Security in the palm of your handheld?

You've spent untold dollars on firewalls and network security, but are all your organization's secrets walking out the door every time a PDA leaves your office? All your security efforts may be in vain unless you bolster what could be your weakest link.

Practically everyone I do business with these days has a handheld personal digital assistant (PDA) of some sort. Even the vet who came to look at my miniature donkey last week had a brand new one, as his old unit had disappeared a few weeks earlier.

All your company's executives, and even the sales force, probably carry around PDAs. They're incredibly convenient, but have you ever thought about the information stored in those handy little electronic notebooks?

They probably contain PIN numbers, unlisted phone numbers, credit card and calling card numbers, your home phone number (as you’re the admin), and more. They may even contain sensitive client, sales, and pricing information—the kind of information users often store on these handheld electronic data managers.

How much do you want to bet none of them has network passwords stored in them?

Now, can you name someone in your company who has "lost" his or her PDA?

Whether it was actually lost or, more likely, stolen, the loss of a PDA has little to do with the economics of replacing that relatively inexpensive piece of hardware. Nor will most users have much trouble restoring the data, because they should be keeping the PDA synchronized with their PC on a regular basis.

No, the hardware loss is a minor problem. But what should send a chill down your spine is the thought that PDA data is rarely ever secured!

When an executive's PDA is lost, you must assume that every bit of information it contained is now compromised. Thus, it's vital to immediately record the duplicate data on the PC that's synchronized to the PDA's database. You should review this information to determine just how big a security problem you now have, and you should keep a record in case of legal problems later.
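A first pass over that synchronized copy can be automated. The following is an added example, not part of the original article: it scans memo text for the kinds of data listed earlier (card numbers, passwords, PINs) and reports redacted findings. It assumes the records have already been exported to plain text; the sample memos, function names, and patterns are constructed for illustration.

```python
import re

# Constructed sample: memo records exported as plain text from the desktop sync copy.
SAMPLE_MEMOS = [
    "Travel: corp card 4111 1111 1111 1111 exp 09/02",
    "VPN login jsmith password: Winter99!",
    "ATM PIN 4821",
    "Order ref 1234 5678 9012 3456 (warehouse)",
    "Lunch with vendor Thursday",
]

# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|login)\b")
PIN_RE = re.compile(r"(?i)\bPIN\b\D{0,5}\d{4,8}\b")


def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def triage(memos):
    """Return (memo_index, category, redacted_evidence) for each exposure found."""
    findings = []
    for idx, text in enumerate(memos):
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                # Keep only the last four digits so the report is not itself sensitive.
                findings.append((idx, "payment-card", "****" + digits[-4:]))
        if CRED_RE.search(text):
            findings.append((idx, "credential", "<redacted>"))
        if PIN_RE.search(text):
            findings.append((idx, "pin", "<redacted>"))
    return findings


if __name__ == "__main__":
    for idx, category, evidence in triage(SAMPLE_MEMOS):
        print(f"memo {idx}: {category} {evidence}")
```

Each finding maps to a follow-up action: cancel the card, change the password, reissue the PIN.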

Secure PDAs
This doesn’t mean you must surrender the convenience of PDAs. Most offer at least minimal security in the form of password protection. While this is a pain for users, and you're going to hear complaints, no PDA should ever be allowed out of the office without password protection enabled. This is true regardless of who purchased the PDA. If it connects to your network, it’s your risk.

If, as seems likely, most company PDAs pass through the hands of someone in MIS (if only because executives need to be taught how to synchronize PDA files), then enforcing password protection is relatively easy.

Unfortunately, passwords can be guessed, and cracking PDAs has become a cottage industry in some places. Fortunately, there are third-party encryption programs available for PDAs. For all but the most innocuous data, such as public information simply carried in a PDA for convenience, encryption protection should definitely be considered.

Want a few options?
JAWS Technology Inc. offers the XMAIL program, a 4,096-bit e-mail encryption tool free to U.S. and Canadian users. The company will also sell the $20 JAWS Memo encryption program, which replaces the Palm's Memo application.

This is especially useful because it lets you encrypt single messages, all messages, or just those in a selected category. This tool lets you select a password up to 512 characters long and makes use of a strong 4,096-bit algorithm.

Available for Palm III and Palm V devices, JAWS Memo occupies only 35K of your precious PDA memory. You can try a free trial version that limits you to three encrypted memos at a time, too.

Ilium Software has several different versions of its $30 40-bit RC4 eWallet encryption software for handhelds, as well as Windows and NT PCs. Developer One's $30 CodeWallet is similar and now available for Windows CE PDAs and desktops. It boasts a 56-bit key option.

Remember, too, that Handspring's wildly popular Visor line is Palm compatible (after all, it was developed by the inventor of the Palm). Thus, the same encryption software can be used with Handspring PDAs.

If you don't have a PDA, you may not realize just how much confidential information your organization’s employees store in them. Because it’s so easy to load information from your PC, PDAs tend to carry a lot more current data than paper notebooks—and you don’t want that kind of data traversing trade shows, airports, and local coffee shops without some kind of protection.

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years. Don’t be alarmed that he has a miniature donkey; he’s also the proprietor of a ranch far removed from the city.
