Randy Johnston has been involved in computing for over 25 years. In addition to being a top-rated and entertaining speaker presenting technology seminars worldwide for K2 Enterprises (www.k2e.com), he is also Executive Vice-President and Co-owner of Network Management Group, Inc., a full-service computer networking and service company. Randy recently published Technology Best Practices for Wiley Publishing. You may contact Randy by e-mail at randyj@nmgi.com, or by phone at (620) 664-6000.
Computers & Software
2002-08-01 11:48:00
PDAs: I am able to access our company's computer with my PDA. We do not use any encryption software. What are our risks and what can we do about it?
Randy Johnston
Question: I am able to access our company's computer with my PDA. We do not use any encryption software. What are our risks and what can we do about it?

Answer: Personal Digital Assistants (PDAs) have made my life easier, and it sounds like that may be true for you, too. There are many risks, and your PDA can put your company's information at risk. We think that most companies are not worried enough about the loss of confidential or proprietary information through PDAs. The risks we will outline are true whether you are using a Palm OS-based device (Palm, HandSpring, etc.) or a Pocket PC (iPAQ, Jornada, etc.). Let's look at some of the issues.

First, you state that you have access to your company's computer. If you are fortunate enough to have wireless access built into your PDA and access your company's Local Area Network and servers as well as the Internet with your PDA, the data that you are transmitting is exposed unless your Information Technology department or technology consultant has secured the PDA at a hardware level using MAC (Media Access Control) addresses. We see very few wireless applications secured properly.

A much more common implementation is to simply synchronize your company information between your PDA and other software at your company. Common software that contains information that can be synchronized includes Outlook, ACT, GroupWise, Notes, and many other products. The synchronization is usually done with Intellisync or ActiveSync software. These products allow you to coordinate your calendar and to-do lists, as well as contact names, addresses and phone numbers. This allows you to conveniently carry all of this information with you. I do this myself by synchronizing all of these items, including approximately 4,000 contacts, and their complete histories. If my Palm Phone (the Samsung I300) was lost, there is a lot of confidential information that someone could synchronize into their system.
Even with a password set in the Palm or Pocket PC OS, this security is so weak that it is easily broken. This risk is so large that some organizations have banned the use of PDAs. Additional software can be added to secure the device further, and these password or encryption software add-ons do help.

An additional risk occurs when your PDA can be accessed even for a few moments in a restaurant or on a plane. Assume for a moment you leave your PDA at your seat to do something else for a moment. A person sitting near you can electronically transfer your data ("beam it") in a matter of seconds. Further, while you are using the PDA, your information is visible from quite a large angle, making the information less confidential. Having at least a password will prevent some of this unauthorized access, but it is painful to enter the password every time you want to use your PDA.

More sophisticated applications on PDAs can put even more of your company data at risk. A wonderful application available from Best Software for their accounting product, MAS90, allows a salesperson to carry all of their customers' information to the field, along with inventory information and actual pricing to the customer. The capacity in an 8MB Palm allows for 3,000 customers and 80,000 items. Orders can be entered on the PDA, and synchronized with the accounting system when you return to the office. But, as you can perceive, you are now carrying all of your customers and products with their prices to the field on a device that can be easily lost. You need to have a company policy controlling access to these devices, but mistakes will still occur.

With all of these situations causing risk, the value of having access to the data is so great that we think it is still acceptable to use PDAs, assuming that 1) a password is set, 2) the PDA is synchronized regularly, and 3) additional encryption or password software is used.