Mobile Devices Pose Huge Risk to Company Data

Rethinking security is key to accommodating wireless computing.

Now is truly the dawn of the golden age of mobile computing. Cell phones incorporate more and more true computing features while leveraging faster and faster wireless networks. As you can see from the wireless data network stories that lead off the Labs section this week, true enterprise business applications can be logged in to and used effectively from PDAs and many phones. Workers can be productive no matter where they are.

And, as a result, your sensitive company data is in serious, serious trouble.

Im not talking about viruses and security holes in mobile devices and software. Its definitely worth watching out for these vulnerabilities, but, right now, theyre not a significant issue. Although the occasional mobile virus gets some media attention, most to date have been mainly annoying or DoS-type problems and havent targeted data.

/zimages/2/28571.gifClick here to read about the latest mobile malware.

Im talking about these devices being used by workers in ways that seem sensible and timesaving but, in effect, are endangering your companys assets and compliance with government mandates.

For your consideration: A prominent doctor at a major hospital fancies himself something of a gadget geek. He purchases a top-of-the-line cell phone with many PDA capabilities. The doctor starts using the device at work to make his life easier. This includes copying to his way-cool cell phone the data he uses all the time—data that may include patient information. So, as soon as the doctor walks out of the hospital, a HIPAA violation occurs.

The scenario just outlined is bad, but it would be worse if the doctor used the phone/PDA device to log on to an insecure network, accidentally forwarded sensitive information, loaned the device to a friend or traded it in for a new phone without wiping stored data.

Similar very realistic, very likely scenarios could be developed for almost any industry. For example, just substitute a CEO for the doctor, financial information for patient data, and Sarbanes-Oxley for HIPAA.

Even worse, short of banning cell phones and PDAs, there is pretty much nothing you as an IT administrator can do to make this problem go away.

As I wrote in a previous column, its almost impossible these days to get a cell phone that is just a cell phone. And there are few, if any, tools currently available that allow IT departments to lock down and secure the capabilities of these powerful new communications devices.

Even if there were such tools, they would become obsolete the minute the next generation of phones was released—and we all know how often that happens.

/zimages/2/28571.gifClick here to read about Avocents Mobile Sentinel software, which allows IT administrators to send real-time commands over the air to delete sensitive data on a devices memory in cases of theft or loss.

Maybe youre thinking your company will be OK because it has invested a lot of time and money into controlling how sensitive data moves inside and outside the company—on document management systems, regulatory compliance tools and digital rights management products.

Think again: When it comes to next-generation super-cell phones, these products might as well not exist.

One of the only ways to prevent data leakage from mobile devices is to try to lock down all the desktop tools that can link to them. But to do this, youd need to strip down Outlook and other Microsoft Office tools to the point where you may be better off just using Notepad and a POP mail client from 1992.

And, really, no technology tool will ever completely prevent data drains. Deterred by technology, the doctor from the scenario I outlined earlier would probably enter sensitive data directly into his device by hand. And your high-priced data security systems wouldnt have a clue.

The best tool for preventing sensitive data from being downloaded to mobile devices is user education. Indeed, the only way to cut down on company information making its way onto insecure cell phones and mobile devices is through company policies and regulations.

Users need to know that these devices present serious risks to company data and that careful consideration should be made to what goes on—and doesnt go on—cell phones and PDAs.

But good luck enforcing these policies with high-level executives at your company, who wont appreciate your limiting their use of these new toys. It kind of makes you long for the days when managing mobile workers meant dealing with beepers, phone cards and slow dial-up connections.

Labs Director Jim Rapoza can be reached at

To read more Jim Rapoza, subscribe to eWEEK magazine.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest news, reviews and analysis on mobile and wireless computing.