If the car you purchased two weeks ago were stolen because you failed to update the lock and key system, you would surely feel angry. Preparing your workforce for mobility is equally frustrating: even if a product has built-in security, it is often insufficient for your business needs, or you find that its expert configurations are unsuitable for home users.
Fortunately, the motor industry has learned from its customers that security is not an optional add-on. Veteran cars used to have starting handles and open sides. But the industry responded to consumer needs with secure ignition mechanisms, door locks and immobilisers.
Now that networking has become vital for mobile workers, IT is facing a similar situation, in that it must address the needs of its consumers.
In its "Teleworking the Quiet Revolution" report, analyst Gartner says that by 2008, 41 million corporate employees globally will telework at least one day a week, and almost 100 million will work from home at least one day a month.
"Organisations that do not account for virtual work styles on business processes will waste IT dollars and employee productivity," says the report. "A failure to align processes and services to distributed work will degrade the viability and performance of 75 per cent of businesses."
But mobile working is not without its dangers: sensitive data can easily be left behind on public transport; malware infections are aggravated by obsolete software; insecure connections encourage eavesdropping; unauthorised portable devices collect information from behind firewalls; intruders masquerade as legitimate users; and the theft of devices loaded with passwords is common.
While risks will always exist, the vulnerability when data passes from one device to another can make matters worse. Viewers, browsers, storage technologies and networks each create a unique environment that presents a security product opportunity.
Each niche is populated by specialised products and services, thus complicating the picture: intrusion prevention, virus scanners, cache cleaners, authentication managers, disk encryption, topology analysers, firewalls, PKI, WEP, WPA, etc.
This leads to the typical defence when device vendors are asked why products cannot be plugged in and used securely without configuration or additional security products - complexity.
"Asking vendors to ensure that their products are secure out of the box is probably asking too much," said Glenn Stephens, company founder and vice president of Centennial Software, a supplier of network discovery systems.
"No vendor can predict every network permutation or use of its product. Each separate element in a network can have a big impact on other areas, and one setting alteration can hang an entire network."
Stephens explained that the complexity this creates means that vendors must make certain their products work - even insecurely. After that, the purchaser becomes responsible for making them safe.
"Vendors are driven to ensure that their products sell to the widest possible audience and so must avoid making them too difficult to use," he said.
"We're seeing an increasing number of products marketed with a better choice of optional security functions, but that is what they're likely to remain - options."
Andy Barker, head of mobility at Fujitsu Siemens Computers (FSC), suggested that configuring this mass of products is the role of the sales channel. "The reason we sell to the end-user via the channel is so they can get exactly what they want," he said.
He cites customer choice of accessories, support and integration of multiple-vendor components as reasons the channel approach is successful for companies such as FSC, which are not geared to support specific solutions across the UK. "It is the core competence of the channel to provide this support," he said.
Paul Simmonds, ICI global information security director and spokesman for the Jericho Forum user group, believes that the proliferation of products causes companies to ignore security. "A lot of companies shrug their shoulders and turn a blind eye," he explained.
But if networking is too complicated for vendors to pre-configure their devices, and too complicated for users to set up properly, then we can only ever look forward to specialist configurations created by the sales channel or the IT department. This solution is hardly optimum for a mobile workforce largely absent from the office.
"People want solutions, not technology," said Butler Group senior analyst Mark Blowers. "It has to be end-to-end security that is invisible to the user, manageable and easy to administer."
Blowers believes that the security landscape is, in essence, flat. "All the same principles apply in each new environment: authenticate, encrypt and verify," he said.
And because these principles apply, there is some hope that standards, or at least a minimum security requirement, will make installation and configuration easier, according to Bill Pepper, director of security risk management at CSC.
Pepper believes that it isn't easy to create a standard because the "requirements and risk appetites of organisations differ", but said that, as formal certification to the information security standard BS7799 becomes prevalent, it is possible to link these minimum requirements into BS7799. "It would help move the industry forward," he said.
And there is some optimism that mobility will ease complexity through inevitable device convergence. Pepper suggested that this will help the development and take-up of standards.
"We are already seeing convergence of PDAs and phones. And, as technology matures, some organisations are looking at replacing low-end laptops with a single device," he said.
Blowers agrees. "Since we are entering an era of diverse devices on different operating systems, a consistent tool and approach to security on each device will help reduce holes and the risks of a breach," he explained.
But in the end, he warned, the devices must be usable and not drowned in security, otherwise the security options will be turned off or not used at all.
But a revolution is brewing. Jericho is a collaboration of IT user organisations dedicated to developing open standards for secure information flow. The group believes that complexity makes it impossible to secure a network. And with new devices and technologies appearing constantly, a rethink is needed.
Simmonds maintains that we should secure the data rather than an imaginary enterprise perimeter. "A boundary does not really exist as a control point," he said. In his world there is no distinction between internal and external; just users with varying access to assets depending on their authentication and client device.
Reggie Best, chief executive of virtual private network (VPN) vendor Netilla Networks, explained that times are changing.
"An increasingly nomadic workforce, coupled with a growth in partner extranets, has made it nearly impossible to segregate the internal network from the outside world. Attempting to adhere to traditional security conventions that establish trust boundaries is fruitless because the network perimeter is disappearing," he said.
Jericho's members include ICI, BBC, HSBC, Royal Dutch/Shell and BP, making it certain that Simmonds's three essential steps to securing the mobile workforce are noticed by vendors:
- Inherently secure protocols that are encrypted, authenticated and repudiated
- Federated identities to enable seamless authentication across businesses
- Inherently secure system design, where additional software or configurations are not required for products to be secure.
These ideals are difficult to deliver and Simmonds admits that the concepts are more "a change in emphasis and thinking" to get the debate moving.
Stephens cannot envisage fully secure plug-and-play network devices in the foreseeable future. "Users need to take a generalist approach and welcome the opportunity to lock-down security problems as they arise, rather than as a standard," he said.
And it's true that the industry frequently creates security risks that need 'locking down'. The Google desktop search is a case in point: unencrypted data is cached on machines, even if that data comes from, for example, encrypted secure socket layer (SSL) VPNs.
Some say that SSL VPNs represent the state-of-the-art for mobile security and many come with a cache cleaning product that is run after each session. The Google tool circumvents this security option.
"Security managers beware. While users would definitely cherish the power of desktop search on their computers, its use on remote devices would expose huge amounts of confidential information to unauthorised viewing," warned Dana Hendrickson, president of SSL VPN Central, an analytical research portal of the Breakaway Marketing Group.
Despite the problems, Blowers is optimistic for the future. "Security solutions will take care of switching network boundaries in and out of the office," he said. "Wireless and wired will blur until there is no distinction. Eventually, users will do nothing different, whether working from home or working at the corporate headquarters."
It took the motor industry a century to ensure that security features in cars are standard, not something which needs to be installed or configured. Let's hope there is not another 60 years to go before IT can look forward to the same facility.
In the meantime, we must know the enemy and prepare. As Edmund Burke, MP and 18th century critic of the excesses of authority, said: "Better be despised for too anxious apprehensions than ruined by too confident security."