
Out-Law News

Stolen PDAs provide open door to corporate networks


Businesses are being warned that all their information security measures may be worthless. For the second year in a row, a survey has found that their data could be compromised and their reputation damaged, as a third of employees are leaving business information and access details unprotected on their PDAs (Personal Digital Assistants).

This not only provides easy pickings for common thieves, it also provides an entry key to corporate systems for opportunists, hackers or competitors.

The PDA Usage Survey 2003 commissioned by Pointsec Mobile Technologies and conducted by Infosecurity Europe and Computer Weekly has found that PDA owners commonly download the entire contents of their personal and business lives onto their handheld computers - with many leaving the information unencrypted and without password protection.

Sensitive information commonly stored unprotected on PDAs includes corporate information, bank accounts, credit cards, social security numbers, inland revenue information, business and personal names and addresses, with a third also storing their personal passwords and PIN numbers without using the PDA's password function to protect this information.

Forty-one percent are using their PDA to access their corporate network, with a quarter of them bypassing the password function. Fifty-seven percent do not encrypt the corporate data held on their PDA, making it relatively easy for an unauthorised person to use the PDA to access a corporate network and assume the identity of the user.

The most notorious place for losing a mobile device such as a phone, laptop or PDA is a taxi (40%), closely followed by bars, restaurants and nightclubs (20%).

Over 40% of people have lost a mobile phone and a staggering quarter have lost a laptop or PDA or both, yet almost half of people don't bother insuring their PDA and just 2% insure the information held on them.

It also appears that 73% of companies still do not have a specific security policy for mobile devices.

Pointsec attacks this lack of a corporate policy as bad practice by IT managers: "is it any wonder that users are not aware of the risks and issues involved and a culture of 'who cares' develops?"

The company added in a statement:

"Even a cursory study of documents, such as the Data Protection Act 1998 and the BS7799 security standard, would hopefully see IT managers reaching for their pen (having just lost their portable), as they realise the legal and financial implications of not taking 'reasonable' security precautions, as per Principle 7 of the Act."

Magnus Ahlberg, Managing Director of Pointsec, added, "With the development of Wireless LAN technology, a competitor or hacker could just sit in the coffee bar next to your office and get access directly into your corporate network. Therefore it is imperative to encrypt all information held on PDAs."

The survey was conducted among 283 business personnel of whom 42% work for corporate organisations with over 1,000 employees.
