The continued anguish over encryption of Wi-Fi data, laudable though it is, carries a danger of blinding us to far greater security risks from mobile computing devices.

Sure, there is a risk that someone could catch packets on the move by sniffing wireless traffic at a hotspot and running decryption on it. But what about the fact that the mobile devices themselves probably contain quantities of corporate information - in a handy, stealable package? PDAS, particular, are now seen as a serious danger in and of themselves.

The problem has been known about since the dawn of laptops, PDAs and even mobile phones but has become more serious in the last year, as each class of device has added capabilities that make it much more of a risk.

  • Laptops are increasingly used to replace the office desktop, so IT managers can no longer demand that users keep all sensitive data off their portable PC
  • PDAs now pack a lot of memory and muscle, and routinely hold correspondence including sensitive files
  • Smartphones are now used for email and other tasks too

The only good side is that PDAs and smartphones now have sufficient processor muscle to support the security measures that their unbridled use makes necessary, such as VPNs and encryption.

Until 2003, the majority of PDA users only kept their diary up to date on the PDA, so there was little sensitive data on the machine. IT managers ignored or resisted their use, hoping that, offering no support would discourage all but technically competent people from using them.

Now, more people have them, and have sensitive data on board, such as presentations. Users are usually very scrupulous about keeping the devices synchronised, so they will still have the data, but many have not considered the possibility that others will get hold of it. Or the danger that a mobile device used outside the office can bring viruses into the system.

The danger with smartphones and PDAs is that many are bought with personal budgets, and are not managed by IT departments. Since the devices are becoming the norm, and are carrying corporate data, attempts to legislate against PDAs and smartphones are doomed to eventual failure. IT managers have to grasp the nettle, and impose a managed solution.

The first line of defence is always a password and all serious PDAs and smartphones have this as an option. However, far too many users simply do not turn the password on. Add to this the fact that many of them think it is a good idea to keep all their corporate passwords, and even bank-machine PIN numbers on the PDA, and you have the makings of serious problems.

This danger is so obvious, it is a surprise to find that a third of users leave themselves open to it, according to an annual PDA Usage Survey, carried out on by Pointsec Mobile Technologies. Most PDA thieves simply want the hardware to sell. If they find data they can use, they may well have a go, but a non-trivial password is usually enough to make them decide to do a hard reset and unload the kit for whatever they can get for it.

The IT manager can forbid PDAs, or demand that they are all password-protected, but this is futile unless it can be enforced. "If you tell people they can't use a device, they will use it clandestinely," says Jackie Groves, managing director of mobile security company Utimaco. "It doesn't work unless you have a very controlled environment. "

The best way to make sure a password is used, is to ensure that non-password protected PDAs can't use the VPN to access the corporate network. "Don't give them an extra password, replace a less secure password with a more powerful one," says Groves.

Passwords will keep out the opportunists, but someone who wants to get through them can, according to Groves. "The authentication that comes with a PDA is insecure - a two year old can get round it," she says. "Also there are very portable slot-in memory cards, which can get stolen or lost."

The answer is to encrypt all the corporate data on the mobile system. The aim is to make sure that anyone finding the PDA cannot get access to the data at all. To do this, you must encrypt the data. It has to be done transparently to the user, or the "awkwardness" overhead is too high.

The encryption should also apply to any form of portable storage, such as a USB RAM drive or an SD card. "You need to force-encrypt memory cards," says Groves. "The user should have no choice. Put in an unencrypted one, and the system requires you to fully encrypt it, so the user can't circumvent what you as a company have decided to do."

According to Pointsec, 57 percent of corporate PDAs are unencrypted, a figure that suggests a lot of companies have work to do here.

All security discussions eventually mention biometrics, and mobile devices are no exception. Signature recognition can be put on most PDAs, and the HP iPaq 5400 series is available with built-in fingerprint recognition.

There is little sign of biometrics taking over from password security here, as elsewhere in IT, because there are ways round it and it is still not trusted fully by IT managers. For now, keep an eye on it, as it becomes more suitable for large installations.

Management lockdown
All this has to come in a package that is easy to apply, and companies like Utimaco and Pointsec make much of their management tools. The thing is to make a policy and translate that into the workings of the chosen tools and, as with most security issues, the policy takes a lot more work than the technology. "Our consultancy to the customer is mostly based on best practice, not how to use the product."

Policy issues include preventing devices being synchronised with non-authorised computers, preventing smartphones working with other SIM chips and stopping non-company applications being launched.

Securing access to corporate applications has become easier, even across mobile devices, with the rise of VPNs. Traditional VPNs require a client to run on the device, but the SSL VPNs now in vogue allow standard web browsers (including those built into mobile devices) to connect to corporate applications using their built in SSL encryption. Neoteris, a hardware-based SSL VPN supplier has a version designed to work with the small screens of Pocket PC and Symbian devices.

The cost of securing a fleet of PDAs needn't be excessive, although they become proportionately higher the smaller the number secured. For 1000 laptops, the cost of Utimaco's Safegaurd would be £73 per machine, for 1000 PDAs, it would be £35 per machine, says Groves.

However, the ongoing administrative cost should also be factored in. Requiring heavier password use creates a burden on the support desk, although Groves says this needn't be too severe. Single sign-on means that users have fewer passwords to remember. However, enforcing a regime where passwords must be changed regularly, will inevitably mean more "I forgot my password" calls to the helpdesk.

The IT manager has to determine how the helpdesk will positively identify an employee when he or she phones up, and make these rules clear, Also, staggering the day on which people have to change their password is a good idea, as it prevents a big spike of helpdesk calls, when they instantly forget the new password. "Don't heap a load more work on the helpdesk," says Groves.

Conclusion: do it now
Mobile devices themselves are more of a risk than the wireless networks they use to communicate. There are many things IT managers can do to ensure such devices are not a corporate risk. The fundamental issue is to make sure that laptops and PDAs are within the control of the IT department.

This is a serious task, but is made easier by the fact that packages exist to do much of the work and the IT manager holds the keys to corporate access. Securing mobile devices is a job that can - and must - be done.