I’ve been speaking quite a bit lately with journalists about the risk of smartphones/PDAs/Blackberrys, etc. (I think F-Secure’s hype machine is working). My general response to their questions about "whether smartphones are risky or not" is, "it depends." (I know, I know – pretty analytical).
This is actually a somewhat annoying question, in the same vein as asking about the significance of the latest virus/worm (check out my MadLib on that). The point is that of course these devices may be significant, but mileage (and significance) varies with usage. If the devices carry significant data or serve an important purpose for the enterprise, then this becomes important. If not, then not. So evaluate the data, evaluate the usage, and come to a conclusion about whether you care.
My inclination today is to believe that these devices are worth being aware of, but not that important to most enterprises. When you weigh them against the other risks an enterprise faces, I think they are even less significant, except perhaps for those folks who have extremely mature security organizations and a very low risk tolerance.
One of the issues here is that convergence gives us all sorts of devices that are similar but not identical, along with the smokescreen that comes from "new product categories" that basically aren't new. Smartphones are essentially PDAs, as are BlackBerrys and other two-way messaging devices. So you've probably already done the risk assessment (though it's good to redo it, of course).
Here is an interesting article on BlackBerrys in which the users of the system apparently didn't do a proper risk assessment and didn't realize that their messages were being archived.