For Users, It's Back to Basics

Experts say IT managers need to get the message out on security.

As third-party developers and vendors of handheld devices beef up encryption and password management technologies, Palm OS, Pocket PC and other handhelds are becoming more secure.

But, experts say, IT managers should not rely on the availability of improved software alone to secure handheld devices. To be sure, users should be required to install anti-virus software and keep it up-to-date, authenticate with user names and distinct passwords, and use encryption software to safeguard confidential data. But because many handheld devices still make their way into the enterprise through the back door, IT managers also need to go out of their way to communicate to users that the same policies used to secure PCs should be applied to handheld devices.

"Various technologies are very much safeguarding mechanisms so that damage can be kept to a minimum," said Bill Jaeger, an analyst at Meta Security Group Inc., in Charlotte, NC. "But because the hand-to-hand proliferation of handheld devices is so great, you really have to back up the technologies with policies to protect your organization and to keep people honest."

One thing is clear: The trickle of handheld devices into the enterprise has grown to a flood. Last year, the global handheld PC market grew to roughly 12 million units, according to Gartner Inc., in Stamford, Conn.

Unfortunately for handheld users—and for their organizations—most handheld operating systems, such as Palm OS, still lack built-in encryption and strong password management features, said David Pollino, managing security architect at security consultancy @Stake Inc., in San Francisco. While Palm OS and Windows CE devices come with security software installed by their manufacturers, analysts say that software is often insufficient for enterprise users.

"Security that comes on these handheld devices is the equivalent to having a lock on the screen door to your house," Meta's Jaeger said. "Any information found on a handheld could be considered mission-critical if it supports business functions and should be protected as such." (See eWEEK Labs' analysis of security improvements on tap for future mobile operating systems.)

Experts agree that even if the devices supported strong security technologies, many users would likely ignore them. That's because, in most organizations, handheld devices are purchased and deployed not by enterprise IT organizations but by individuals, who often see passwords and other security steps simply as productivity inhibitors.

As a result, @Stake's Pollino and others say, IT managers need to work harder to encourage individual PDA (personal digital assistant) users to adhere to some basic security best practices. Users should be discouraged from storing sensitive enterprise information on their PDAs in the first place, said Pollino, since these devices are so frequently lost and difficult to secure via passwords. Indeed, Gartner estimates that as many as 250,000 mobile phones and handheld computers will be lost at airports this year.

Second, said Pollino, individuals should make use of the default password capabilities built into PDAs, even though most are not robust. When PDAs are stolen, thieves are most often after the hardware itself, not the possibly sensitive data it stores. So even a password that's easy to crack or bypass will discourage some thieves.