PDA Hell

01/01/2012

In the fourth of a new weekly series for Cambridge Network members, IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Personal Digital Assistants, or PDAs.



The Problem


Your business information is only as secure as your weakest link.

Over the last seven or eight years, PDAs – Palm Pilots, Treos and, more recently, BlackBerries and SmartPhones – have become that weakest link.

PDAs are small, relatively inexpensive, and often owned by the employee, not by the employer. Almost everyone who has a PDA uses it for both business and personal records. Personal data includes confidential, sensitive stuff like PINs, bank account and credit card details, user names and passwords. Business information includes contact lists, confidential information about employees, customers and suppliers that may be subject to privacy and data protection legislation. You only have to lose one to realise exactly how valuable it is.



The Risks


And, of course, if it’s valuable to you, it’s valuable to someone else. That’s one area of risk; the other is that your PDA probably has a wireless communication capability. This makes it an interesting target for cyber-criminals. PDAs have four specific areas of risk:

1. Theft or loss of the device

2. Theft of confidential information, including identity theft

3. Viruses, worms, Trojans and other malware

4. Denial of service or network attacks



The Impacts


Losing a PDA-full of data, when you’re on the road or some way away from base, can make life a bit difficult. And confidential corporate information can be copied, changed or destroyed and data (customer lists, staff lists, etc) that is subject to data protection, human rights and privacy legislation can be stolen. Identity theft is also easy if a villain can access all the sensitive personal data on your PDA. Unsecured wireless PDAs also allow PDA-vectored, airborne viruses, worms, Trojans and other malware onto corporate networks.



What do we do about it?


The first thing employers have to do is recognise that, whether the PDA belongs to the employee or not, it is a very real vulnerability. Even if it is not used for wireless communication, it is under threat. Once this is recognized, the steps to take are straightforward. You need a specific PDA-related policy, which prohibits employees from using PDAs, or connecting them to corporate networks, unless the PDA is:

· password protected

· has PDA-level anti-virus software

· has a PDA-level firewall

· has PDA-level software patching and updating

· is accessing the corporate network through a PDA-level VPN

· has any confidential corporate information encrypted

· is regularly backed up/synchronized with a PC



What else?


The two simplest steps to take are:

1) show the user’s name and contact number prominently on the outside of the device – if the contents are password protected and encrypted, you might get it back, and

2) don’t allow PDAs to be left unattended in their charging cradles – why make it easy, and tempting, for a passer-by to steal it?

 

Next week: The wireless ghost



Alan Calder’s company provides businesses with consultancy support and advice on governance and business security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone + 44 845 070 1750

 

 

 

 

 

PROTECT YOUR
BUSINESS
THIS WINTER