Insight: Security – Get a grip on PDA Security.

Personal digital assistants (PDAs) are no longer seen as an electronic toy for a minority of gadget-obsessed technology freaks. Extended memories, processors, diary synchronisation and wireless connection to internet portal links for enterprise data have given the PDA a place in the corporate network.

It is estimated that the use of handheld computers will grow by more than 50% in the next few years. The Gartner Group forecasts that more than one billion handheld computers and mobile telephones with wireless network connectivity will be in use around the world by 2003.

Industry analyst IDC predicts that the PDA portion of this global market will explode, from 13 million units in 2000 to some 64 million by 2004.

As PDA sales increase, so does the number of connections to corporate networks, posing a potential security breach.

The first, simple generation of PDAs was more or less protected from abuse through limited capacity, which could not hold complex viruses or store large amounts of sensitive data.

But newer PDAs will soon reach 128Mb in size, which is sufficient to store 10,000 personal or company addresses, 400 emails and 3,000 documents with notes.

After a boost in PDA sales last Christmas, Psion carried out a survey about their effect on company networks. The research revealed that 70% of network managers were concerned about how to integrate devices and applications without compromising existing IT systems.

Nick Martin, corporate sales director at Psion, warned companies to put policies in place for PDA use in the workplace to stop them from becoming a security and management nightmare.

The company advised network managers to audit employee PDAs and said a policy should include essential security measures, guidelines on connection, and specifications about which applications can or cannot be used.

‘Now is the time to set the standards before mobile devices are so pervasive that offices no longer have control. Companies should know what equipment their staff are using, and thus be able to promote better ways of working with them,’ said Martin.

‘Policies should be based on the potential for both harm and creativity, not the purchase price. Laptop use and abuse has been pretty much taped up, but this is a new phenomenon which must be acted on,’ he added.

Magnus Ahlberg, managing director of mobile security company Pointsec Technologies, said a handheld computer with the sort of power available today, containing huge amounts of corporate information, was easy to use away from the office, but was just as easy to lose or have stolen.

‘The surge in use of mobile devices means that companies need to make sure their growing mobile workforce uses devices that are secure, so that handhelds do not become the weakest link in their security system,’ Ahlberg said.

He points out that more people are working on the move and using powerful laptops and PDAs to store increasing amounts of valuable and confidential data. If this equipment is lost or stolen, it could put a company at serious risk of sabotage, exploitation or damage to its professional integrity.

‘Take the case last year of the jet fighter pilot who lost his laptop allegedly containing hundreds of unencrypted top-secret diagrams. It was brought to the world’s attention when a national newspaper handed the laptop back to an embarrassed Ministry of Defence representative. This case highlights the importance of securing information held on mobile devices if it is of a sensitive or confidential nature,’ he said.

Ahlberg argues that the internet has changed the way we do business, and has left traditional methods of communicating and trading behind forever.

In order to be efficient, companies should allow staff to use mobile devices such as laptops, notebooks, PDAs or internet phones. But passing confidential client information or carrying out transactions of any kind over the internet has considerable security implications and legal ramifications, and cannot be ignored by network professionals.

‘If handheld computers become as popular as mobile phones, the number of thefts could be astronomic,’ said Ahlberg.

‘The Federation of Communication Services states that more than 15,000 mobile phones are stolen every month in the UK alone. Personal digital assistants are low in price and simple to use, which makes them appealing to buy privately and use for company business. Increase in PDA use is directly relative to the number of handheld computers that are lost.’

Companies spend billions of pounds a year on IT security systems for desktop computers, but very little is invested in securing the mobile workforce. Ahlberg said companies should have this area covered within their security policy but, in reality, very few have the necessary security tools to ensure protection against breaches.

According to the Department of Trade and Industry’s Information Security Breaches Survey, 60% of organisations have suffered a security breach in the last two years, but only one in seven has a formal management security policy in place.

Only a third have carried out a risk assessment to identify security risks through a systematic approach.

There are few security devices available for PDAs and internet phones because companies are only just beginning to recognise the real need for them for the new equipment being used by their mobile workers. Last month, Pointsec released a security product for Palm OS, which included password access control and data encryption.

Psion has issued corporate PDA policy guidance, which touches on issues such as integration and security, including viruses, backup and securing of data.

It advised companies to lock out devices from the network if they are lost, use password protection and define security levels for data accessed remotely. Virus policies should reflect the variety of devices and remain flexible enough to deal with future changes.

‘But even when PDAs and laptops do have a security device automatically installed, users often try to circumvent this to avoid hassle. Once security is turned off, these devices become easy pickings for anyone to get confidential information or to get through the firewall and into the main corporate network,’ said Ahlberg.

Network News is a sister title to Accountancy Age


– Establish a workable security policy. Explain the risks to staff and tell them what action will follow if they ignore the policy.

– Install fast and easy access control systems and encryption devices on mobile devices that users cannot circumvent.

– Use dynamic passwords or certificates for secure remote access.

– Carry out an audit of who is using a mobile device and whether the devices are personally or company owned.

– Forbid downloads of customer and company information to devices without the company security system.

– Use a centrally-managed security product that is compatible with all mobile devices and software versions.

– Avoid using products that leave security decisions to users – they will ignore or find a way around the system.

– Update software to ensure that PDAs are protected against known security loopholes.
