What’s not to like about a good bring-your-own-device (BYOD) policy? For most companies, BYOD is a great deal. Employees buy and maintain the devices, and the company gets the benefit of their off-hours availability and productivity while traveling. Nearly three-quarters of organizations with enterprise mobility initiatives have adopted a plan to establish a BYOD policy.

But BYOD can be a sinkhole from a security standpoint if users are unaware of the risks associated with carrying valuable business data around with them. Consumer Reports estimated that 5.2 million smartphones were lost or stolen in the U.S. in 2014, the most recent year from which data is available. Nearly 200,000 phones were left in taxis that year in London alone.

Mobile Device Management and Data Loss Protection

Many companies that adopt BYOD policies also install mobile device management (MDM) software. These enterprise mobility solutions provide great value, but they have their limits. Most work at the hardware, operating system and application levels. They’re great for remote software installation, configuration management, security and asset management, and they can be used to track the location of a device or wipe it clean in the event of loss or theft.

You can also apply certain MDM features to minimize the risk of data loss. For example, most providers will let you set up a password-protected secure area in which to store business files. Any data that comes into this sandbox is tagged and cannot be forwarded or downloaded. This area can also be remotely wiped clean in the event of loss or theft without disturbing personal data.

MDM solutions aren’t designed to manage data, however. That demands a different set of tools and procedures under the umbrella of endpoint data loss protection (DLP). While MDM manages the device, DLP works at the data level. It provides rigorous controls over who can access what data and what they can do with the data they have. DLP can specify, for example, that files in a certain directory with a particular name suffix or files that are password protected cannot be downloaded to local storage or sent across the network.

A Culture of Protection

But enterprise mobility technology alone doesn’t solve the problem. You also need procedures, policies and a culture that recognizes the importance of data protection.

If you have a BYOD program, you need a written policy that specifies what information can and can’t be downloaded to personal devices and the penalties for running afoul of the rules. Any employee who uses a personal mobile device for work should read and sign the policy. It’s not a bad idea to require some training, too. You can find a variety of actual policies and templates online.

DLP is useless without a classification scheme. In the same way that the federal government assigns security levels to information, such as confidential, secret and top secret, your company data should be classified based on its sensitivity. You can then apply a DLP solution to restrict access to specific people, departments and functions. The best protection against compromise is not enabling data to be downloaded in the first place.

Endpoint Management

If you’re considering MDM, you might want to broaden the possibility to include endpoint management. This increasingly popular toolset gathers rich information about each client, including hardware and operating systems configuration data and the status of installed applications. It can apply patches and fixes remotely and perform most other functions of a full-blown MDM solution.

Many endpoint managers now support intelligent agents on the endpoint, enabling security organizations to get a fine-grained view of how devices are being used. These agents can be configured to take actions, such as blocking downloads of information in .doc or .xls formats, automatically. They can prohibit the use of email attachments and alert IT of large file uploads and downloads. When choosing an endpoint solution, be sure to ask about support for these features.

Enterprise Mobility in the Cloud

Unfortunately, there is still no comprehensive solution to monitor or control what data employees store on mobile devices. The best approach is to combine education with selective access and remediation through capabilities such as remote wipe.

But you might also want to opt for a simpler solution, such as putting everything in the cloud. Cloud-based file-sharing services give IT complete control and can be configured to prohibit local file storage. Users can access and manipulate files just as if they were on a local drive, but everything is stored on the cloud server. Given the speed and coverage of today’s mobile networks, it’s hard to imagine why anyone would need to store data locally at all.