Sloppy PDA habits are compromising customer confidentiality and putting companies’ reputations on the line, it is claimed.
Sloppy PDA habits are compromising customer confidentiality and putting companies’ reputations on the line, according to the findings of the Mobile Vulnerability Survey 2004, commissioned by Pointsec Mobile Technologies and Infosecurity Europe. Two thirds of PDAs are used to store client details and corporate information, but without adequate protection.
PDAs are now entrenched as corporate communication tools, with almost half being used to receive and view corporate emails, and a third now doubling as a phone. The storage of the names and addresses of corporate customers is now common, yet despite the value of such information stored on these PDAs, a full two thirds of users do not use any kind of encryption to protect the data. The survey findings show that one of the fastest and easiest ways to access corporate data is through unprotected PDAs that are lost or stolen, as they contain business names and addresses, spreadsheets and other corporate documents. The survey found that a third of users do not even use password protection on their devices, leaving the information vulnerable to opportunists, hackers or competitors. As a result, a lost PDA could have a huge impact on customer confidence and do untold damage to a company’s reputation, the survey claimed.
Personal information
As well as using their PDAs to store company information, many users store valuable personal information such as PIN numbers, bank account details, social security numbers, credit card information and even lists of passwords, many of which can be accessed – ironically – without a password. Although more companies than ever have introduced a specific mobile security policy – over half have a policy compared with 27pc last year – very little has changed when it comes to enforcing the protection of data on mobile devices, say the survey organisers. For three years in a row, the number of people who are encrypting their data or using passwords to secure their PDAs has remained roughly static, in spite of the efforts of companies introducing mobile security policies. Despite the large amount of valuable and sensitive customer and corporate information stored on mobile devices, half of companies do not inform the police of the loss of their devices, as they believe there is nothing they can do. Similarly, almost half fail to inform their insurance company about the loss of a device. This is because few companies insure their mobile devices, let alone the data that resides on them, the survey found.
What they say
Magnus Ahlberg, Managing Director of Pointsec Mobile Technologies, said: "Clearly companies are under-estimating, or are totally unaware of the amount of valuable information which is being stored on personal and business mobile devices. Our advice is that companies should ensure that they have a mobile security policy and that all data is protected by centrally managed encryption and password protection. To do this you have to take the responsibility away from the users and make it the companies’ sole responsibility. Mobile security need not be complicated; it is simply a matter of having a blanket approach by centrally administering all devices with encryption and password protection which users cannot get around – this provides the company with the insurance they need which is inexpensive to administer."
Other findings
The survey also shows that:
13pc of respondents have had the misfortune of losing their mobile device, with the most likely places to lose a mobile device being in a taxi (30pc), car (20pc), the home (20pc), an airport (10pc) or a restaurant (10pc).
It takes a user an average of two days to recover, reconfigure and re-enter data onto a new PDA if their previous device has been lost or stolen.
Forty percent of users would not be issued with a new company mobile device in the event of the loss or theft of their PDA; while just 18pc said that they would be reprimanded for losing their device. Only 10pc believe that they should worry about the potential loss of their mobile device because it could result in the company inadvertently breaching the Data Protection Act.
About the show
April 26-28, 2005: Infosecurity Europe, Grand Hall, Olympia, London. Information and IT security conference and exhibition:
