If your enterprise relies on PDAs and smartphones to get business done, you may be paying too much to secure it, according to a report issued Monday.

An analyst at IT research firm Burton Group found that the cost of a complete set of security products (antivirus, VPN, device security and management) can be higher than the cost of the device itself.

In his research report, "Handheld Device Security," Eric Maiwald surveyed the market of business-ready devices including the HP iPAQ 6315, HP iPAQ hx2700, Palm Treo 650, Samsung i700, Nokia 9500 Communicator, Dell Axim X50v and the RIM BlackBerry 7100.

The analyst surveyed the various protections on the market and found that the average monthly cost of an antivirus subscription is $32, while an average VPN can run an enterprise as much as $280. Device security products were another high-ticket category, with plans hitting an average of $70 per device. Management devices topped out at $250, with the average around $90. When combined, a comprehensive plan that protects that $299 BlackBerry, $499 Dell Axim or $449 Palm Treo smartphone may not seem so smart, Burton found.

"Organizations should perform a risk assessment of any handheld device installation to determine the types of security mechanisms that should be installed on devices and whether the cost is justified by the risk to the organization," Maiwald said in his report.

According to the report, the latest classes of handhelds have a number of communication options, but not all of them may be necessary to secure. For example, a device that is used to take orders in a distribution company may not need WLAN or WWAN capabilities if the orders are synchronized later, when the employee returns to the warehouse. The same scenario probably means that the device does not need a firewall, Maiwald found.

Burton found most large organizations already have management systems and security mechanisms such as VPNs, antivirus software and file encryption products in place. According to the report, all of the antivirus vendors and most of the management vendors sell products for both desktop systems and handheld devices.

"If these products are able to manage and protect handheld devices, they should be extended by the organization instead of purchasing new products specifically for the devices," Maiwald said in his report.

Alternatively, rather than managing devices in-house, Maiwald recommended that organizations work with a network operator that provides device management as a service. In most cases, this option is only available for companies that use the WWAN capability.

Even then, as these devices become more prevalent, Burton said network operators are likely to offer greater services in terms of asset tracking, software management and configuration control.

Of the remaining security aspects, Maiwald's report said management products may provide sufficient protection for lost or stolen devices to make the use of additional security products unnecessary.

"However, device security products generally provide richer authentication and file encryption functionality than do management products, so the organization should determine the risk associated with the compromise of sensitive information on the device" he said.