Walking Disasters

Handhelds are everywhere, but they carry a lot of sensitive data and are easy to lose. So how do you keep these devices and their data from getting into the wrong hands? IT managers offer advice, from policies to passwords.

As an IT manager, Charles Novak never thought he'd be worrying about something called "promiscuous synchronizing." And despite warnings from some security experts, he's putting off the day he considers whether to recommend full-body searches for workers who could be hiding sensitive data on handheld computers or smart phones.

But Westinghouse Savannah River Co. in Aiken, S.C., makes weapons-grade plutonium and stores hazardous waste for the federal government, so the need to protect critical data from walking out the door is paramount, he says. Conceivably, a terrorist group could use the information to locate and steal secrets or deadly materials.

The coming flood of handheld computers and smart phones has made Novak, a technology planner at Westinghouse, rethink his assumptions about security. In 2003, there will be 1 billion smart devices connected wirelessly, and 600 million of those will be Web-enabled, say analysts at Gartner Group Inc. in Stamford, Conn.

"Setting a policy for use of handheld computers is the hardest part," Novak says. "Handhelds and smart phones are different creatures from laptops and other computers."

Many Risks

"It's terrifying when you think seriously about the security risks posed by handhelds," because there will be so many of them, says an information technology planner at a soap manufacturing and distribution company in the Midwest, who asked to remain anonymous.

"Anything network-connected is a security risk, and just about any PDA (personal digital assistant), cell phone or pager is on a network sooner or later," says David Gerstenlauer, director of network development at Ikon Office Solutions Inc. in Norcross, Ga.

Analysts and some IT managers worry that a disgruntled worker or corporate spy could quickly download data to a device with memory as big as 128MB, and the act might go unnoticed partly because synchronizing between handhelds can become so commonplace that experts call it "promiscuous." Plus, some devices are so small they're easy to hide and can even send data packets wirelessly or via an infrared port.

The greatest risk might come from loss of a device. For example, an innocent user carrying important information might accidentally leave a phone or handheld device in an airport without having set up sufficient password protection to block malicious use, analysts say (see story above).

Managers at a large pharmaceutical company once called Gartner analysts for advice because they wondered what to do about a salesman who had loaded on his handheld information on patients involved in an oncology study. In another case, a client lost a handheld with his online trading password easily accessible; luckily, it was returned with no unauthorized trades.

Analysts say Novak is like many IT managers who are struggling to find out all the security vulnerabilities of handhelds and then to determine whether the risk of losing data is serious enough to warrant expensive protections. The risks he's confronting are greater than those at many companies. "Handheld security concerns are not on the Top 10 list of IT worries right now, but they will be next year," when more devices will be brought to work, says John Pescatore, a Gartner analyst.

The security problems associated with handhelds require legal, administrative and technical precautions, analysts say. Simple steps matter. For example, the company, not individual workers, should pay for the devices. Moreover, the employer should install common synchronization software on a server and set higher standards for use of passwords and for encryption when the devices are used on a wireless or other type of network.

Westinghouse has 15,000 employees. Some of its labs have outright bans on using handhelds, but others don't. So Novak is helping set policies that apply to labs that allow handhelds. "People bring them in all the time, but we are trying to contain them," he says.

Westinghouse is developing a usage agreement for handhelds. Similar to the one that covers the use of laptops, the agreement would basically require a worker to surrender the data on a handheld, even if the device is his personal property. The company's laptop policy states that a security officer suspecting a breach might return the laptop minus a hard drive. But Novak says he has yet to find a way to scour clean the read-only memory (ROM) in a handheld device so he can return it to a user.

Another problem Novak has found is that it's hard to identify some handhelds reliably. Novak bought a dozen of Handspring Inc.'s new Visor handhelds but found they have no ROM identification number, which means there would be no way for a security guard to check whether a worker was walking out with the same device he had when he entered the building.

Novak's problems could be solved fairly simply if the company could require that company data be kept only on machines that the company purchased, analysts say. Yet, so far, less than 3% of the more than 3 million handhelds deployed in the U.S. and used by employees are purchased by companies, estimates Gartner analyst Ken Dulaney.

Experts say companies can begin to control the cost of supporting handhelds -- and also security risks -- by purchasing the devices and narrowing the choices from dozens of products to several. Next, corporations need to push their users to use the approved synchronization software that IT puts on a corporate server instead of the software that comes with each machine. That way, an IT shop can find synchronization software that works with several operating systems, and IT managers can monitor who is downloading corporate data.

"We have standardized on the cell phones people can use, but not the pagers or PDAs, and we have to come up with some policies for PDA usage and synchronization," says Ikon's Gerstenlauer.

Secure Transactions

Some companies that have raced to enter the consumer market for selling products and services via handhelds and the Web say security must be their top concern, or customers will stay away.

"We won't launch any application if it's not secure," says Joseph Ferra, a senior vice president at Fidelity Investments in Boston, which launched InstantBroker in 1998 to bring stock trades to customers via pagers and wireless handhelds.

Fidelity is working on digital certificate security to allow online wireless check-writing. The company has set a 128-bit encryption standard for all transactions.

Gartner analysts say some early experiences with wireless transactions weren't as secure as they should have been. Pescatore says he and another Gartner analyst, Bob Egan, ordered a book from Amazon.com Inc. via a Sprint PCS Group wireless phone last December and noticed that the phone allowed a user to insert a previously registered Amazon user name and password, but didn't hide the password with X's, as would be done on a PC. "That violates Security 101," says Pescatore (Technology, April 3).

Sprint PCS officials say the company decided it must keep the password visible as it's typed on a small, 10-button phone keypad. That practice will continue as a "technology trade-off," says Billy Stephens, director of product management and development for wireless data services at Sprint PCS. He urges phone users to keep their online phone e-commerce transactions as hidden from view as possible.

Also, the December transaction allowed Amazon to automatically bill a Pescatore purchase to one of his old credit cards without his authorization. Amazon.com says this wouldn't have been possible unless Pescatore had turned on the authorization via his PC.

And the transaction resulted in the Amazon password being cached on the phone's memory, something that Sprint officials say could be changed.

Joseph Baron, communications architect at Prudential Property and Casualty Insurance Co. in Holmdel, N.J., says agents are already using heavy-duty laptops and cellular phones in the field to respond to emergencies and have been trained to understand the security and privacy needs of customer data.

More handheld computers are expected, says Baron. "We would not want agents downloading sensitive data about a customer's policy from a corporate server to a handheld that some third party could see," he says.

But Alan Reiter, an analyst at Wireless Internet & Mobile Computing in Chevy Chase, Md., says companies setting up mobile workforces and consumer applications with handhelds aren't being careful enough. "Vendors and carriers need to be more worried about security and a lot, lot more worried about privacy," he says. "If they don't get on the ball, they are going to be surprised."

Analysts aren't as worried about data being sniffed or stolen from wireless transmissions in a company's wide-area network as they are about constantly connected devices such as PCs attached to a LAN. "Wireless sniffing is not a Top 10 worry," says Peter Tippett, vice chairman of ICSA.com in Reston, Va., a security consulting firm.

Egan says the threat of eavesdropping is greater over wireless LANs than WANs, where a hacker could find a wireless LAN router and try to hack into it from near a company's headquarters. But vendors are developing ways to protect wireless LAN routers from hacking.

Tippett says he believes a very cheap way to reduce security risks with handhelds is to require that passwords be six to eight characters long, using upper- and lower-case letters and punctuation marks. The passwords should also be assigned by a manager and changed monthly, he says.

The information security headaches from handheld devices may turn out to be even greater than the headaches caused by laptop PCs, because handhelds are smaller and thus easier to lose or steal.

"Everything that was a laptop security issue will be a serious issue for PDAs," says Robert P. Campbell, a security expert and managing director of Peak Consulting in Woodbridge, Va. "This is going to be a very serious problem, especially because senior executives will be using them for sensitive corporate information."


Copyright © 2000 IDG Communications, Inc.

Shop Tech Products at Amazon