Personal digital assistants (PDAs) have reached the stage in popularity and development where companies cannot afford to ignore the potential business benefits - or the security risks - they represent.
Recent increases in functionality and storage capacity have enabled handhelds to outgrow their role as glorified electronic personal organisers, with applications such as performance management, remote training and inventory now available to augment personal information management tools like calendars, diary synchronisation and e-mail.
Following the launch of Microsoft's PocketPC 2002 last year, a growing number of enterprises have introduced mobile strategies or pilot schemes using handhelds. Enterprises are now driving sales of PDAs, where once it was only individuals, resulting in rapid growth. According to IDC, worldwide shipments of handhelds will increase from 13.6 million in 2000 to 70.9 million by 2005. However, to reap the benefits of mobile devices like PDAs and make sure that the business benefits outweigh the potential pitfalls, companies need to draft a mobile strategy and address key issues such as security, interoperability and legal liability.
To start with, a business can standardise the platform and the PDAs in use within the organisation. In most cases this will come down to a choice between Microsoft's Windows CE/PocketPC, Symbian's Epoc or the Palm operating system. One organisation that has just gone down this road is the BBC, which recently began an 18-month programme to standardise on a single PocketPC PDA platform for staff to improve security, increase central control and better protect sensitive material held on the PDAs such as journalists' contact databases. However, this approach will not suit everyone and may not be practical for your organisation.
Forcing users to have the same platform - even if there is a strong business case for doing so - can create problems. Different users have different needs. Some may like the simplicity of the Palm, while others will prefer the extra functionality of PocketPC-based devices such as the Compaq iPaq. As Johan Lisnell, business director at IT services giant EDS, says, "There are personal opinions based on things other than pure business value."
Then there is the problem of logistics. Val Rahmani, general manager for IBM's wireless division, for one, doubts that a one-type-suits-all approach can work in reality. "Companies will not be able to dictate which devices people are going to use," she says.
Gartner Group analyst Thomas Reuner points to another problem. "People do not always report their PDA use if it is unofficial, so companies should encourage users to be more open," he says. The next step, says Reuner, is to do an audit of what PDAs staff are using and what they're using them for.
These devices are generally used for personal information management purposes, office applications and Internet access. However, as the power of PDAs increases, other applications such as voice and picture capture, navigational aids and remote access to corporate data are becoming more common.
According to Paul Williams, senior consultant at business consultancy Andersen, companies should consider segmenting users into meaningful groups to work out which applications would be most suitable. "It may be worth considering applications that would be useful for specific job roles or certain employees such as those who work away from the office," he says. "Performing an analysis should make it easier to produce a business case for the applications you wish to deploy."
Defining how the PDA is used will allow a company to fully exploit the business benefit of the devices. Lisnell says, "In seeking industrial value, one will soon see that it is, of course, not the PDA itself that creates this, but how it is used and what it is used for."
For those companies which are unwilling to standardise on a single platform - or simply haven't considered it - there is a range of software available to increase interoperability between different operating systems. Palm's Documents To Go software, for example, allows users to access Microsoft Word, Excel and PowerPoint files.
And management framework solutions such as Tivoli Handheld Device Manager can be used to distribute software and manage device configurations. Other packages, including e-mail synchronisation packages like Multimail, can limit the length of downloaded messages and attachments.
Addressing the logistics of how PDA users access corporate systems, information and applications is another important consideration. Most users dial in via a POP3 (Post Office Protocol) server, an Internet service provider or through a thin client provided by application software suppliers such as Citrix. Security is a key issue here. As well as the basics, like password systems and automatic lock-out after three incorrect password attempts, there is a range of bolt-on products available. PDAs can now be fitted with similar levels of access control and 128-bit encryption to desktop PCs and laptops.
Applied Biometrics, among a number of companies, produces a clip-on fingerprint recognition device that can either lock your PDA or bar access to specific applications. Future versions of Palm's operating system will even feature voice recognition security. And software firms like Borderware offer virtual private networks for handhelds like the PocketPC and the Palm to encrypt the connection from the PDA and protect the transmitted data.
Education should underpin any mobile policy. IT managers need to raise user awareness of the key issues and stress the importance of security safeguards. A good idea is to manage control centrally so that security is as intuitive as possible and users cannot alter or circumvent settings.
Magnus Ahlberg, managing director of security software firm Pointsec Mobile Technologies, recommends that IT security managers adopt a three-point security plan.
- Ensure that systems are physically secure, using methods such as encryption and access control
- Put legal safeguards in place within the company to govern how employees access and use data
- Address financial issues and insurance to safeguard against potential financial implications resulting from the loss of data.
Ahlberg points out that, on top of the danger from theft, the PDA's owner and the directors of the company may be liable under the Data Protection Act for failing to take reasonable steps to protect the personal information.
The positioning of PDAs as a tool for corporate users poses "a big problem", says Ahlberg, as PDAs can present a security threat to the corporate network and become a time-bomb in staff hands. However, he maintains that, as long as companies put appropriate security and policy controls in place, mobile devices can be a cost-effective option and provide similar freedom and advantages to the laptop.
- Conduct an audit to see exactly how many and what PDAs are being used
- Analyse how the devices are being used - is the business getting the most benefit?
- Decide how PDA users will access corporate information
- Choose between standardising on one platform or managing various platforms
- Make security a priority - both in terms of technology and user education.
Users' reactions to PDAs
Corporate IT user group The Infrastructure Forum carried out a survey on the role of the PDA via the Q&A session on its Web site in February. The results were:
- 45% of respondents said privately-owned PDAs should not be permitted on a corporate network and just 30% said they should
- 50% favoured the Compaq iPaq over any other model of PDA
- 60% recognised the need for security arrangements to be made, including password protection, document management, encryption and anti-virus measures but only 20% said they had put these plans in place or felt they could be enforced
- 75% of respondents used cradle or cable links to the network, although many also use infrared connections. One member commented that "using infrared is OK to exchange data with a colleague or when you must, but it's a pain to do a few times a day", whilst another said, "Infrared has been a great success as the need for cables is unpopular among users."
Not to be forgotten
- Usefulness - PDAs have limited functionality and should be seen as an additional tool, rather than replacing lap- or desktops
- Support - involve technical support staff in planning and ensure they have the training and resources available to meet demand from PDA users
- Hidden costs - make sure you budget for support, replacement of lost and damaged units, upgrades, peripherals and network enhancements.
Eight steps to securing your handheld
Magnus Ahlberg, managing director of security software firm Pointsec Mobile Technologies, offers the following advice:
- Include mobile devices in the company security policy and educate staff about the security implications of mobile devices and what will happen if they fail to observe the rules
- Use access control systems and encryption devices on all mobile devices, which cannot be circumvented by the user
- Use dynamic passwords or certificates for remote users
- Do an audit to find out who is using a mobile device and whether they are owned by the company or the employee
- Ban staff from storing customer and company information on their own mobile devices unless they have adequate security provisions in place
- Use security products that are compatible with all mobile devices and software versions and can be controlled centrally
- Make security intuitive: don't use products that let the user alter the settings
- Use up-to-date software.
Case study: Scandinavian Airlines
Airline staff can dock on anytime, anywhere
Scandinavian Airlines (SAS) rolled out a PDA-based system last year to give its staff remote access to corporate data and internal applications, as well as personal information like e-mails and diaries. The system, developed by Scandinavian IT Group (SIG), an associate company of SAS, is based on the Microsoft PocketPC and runs on Compaq iPaq handhelds.
Users connect to the network using docking stations located throughout SAS premises, such as staff rooms and lounge areas, or via a GSM module. An additional program allows users to make telephone calls on the Compaq iPaq using a Nokia Phonecard.
Thorbjörn Odsjö, product manager at SIG, explains that a large number of SAS staff are constantly on the move, sending e-mails from temporary locations like hotels at unusual times, and the PDA-based system represents an effective means of keeping staff updated on important information like changes to airport scheduling information.
Users enter a PIN code, which has to be changed every three months, and the iPaq is verified before it can be used to access the company's network. Standardising the PDAs used by its staff means that the company can ensure its security regulations are met. And choosing the Microsoft option had the twin advantages that staff are familiar with the Windows environment and it is interoperable with the existing network, which runs on Windows NT 4.0.
The company estimates that it will have about 7,000 mobile devices in use by 2003.
Case study: Carlsberg Tetley
Keeping field engineers topped up
Last summer brewing group Carlsberg Tetley implemented a PDA-based system to automate tasks, cut costs and increase efficiency by providing two-way real-time communication between two call centres and its 140 field engineers.
The system is based on mobile data supplier Three X's Mobile Engineer application and runs on Microsoft's Windows CE platform. Carlsberg Tetley's engineers - who install, service and maintain beer dispensing equipment in more than 37,000 outlets nationwide - tap into the company's central SAP enterprise resource planning system via Vodafone's GSM network.
As well as standard functions such as job progression, notification of schedule changes and messaging, Mobile Engineer has auditing and inventory management functions.
The brewery's engineers also download a site inventory automatically when they visit an outlet, which enables them to check the number of taps owned by Carlsberg Tetley against the number currently dispensing Carlsberg Tetley beers. Any discrepancy between these figures will trigger an alert to the engineer to create "buy" or "sell" instructions for the SAP system, with the production of an invoice or credit note.
Case study: Astra Zeneca
Handhelds speed up process of drug trials
Pharmaceutical giant Astra Zeneca announced last October that it was planning to roll out handheld devices for use in its clinical drug testing trials in a bid to improve the quality of the information it receives and speed up the time to market of drugs for treating serious illnesses. The development and clinical testing of a drug can take up to seven years.
As part of a pilot scheme, Astra Zeneca said it would give Compaq iPaq PDAs, based on the Microsoft PocketPC 2002 operating system and running an application from software firm Conchango, to about 20 people trialling the latest medical drugs. Jill Glover, technical architect at Astra Zeneca, says the devices could eventually be rolled out to up to 3,000 users.
Currently, people taking part in clinical drug testing trials use traditional diaries, which they fill out at the end of each week, but this has proved unreliable and time-consuming. With the new system, Astra Zeneca will preload the PDA with relevant questions to be answered at certain times of the day within selected time slots. Notifications will appear if any of the areas of the questionnaire have not been correctly completed and answers will be immediately transmitted to the company.
Astra Zeneca is now considering using PDAs in other parts of its business.