WASHINGTON - Personal digital assistants and two-way pagers can be security hazards because they lack necessary protections or are built with risky, albeit convenient, default software, a leading researcher said at a wireless security conference last week.
“You can’t think of these devices as toys or devices. They have become an integral component of the workstation and they have the same risks to your company as the desktop. … You have to think about these issues and be paranoid about them,” said John E. Girard, vice president & research director of the Gartner Network Research Center.
Girard gave examples of security risks on two different commonly used devices: PDAs loaded with Windows CE and two-way pagers like Research In Motion Ltd.’s popular BlackBerry device. On PDAs running Windows CE, a default password feature allows users to sign on without using a password, but it means that the device does not know who is using it. BlackBerry devices can be set up to forward all e-mails automatically to a third party, but this also means that an unwanted third party can use this feature to forward all e-mail to an unauthorized user without the owner’s knowledge.
One method of security is to prohibit the use of mobile devices, but policies like that must also include how companies are going to ensure employees do not use them.
“Even if you are not going to allow PDAs in your organization, then you have to have a policy about not having them. If you are going to allow them, you need to have a policy,” said Girard. This policy should mandate under what circumstances the devices can be synced into the corporate or agency network and what software must be pre-loaded.
An informal survey of participants at the Computer Security for Mobile & Wireless Business Applications in Government conference sponsored by the Potomac Forum Ltd. showed that few had a PDA policy. One participant asked how many had an effective PDA policy, which elicited a chuckle from the audience, indicating that government agencies and corporate information technology departments are aware employees use personal PDAs for work but have yet to establish an effective security strategy.
An executive from Palm Inc., not surprisingly, called for an effective policy that would allow employees to use PDAs, not a policy that prohibits them. “Security is often thought of as locking down or shutting out. Please think of it as the right person getting the right data at the right time at the right place,” said John Inkley, federal manager of Palm Inc.
Inkley said the Pentagon’s top brass allows classified material to be used and stored on PDAs, but the PDAs come pre-loaded with security software and at-home syncing is not allowed.
People who would not store personal data on a corporate laptop should use the same policy for PDAs, said Inkley. The same goes for corporations that prohibit employees from using corporate or agency laptops at home on an unsecured network. They should have the same policy for corporate or agency PDAs, he said.
Both Inkley and Girard believe the security risks and problems now being recognized in the mobile world are the same ones that existed in the early days of the personal computer. Inkley noted, however, that laptops were built with minimum-security protections that had been discovered lacking on the desktop, but for reasons he did not identify these same protections were not built into the early-generation PDAs and have had to be added later.