Remember the TJX security debacle stemming from a poorly protected Wi-Fi network at one of the retailer's stores? Given the result--45 million credit and debit card numbers compromised over an 18-month period and fines and settlements of at least $50 million--you'd think the flawed security mechanism that enabled the attack would be stomped out by now, a full five years after the story broke.

You would, however, be mistaken. Our InformationWeek 2012 Mobile Security Survey shows that 24% of respondents' companies are still using WEP, the technology at the root of T.J. Maxx's problems. And these are people who should know better--every one of the 322 business technology professionals responding to our survey is involved with mobile device management, policy development, and/or security.

The good news is that bring-your-own-device programs have helped push this topic to the fore: 90% of the 946 respondents to a separate survey, our InformationWeek 2012 Strategic Security Survey, believe mobile devices pose a threat to their companies' security now (69%) or that they will (21%). The No. 1 and No. 2 concerns: loss of a device containing sensitive data or an infected personal device connecting to the corporate network.

Mobile security as a focus area is here to stay. But what if we're going about it the wrong way? Smartphones are just computers that fit in our pockets, and ultrabooks are poised to blur the line between tablet and laptop. Most end users don't differentiate between Wi-Fi and 3G/4G access, and carriers want it that way because they see Wi-Fi as critical to combating spectrum shortages. Today, mobile security is end user security is data security. Maintaining two or three separate policies is a recipe for confusion and noncompliance.

Let's delve into the (sometimes disturbing) findings from our survey, then look briefly at ...