocked. Many of the available solutions also allow you to remotely wipe a device if it is lost or stolen which is important since that is a recurring issue with mobile devices.”

The MDM should support a variety of devices and operating systems (Apple, Android and Blackberry). Additionally, it should restrict and monitor app downloads, manage content, provide seamless encryption and password management and log unusual behaviors.

“You don’t want to create a process which is too cumbersome for your client,” said Karim. “The more layers of security that you put in, and the more layers of authentication that you put in, the more cumbersome it become to use the mobile devices.”

The biggest security threat is people just going about their day to day work without having a security mindset. So taking time to train people is probably one of the easiest and most effective ways to reduce many security threats.

“It is imperative to train staff and clients to always have a security mindset and view every interaction through a data security lens,” said Russell. “This requires internal training, which should be done annually. It should also include a security conversation with your clients. While some may initially balk at being told they need to go through some extra steps to send you data, once you explain the reasons and how it is to protect them they tend to come around pretty quickly.”