In-Depth

Businesses Ignore Mobile PDA Threat

When it comes to mobile devices, why do so many companies avoid the security issues?

• By Mathew Schwartz
• 04/14/2004

As the power and portability of PDAs and smart phones has increased, including wireless networking capability, camera phones, and removable smart media able to hold over a gigabyte, so, too, have security worries.

According to a survey conducted by Bluefire Security Technologies, a mobile technology vendor, and survey firm TNS NFO, roughly four out of five companies permit employees to use mobile devices, yet about the same number fail to set either PDA or smart-phone usage guidelines. In other words, their security policies don’t mention them.

Employees don’t seem any more aware of the issues than their employers. According to the survey, 75 percent of workers don’t know whether their PDAs or smart phones include security features. So even if they exist, they don’t know how to use them.

“Businesses worry a lot today about front-end attacks from hackers and how to stop them,” says Tom Goodman, vice president of operations for Bluefire Security Technologies. What they’re neglecting, however, are “the equally dangerous back-end threats coming from employees connecting their high-powered handheld devices to their enterprise networks.”

The risk cuts both ways. Employees use mobile devices to store such sensitive information as network passwords, organizational charts, databases, and business directories. It’s easy: they just synchronize the device in a cradle or wirelessly via Bluetooth, and they can take it anywhere.

Unfortunately, it’s information that company competitors would love to get their hands on. With a valid username and password, an attacker could quietly and quickly infiltrate the corporate network or install software onto a user’s PC to siphon more information.

With their small form factor, PDAs and smart phones are easy to steal or lose. When that happens, beyond the threat of corporate information loss, users risk their personal information becoming public. In fact, 40 percent of users admit to keeping credit card numbers on their PDAs and smart phones. Remember, however, that at least three out of four users don’t know about their device’s security. The information stored therein is ripe for the taking.

The survey also reveals more than a quarter of users store their incomes on the devices, 19 percent have personal health information, and 17 percent keep e-mail love letters on the devices. Only one in 10 respondents, however, admitted that if any of that sensitive information made it onto the Internet, they’d be embarrassed.

Obviously there’s a disconnect. The result: a lose-lose situation. “Consumers are clearly storing personal information considered private on their mobile devices, while employees using these devices for business are very likely storing data that their employers would regard as confidential,” notes Goodman.

With many users indicating they store credit cards on their insecure mobile device, it’s a good guess corporate passwords, for starters, are also there. It’s just human nature to write things down where they’re easily accessible.

Security experts note organizations can take several steps to address the PDA and smart-phone security threat. First, detail whether the devices can be used at all. If so, ensure users receive training in security features, or else give them software vaults able to store passwords and credit card numbers using strong encryption. Even if the device is lost, such software lessens the risk sensitive information will escape.

Organizations can also invest in mobile security software to augment (or add) security to existing devices.

Goodman says the key is central management. “By centrally managing what these devices can access, store, and process, an organization can safely and effectively manage its mobile workforce.” Without a centralized viewpoint: security, technology, monitoring, keeping tabs on mobile devices—by their nature never in one place very long—is incredibly difficult.