Conal Walsh 

Spying a gap in the security of cyberspace

Mobile phone security is becoming more sophisticated, but data will never be totally secure - and intelligence agencies want to keep it that way, writes Conal Walsh.
  
  


How secure are mobile phones? It is a question that will become ever more pressing as the new 2.5G and 3G phones take over in the next few years, providing their owners with powerful internet facilities and full access to their corporate intranets while out of the office. But there is also the risk that they will be vulnerable to attack from hackers.

More and more businesses, especially those with itinerant sales forces, such as insurance companies, have 'virtual private networks' (VPNs), allowing employees to view their corporate intranets from anywhere.

But the new mobile phones will multiply the number of people logging on. And with so much sensitive commercial information suddenly hurtling through cyberspace, a big concern will be to keep it out of the hands of saboteurs and corporate spies.

Security breaches are already thought to cost US businesses $500m a year, and safeguarding sensitive information is at the top of many 'to-do' lists in the IT departments of large companies.

'The true potential for generating revenue from mobile data services will only be realised if network operators guarantee delivery of the level of security their customers demand,' said a recent study by Lucent Technologies.

But Mark Blowers, an analyst at the Butler Group, fears that an industry-wide accepted strategy to combat security breaches is many years away.

'The new phones from Nokia, Siemens and others are basically little PCs. They are based on Java, or on the Symbian operating system, and they transport data around in "packets". So they're vulnerable to hackers or viruses in a way that phones never were previously,' he said.

Of course, internet technologies have their own security features, many with a good record. Secure socket layer (SSL), the encryption facility originally designed by Netscape, allows surfers to make credit card payments over the net. But it doesn't always work. And with new mobile technology bringing large volumes of sensitive corporate information on to the web, even one major leakage could be disastrous.

As it happens, the new mobile phones will use not SSL but newer security standards such as IPsec (short for IP security), which provide easy access to a greater variety of applications and folders on the corporate server and also transmit data faster.

But however effectively confidential information is encrypted, there is still no guarantee that the right person is receiving or sending it. Sometimes all a hacker has to do is get hold of the right password.

'Authentication is the biggest problem,' says Blowers. 'How do you really know who's logging on to your corporate system? Are passwords really the way forward? Maybe we should be focusing more on authentication technology. There are sophisticated voice-recognition and biometric identification systems out there, but the mobile industry hasn't shown much interest.'

At least mobile phone users are usually more easily identified than PC users, because of the SIM cards in the handsets. But there are still a thousand ways in which a phone and its Pin number could fall into the wrong hands.

In the absence of any more futuristic alternatives, businesses are being urged not to forget an old-fashioned system of passwords and usernames to give added layers of protection to their VPNs.

The likes of McAfee and Texas Instruments are busy developing security-enhancement products for mobile operators and the manufacturers of mobile phone devices, as well as large businesses with highly developed remote access systems.

But ultimately, the next generation of mobiles will offer no absolute guarantees of security from hackers, and it will remain the responsibility of companies to decide how much money they want to spend on keeping their systems secure.

Mike Gerdes, research director for the security firm Red Siren, has expressed a fear that unwise skimping might even extend to certain network operators reluctant to pay for the extra servers required to safeguard their clients' security.

On the other hand, the added security benefits of 3G and 2.5G phones are designed not only for phone users, but for the mobile phone companies themselves. Second-generation mobiles have always been vulnerable to hackers who set up their own transmitters, known in the trade as 'rogue base stations', to intercept or misdirect traffic or hop on to a carrier network for free.

Few, if any, mobile phone operators admit how much money they are losing through this practice, but many experts estimate that 'piracy' is costing them more than 10 per cent of total revenues. The new technology is designed to thwart it.

With encryption becoming ever cheaper, more powerful and more difficult to crack, a halt to progress may come from an unlikely source: our intelligence agencies. Correspondence between the British and US governments, obtained recently by the Guardian under America's freedom of information laws, reveals concern about encryption at the highest levels.

In May 1999, Janet Reno, then US Attorney General, wrote to Jack Straw, then Home Secretary, saying: 'I believe that the difficulties that encryption will pose for law enforcement are among the greatest challenges we will face in the coming years.' Straw replied: 'I fully share your concern at the threat posed by criminal use of encryption.'

Since then, the 11 September attacks have added urgency to official eavesdropping, and new laws make it easier for law enforcement agencies to confiscate encryption codes. They are unlikely to countenance any technology that makes it more difficult to catch terrorists.

 
