Editor's note: Amy Gahran writes about mobile tech for CNN.com. She is a San Francisco Bay Area writer and media consultant whose blog, Contentious.com, explores how people communicate in the online age.
(CNN) -- Mobile devices are emerging as a key security risk, especially for companies. As a result, the vast majority -- 95% -- of companies have mobile security policies in place.
But two-thirds of employees aren't aware of their employers' mobile security policies, according to a new study by the online security provider McAfee and Carnegie Mellon University.
Furthermore, most of the 1,500 companies surveyed report that their employees don't understand how the permissions and other access settings on their mobile devices work.
These security issues are complicated by the report's finding that 63% of work-related mobile devices are also used by employees for personal activities. In fact, where companies do not provide mobile devices, many employees tend to use their personal smartphones and other mobile devices to handle work-related tasks.
This report also examined mobile security for laptops and netbooks, not just mobile phones and tablets.
Theft and malware
Both consumers and companies report being most concerned about security risks posed by lost and stolen mobile devices. Here, the greatest risk is access to sensitive data -- from contacts and phone logs to e-mail, documents, text messages, and more.
According to the report, 40% of companies surveyed have experienced the loss or theft of their mobile devices -- and half of these devices contained "business critical data." Over one-third of these device losses had a "financial impact" on the organization. The types of sensitive data lost include customer data, corporate intellectual property, financial data, and employment data.
In response to lost/stolen mobile device incidents, two-thirds of companies increased their device security afterwards. But 10% "did not implement further security after device losses because of a lack of budget."
Companies are also concerned that mobile devices might introduce malware onto their networks, or that employees might use mobile devices to share sensitive data in unauthorized ways.
User behavior is a key risk factor. According to the report, "Fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three keeps sensitive work-related information on their mobile devices."
Several vendors sell online security services, including BullGuard, SMobile, Lookout, and Norton. (McAfee offers mobile security for enterprises, which is worth noting, since McAfee co-produced this study.) The study found that at most companies, administrators are unwilling to pay for mobile security products or services.
How can consumers protect themselves?
When it comes to being safe with your mobile device, the most important issue is how you configure and use it. The other important thing is choosing a good security tool. If you regularly download apps or media files, or access shared Wi-Fi networks via your phone, it's a good idea to purchase a mobile security package.
Many mobile security packages are available for $20-$30 up front, plus about the same amount per year. TopTenReviews.com recently published a comparison chart of 10 leading mobile security services for consumers.
In the article accompanying the chart, TopTenReviews explains the mobile security risks for consumers:
"Mobile malware can cause a number of serious problems. A mobile virus can drain your phone's battery extremely fast, delete your personal and important business information and even render certain features completely nonfunctional. Not only can a virus disable a function on your phone -- snoopware may also take control of it, turning your mobile device into a walking tape recorder. It can even turn your camera on, take pictures and display them online.
"But the nuisance of mobile viruses doesn't stop there. A virus on your smartphone may send infected files to your contacts or transfer them to your computer when you connect or sync. And what about sending mass messages without your permission, or making expensive calls resulting in unwarranted billing? Malware can do that, too."
How to choose a mobile security service
Key features should include real-time protection against viruses and spam, as well as the ability to work with firewalls. Additionally, secure remote backup of data from the mobile device that occurs at least daily (if not hourly) is very useful, as is the ability to locate a lost or stolen device via the security provider's website, and to lock the device or wipe all data from it remotely.
Try the service out before you commit. Make sure the service you choose is easy to configure and use. Test that its features work well. Get your money back if you don't think it's the right tool for you.
Adopt good mobile security habits. For instance, you can configure your device to require you to enter a passcode or security pattern every time you turn the phone on or wake it up from its sleep mode.
Many users neglect to take this simple precaution because it feels like a repetitive hassle. But if your phone got lost or stolen, how stupid would you feel for not doing it?
Also, be skeptical of apps that you download to your phone. Scrutinize the permissions an app requires before you download and install it. Check user reviews, keep your installed apps updated, and uninstall apps that you don't use or don't like.
Similarly, be careful of links included in e-mails, text messages, and instant messages that you receive on your mobile device -- they're a common phishing tool. Don't click links that you weren't expecting to get, especially from people you don't know or trust well or hear from regularly.
Remember, links can be spoofed, and your friends' phones can be infected to send scammers' messages. Also, it can be more difficult to spot a spoofed or untrustworthy link on a mobile phone than on a device with a larger, more fully featured display and browser.
Don't download pictures, videos, or other files to your phone that come from people you don't know, or that you weren't expecting. These can also contain viruses or malware.
If you're not sure whether someone you know really did intend to send you a link, photo, or file, call or text them first before you click. People usually respond quickly to such requests -- and if they don't, it's a possible red flag that their device or accounts may have been compromised.
The opinions expressed in this commentary are solely those of Amy Gahran.