Handheld risks prompt push for usage policies

Computerworld - SAN FRANCISCO -- The increasing security risk posed by handheld devices is creating a need for formal policies governing their use in corporate settings, according to IT managers and analysts who attended the RSA Conference 2005 here last week.

They added that a failure to pay attention to the threat posed by handhelds, many of which are personally owned by end users, leaves companies vulnerable to data losses and privacy breaches.

"Companies need to bite the bullet and address this problem now," said David Melnick, a security consultant at Deloitte & Touche LLP in New York. Driving much of the concern is the proliferating use of handheld devices for accessing corporate e-mail, storing sensitive data and running applications such as sales force automation and inventory management tools, Melnick said.

In a report issued two weeks ago, IBM's Global Security Intelligence Services team described mobile devices such as smart phones as "the next frontier for viruses, spam and other potential security threats."

IBM's Global Business Security Index Report, which offers a quarterly analysis of worldwide IT security trends, cited a growing number of viruses that target handhelds, including a recent one called Cabir. "It is likely that such worms will be used by copycats and may spur an epidemic of viruses aimed at mobile devices," the IBM report said.

Chuck Gilpin, a St. Louis-based network architect at The Boeing Co., said that such concerns have prompted the aircraft maker to require handheld and mobile users to use a virtual private network (VPN) to gain access to its corporate network. Boeing also mandates that users encrypt all sensitive corporate data stored on their handhelds, he said.

But implementing such measures has been a challenge, Gilpin added. The relative lack of client software for enabling protected access from handheld devices has made it hard for users to log in via Boeing's VPN, he said.

Similarly, it's hard to apply a consistent approach to securing the devices because they're made by many different manufacturers and come with various operating systems, he said.

Handheld-related security issues need to be made part of broader security planning processes for wireless LANs, said Djino Blanchette, director of telecommunications and IT at Ogilvy Renault, a Montreal-based law firm.

For now, Ogilvy Renault hasn't implemented any security measures for handheld devices, Blanchette said. Instead, the firm is focusing on deploying an intrusion-detection system to secure wireless access for lawyers using laptops. "Ultimately, though, it is all going to be part of the same problem," he said.

A good place to begin securing handhelds is to understand how they get into the enterprise, what kind of information is stored on them and how they're used to access corporate networks, Melnick said. Eventually, companies will need plans that provide auditing, monitoring and policy enforcement capabilities, he added. "This is a new, unbudgeted area of responsibility for IT," Melnick said.