Why is security ignored when it comes to the personal digital assistant (PDA)? They may have been marketed as personal consumer tools but people use them at work. And IT departments often see them as a personal device not a corporate issue. Yet in a survey of 332 IT professionals who regularly use a PDA, 89% use their PDA as a business diary and 77% synchronise the data on their PDA with their company PC or laptop.
The survey, carried out for Computer Weekly and PDA security software supplier Pointsec, revealed more worrying statistics. Poor password protection and a lack of data encryption has created a potential loophole in the otherwise secure infrastructures of corporate employers.
Perhaps not unsurprisingly given the "personal" in PDA, 77% of respondents used their own devices rather than company-owned units, creating the nightmare of how to manage PDAs. If an employee is using a PDA of their own specification, running software that they have installed themselves and over which the IT department has no control, it raises considerable security risks, especially if they synchronise data on the PDA with information on a corporate workstation - or worse still, on a corporate network.
All this could lead to a heap of trouble, according to Pointsec managing director Magnus Ahlberg. "We have been working with a few companies on this. We recommend that organisations take a decision quickly to ban the general usage of private PDAs," he says. Instead, they should choose a standard PDA specification via their purchasing departments, and force staff to use only this.
The problem is that different employees have different needs. One worker may be happy with the more lightweight Palm OS, for example, while another might need a meatier PocketPC device, with its larger memory and greater processing power, for heavy-duty tasks. "What we recommend is to choose maybe two alternatives that are common in the marketplace," Ahlberg says.
But the idea of having corporate-owned PDAs is useless if they're not corporate-managed. Sixty-five per cent of survey respondents who were using company-owned PDAs either said their companies had no official usage policy for the devices, and a further 12% simply didn't know whether their company had one or not.
How can an organisation manage its employees' PDAs? Centralisation has always been the key to good management in the PC world, and it's the same for PDA users, according to Ahlberg. He likes the idea of abandoning data synchronisation via the workstation (using a cradle), and instead forcing employees to synchronise data directly with the server. Public access points using infrared workstations or wireless Lans is an option, he says, as is Bluetooth. The idea is that your devices would communicate with the network seamlessly as soon as you walk through the door in your building and turn them on.
"By doing that you can add policy-based security," he explains. "If everyone is installing their own sync software it's very difficult to keep control over it from an organisational point of view."
Still, this method of centralised, non-cable based synchronisation has its own problems. For example, wireless Lans are notoriously insecure, so you would have to buy expensive virtual private networking software, which also eats up PDA processing power, to be sure of your data security.
Both wireless Lans and Bluetooth require expensive add-in cards for most PDAs, and there are also potential loopholes in Bluetooth's security according to Gunter Ollman, European manager of X-Force security assessment services for security consultancy Internet Security Systems. It's possible to misconfigure Bluetooth for low-or-no encryption, he says, adding that key management also becomes an issue when you're using lots of devices. Clearly, the world of PDA security management is far from simple.
Unfortunately, the most simple security mechanism - password protection - is being ignored by a lot of corporate PDA users. Nearly a quarter of those people who access their corporate network using their PDA do not bother to secure their devices with a password. This percentage rises to 29% among those people who do not access their corporate network using their mobile devices.
This latter group may have a false sense of security, imagining that they do not need to use password protection because they are not accessing company network resources using a mobile device. In reality, if they synchronise corporate information from a PC or laptop, then it is still at risk if their device is not password protected.
More than two-fifths of PDA users who bothered to use passwords never changed them, and a further 26% only changed them once every few months. This leaves 16% of PDA users who change their password once a month, and many network managers would argue that from a corporate standpoint, even this isn't often enough. And 23% of those people who stored passwords or PIN numbers on their PDAs did not bother to password protect the device itself, making it easy for anyone who found or stole a device to potentially gain access to bank details and corporate data via network accounts.
People soon realise the importance of password protection when they lose their devices. This happened to 6% of the survey's respondents, and some lost more than the cost of a new machine. "I had to change all my online and banking account passwords. Now they're encrypted," said one. Another had the same problem. Most telling was the fact that only six of those that lost their PDAs had secured it with a password, and the same number had encrypted the information held on the mobile units.
Encryption is a good idea anyway in the PDA world, because of the number of back doors in mobile device architectures that allow you to bypass password protection, according to Pointsec's vice-president of strategy Kurt Lennartson. He explains that it is possible to dump the whole memory of some PDAs to a PC by entering debugging mode using certain key combinations. If data isn't encrypted, your password won't help you in that instance.
One of the problems with data encryption is that it isn't particularly easy to do on some devices. Encrypting all of the data on a Palm device would drastically affect usability, according to Lennartson, because of the unit's slow processing power. This is thankfully getting better with later models, but the most realistic solution for the majority of Palm users is to use a specific encrypted folder into which you can put sensitive information. This localises the processor overhead so that it is incurred only when opening certain files.
Perhaps the difficulties associated with encryption are why only half of the respondents in the survey encrypted information stored on their PDA, leaving 50% with information stored as plain, easily accessible text. In reality, the most likely reason is a lack of awareness.
The need for password protection and encryption will be partly dictated by the type of job that you do, and therefore the information that you store. Although only 6% of respondents worked in sales, half of those people did not password protect their PDAs, and none of them could say definitively that they encrypted their information - most of them didn't, and 15% of respondents who are in sales did not know whether they did or not.
This raises particular concerns, because sales people are most likely to store customer information, and if this information is not stored in a secure fashion, employers could be contravening the seventh enforceable principle of data protection as defined by the UK Information Commissioner. It wasn't just sales people who stored customer information on their PDAs; 28% of respondents did so, and of these, 15% didn't use password protection. At this point, IT directors and privacy officers should be growing very pale.
Clearly, a lot of work needs to be done in the area of PDA protection. Working closely with the purchasing department to reach a basic standard specification for such units, and creating a standard software build, will go some way towards alleviating the problem. Password protection clearly isn't enough, and data encryption should be considered, as should guidelines for the sorts of information to synchronise to these portable devices.
It may not be necessary for all users to synchronise customer details and passwords to these devices. Building user profiles into your synchronisation policy will help you to control the information that ends up going outside your walls.
When you've tackled all these tasks, there's still physical security to consider. For example, making sure that people either don't use CFlash memory cards or mini-hard drives in devices (or if they do, encrypting them to protect them against being stolen and scanned) should be high on your agenda. Until all these things are considered, you should consider PDAs to be a weak link in your infrastructure.
Click here to view graphs as PDF >>
Top 10 uses for PDAs
1. Store personal names and addresses
2. As a business diary
3. As a personal diary
4. For entertainment - games, music etc
5. To store passwords/PIN numbers
6. To receive and view e-mails
7. To create documents/spreadsheets
8. To store corporate information
9. To store bank account details
10. To store information about customers.
This was first published in May 2002