I will probably be the last person in North America to acquire a personal digital assistant. But I’m clearly bucking the trend. Many people are increasingly relying on PDAs, palmtops, two-way text pagers and Internet-ready cell phones to do business and to keep in touch with friends and family. They’re becoming de rigueur in many hospitals, replacing paper charts and prescription pads. In some well-off suburbs, schools are distributing PDAs to middle school students. These devices are used to store phone numbers and address lists, meeting notes, and business and personal schedules.
So why am I holding out? As handy as these devices may be, unfortunately they are regularly lost, left in bars or taxis, stolen, or dropped on the floor. And don’t put your ultrathin PDA in your back pocket and then sit down.
Think about it—not only do you risk losing data, you may not realize just how useful your phone list or those meeting notes might be to a competitor. Schedules can provide clues to new business partnerships or impending merger activity. Cellular phone logs can yield business intelligence, too, not to mention interesting personal details. The situation will become even more complicated when 3G wireless technologies really take off and a wave of new services begins bypassing the corporate firewall.
This poses a real problem for companies that are trying to protect information assets. Potentially confidential corporate data is being stored on devices that, in many cases, are owned by the individual employee, not the company. (For the moment, I am not going to address the security problems inherent in wireless protocols for data transmission—that’s another headache altogether.) Very few companies have security policies or standards that address the use and management of wireless devices, but there is definitely a need to raise awareness about the potential risks.
The first step is to determine what types of company-owned and—if possible—personal devices your employees are using. Next, evaluate the risk in your environment, and draft policies to address it. For example, decide whether users will be responsible for backing up data and see that necessary tools or facilities are provided. Check logs for syncing operations to make sure there has been no unauthorized activity. Consider encryption software to protect data stored on handheld devices—don’t rely on passwords alone, as methods for cracking them have already been published. Provide “approved” software and discourage downloads of untested software from the Internet. Finally, begin training and other awareness activities to make sure employees understand the risks and what is or is not acceptable use within your organization.
The proliferation of personal wireless devices is a quiet but growing information security issue. Now’s the time to address it before someone else does, to your disadvantage.