Personal digital assistants (PDAs) are no longer seen as an electronic toy for a minority of gadget-obsessed technology freaks. Extended memories, processors, diary synchronisation and wireless connection to internet portal links for enterprise data have given the PDA a place in the corporate network.

The use of handheld computers is estimated to grow by more than 50 per cent in the next few years. The Gartner Group forecast that more than one billion handheld computers and mobile telephones with wireless network connectivity will be used around the world by 2003.

Industry analyst IDC predicted that the PDA portion of this global market will explode in the next three years, from 13 million units in 2000 to some 64 million by 2004. As PDA sales increase, so do the number of connections to corporate networks posing a potential security breach.

The first, simple generation of PDAs was more or less protected from abuse through its limited capacity, which could not hold complex viruses or store large amounts of sensitive data. But newer PDAs will soon reach 128Mb in size, which is sufficient to store 10,000 personal or company addresses, 400 emails and 3000 documents with notes.

After a boost in PDA sales last Christmas, Psion carried out a survey about their affect on company networks. The research revealed that 70 per cent of network managers were concerned about how to integrate devices and applications without compromising existing IT systems.

Nick Martin, corporate sales director at Psion, warned companies to put policies in place for PDA use in the workplace to stop them from becoming a security and management nightmare. The company advised network managers to audit employee PDAs and said a policy should include essential security measures, guidelines on connection, and specifications about which applications can or cannot be used.

Adhering to standards

"Now is the time to set the standards before mobile devices are so pervasive that offices no longer have control. Companies should know what equipment their staff are using, and thus be able to promote better ways of working with them," said Martin said.

"Policies should be based on the potential for both harm and creativity, not the purchase price. Laptop use and abuse has been pretty much taped up, but this is a new phenomenon which must be acted on," he added.

Magnus Ahlberg, managing director of mobile security company Pointsec Technologies, said a handheld computer with the sort of power available today, containing huge amounts of corporate information, was easy to use away from the office, but was just as easy to lose or have stolen.

"The surge in use of mobile devices means that companies need to make sure their growing mobile workforce use devices that are secure, so that handhelds do not become the weakest link in their security system," he said.

Ahlberg pointed out that more people were now working on the move and were using powerful laptops and PDAs to store increasing amounts of valuable and confidential data. If this was lost or stolen, it could put a company at serious risk of sabotage, exploitation or damage to their professional integrity.

"Take the case last year of the jet fighter who lost his laptop allegedly containing hundreds of unencrypted top-secret diagrams. It was brought to the world's attention when a national newspaper handed the laptop back to an embarrassed MoD representative. This case highlights the importance of securing information held on mobile devices if it is of a sensitive or confidential nature," he said.

Ahlberg argued that the internet has changed the way we do business, and has left traditional methods of communicating and trading behind forever.

In order to be efficient, companies should allow staff to use mobile devices such as laptops, notebooks, PDAs or internet phones. But passing confidential client information or carrying out transactions of any kind over the internet has considerable security implications and legal ramifications, and cannot be ignored by network professionals.

"If handheld computers become as popular as mobile phones, the number of thefts could be astronomic," said Ahlberg. "The Federation of Communication Services states that over 15,000 mobile phones are stolen every month in the UK alone. PDAs are so low in price and simple to use, which makes them appealing to buy privately and use for company business. Increase in PDA use is directly relative to the number of handheld computers that are lost."

Mobile security

Companies spend billions of pounds a year on IT security systems for desktop computers, but very little is invested in securing the mobile workforce. Ahlberg said companies should have this area covered within their security policy but, in reality, very few have the necessary security tools to ensure protection against breaches.

According to the Department of Trade and Industry's Information Security Breaches Survey, 60 per cent of organisations have suffered a security breach in the last two years, but only one in seven have a formal management security policy in place. Only a third have done a risk assessment to identify security risks through a systematic approach.

There are few security devices available for PDAs and internet phones because companies are only just now beginning to recognise the real need for secure devices for their mobile workers. Last month, Pointsec released a security product for Palm OS, which included password access control and data encryption.

Psion has issued corporate PDA policy guidance, which touches on issues such as integration and security, including viruses, backup and securing of data.

It advised companies to lock out devices from the network if they are lost, use password protection and define security levels for remotely-accessed data. Virus policies should reflect the variety of devices and remain flexible enough to deal with future changes.

"But, even when PDA and laptops do have a security device automatically installed, users often try to circumvent this to avoid hassle. Once security is turned off, these devices become easy pickings for anyone to get confidential information or to get through the firewall and into the main corporate network," said Ahlberg.

SECURING PDAs