With all of the time and money that companies devote to securing their IT systems, a single unsecured PDA presents a huge potential hole in a corporate security wall. Unfortunately, it is almost impossible to control what employees keep on their PDAs. Since most enterprises don’t budget for the latest mobile wonders, many devices in an organization are purchased personally by employees. With external cards capable of storing two megabytes of data, a variety of unsecured or proprietary data can be downloaded onto a device.
Check out these concerns
Here are a few common concerns that a company should address in getting their handheld security in order, based on feedback from executives around the country compiled while researching the subject for a future novel:
1. NETWORK PASSWORDS. PDAs are a very convenient place for employees to keep password information – like those hard-to-remember, 10-digit alphanumeric passwords that they’re forced to change every month. Passwords stored on an unprotected mobile device can be the gateway into a company’s entire network and all of the critical data and systems that it connects to.
2. CUSTOMER DATA. Here’s a lawsuit or PR nightmare waiting to happen. In the financial services industry, the loss of customer data could legally compel a company to contact every customer with the message that their personal information might have been compromised. There is also always a danger of a competitor gaining access to a customer list, along with sales history and contact information.
3. PRESS RELEASES. Picture that strategic announcement that’s scheduled for next month on the front page of the latest issue of a favorite business daily. Now that employees can view e-mail on their handhelds, as well as Word and Acrobat files, the probability of such documents finding their way onto an unprotected mobile device is quite high. Many busy executives and sales staff use their handheld devices to view and edit documents when they are on the road or commuting. Legal troubles can also arise for public companies if the U.S. Securities and Exchange Commission learns that future press information was released prior to public distribution.
4. CREDIT CARD AND ACCOUNT NUMBERS. Another item that should never be stored on a mobile device is the company credit card number. With so much ordering via the Internet, it has become quite handy to keep account numbers a click away by posting them in an Outlook note. These subsequently get downloaded onto the PDA when receiving e-mail or by other means.
5. FINANCIAL DATA. Although handhelds are not the best way to browse through large spreadsheets, such files synchronize easily and often find their way onto mobile devices. An in-progress annual report or the internal projections for next quarter’s sales is harmless enough so long as the data cannot leave the company. But an inadvertent leak of financial data can have catastrophic consequences.
6. E-MAIL. Employees’ in-boxes are often filled with their companies’ sensitive and proprietary information. Wi-Fi, Bluetooth and cellular equipped devices can download e-mail in a snap. An unprotected device presents a great liability potential to an organization.
7. INTRANET ACCESS. Even if most employees are responsible enough never to store passwords in their notepad, there is unfortunately a good chance that they checked the “remember user name and password” button on their mobile browser, leaving their company’s internal communication system exposed to whoever holds the device.
8. PRICE LISTS. This one is best told by an anecdote. A company’s best salesperson had just finished a great meeting with a top client. In all of the excitement, she accidentally left her handheld sitting on the desk on her way out. Unfortunately, curiosity got the better of her customer, who discovered a database of sales and prices for various customers. She returned home in triumph, only to find that her client was furious that their competitor was getting a better deal than they were.
9. EMPLOYEE INFORMATION. The danger here is especially, though not exclusively, to Social Security numbers. Aside from the litigation exposure, the loss of employee data such as payroll information can do great harm to an organization. Even if the mobile device is lost within a company’s own offices, exposure of confidential information to unauthorized parties can cause great problems.
10. MEDICAL (HIPAA) INFORMATION. Most companies don’t have $50,000 to throw around for every violation of the 1996 Health Insurance Portability and Accountability Act privacy standards. Now that doctors, nurses and medical staff have access to nifty new programs that run on their PDAs, this has become a very serious issue.
Feeling a bit queasy? The good news is that there are relatively simple and economically feasible steps that a company can take to minimize its risk of data loss and secure its data from prying eyes.
Here are some basic security measures that a company can take:
Fact finding. The first step is to assess what exactly is at risk. How many employees currently synchronize personal handhelds to company computers? Does the company officially supply or support PDAs? If so, do specific groups within the organization use particular OS or hardware platforms? What kind of sensitive information may be at risk? Are there industry-specific rules for the security of the data? Don’t limit thinking to officially sanctioned information.
Create or extend a written security policy. If a company already has a written security policy, it should be extended to cover handheld devices. If deemed necessary, a business can reserve the right to inspect and audit PDA contents at will. Although invading an employee’s privacy is not always easy to stomach, even used sparingly the practice can help to ensure maximum adherence to policies.
Track and tag the devices and display contact info on the opening screen. Gartner Group estimates that companies with more than 5,000 employees could save between $300,000 and $500,000 annually by tracking, tagging and providing contact information on PDAs and mobile phones. Not every person who finds a PDA full of contact, supplier or financial information works for the owner’s competition, although once lost, a company must assume the worst. This could be avoided, however, by adding enough contact information to allow the finder to get the PDA returned unspoiled.
Establish a personal PDA policy. If employees have their own PDAs, will the business allow synching with work computers? Are there special security concerns for the organization regarding specific handheld devices such as Linux OS PDAs, smart phones, etc.? Chances are that many, if not most, of the handheld devices in any given organization are personally owned rather than supplied by the company. It is crucial that policies define how, and to what degree, handheld devices interact with the company’s data and systems.
Define sync limits. Can all data get downloaded to PDAs, or only specific files and folders? Should a company consider a network synchronization solution or limit connection to desktop PCs? Granted, this is very difficult to control. If someone has access to data, there are many ways to move it to a mobile device, ranging from copying to a memory stick or SD card, to sending a file via an instant messaging client. Nevertheless, by establishing limitations for synchronization, there will be much less inadvertent movement of prohibited information to mobile devices.
Consider firewall reconfiguration. If employees will use the PDA for wireless connectivity to the corporate network, consider installing extra protection. Reconfiguring or installing a firewall at the points where a PDA might upload or download information is critical. As part of a multi-layered security approach, make sure employees know that storing user names and passwords on their mobile devices is prohibited. An occasional audit of handheld devices will help keep people on their toes.
Define standard security software. It is critical that security policies are enforced through software that mandates appropriate security settings. A range of security solutions are available that will enable a company to establish and enforce security policies on their employees’ mobile devices.
PDAs are finding their way into a number of corporate activities, mainly because they are unique in being able to make decision-making data available to employees virtually anytime and anywhere. Advanced mobile devices can increase productivity and connectivity for many companies. However, convenience and efficiency must be available within a paradigm that does not unduly put valuable corporate assets at risk.