As CIO you think that computer security is looked after, intrusion tests have been completed, security patches applied, and the auditors gave you a passing grade. But wait a minute! Did you know that the quickest way to access your organization’s confidential information is not by hacking the system or breaking through your firewall, but through a rogue BlackBerry? It gives instant, unauthorized access to the company’s e-mail system, contact information and calendaring.
Most IT organizations treat PDAs the same way they treated PCs 20 years ago, as toys or a fad. They let users connect their personal PDAs to the network and download and update enterprise data. You’d think we’d have learned from our experience with PCs.
According to Gartner Group, less than 30 per cent of PDAs are “sanctioned or managed at any level”. The majority of devices fail against even a mild security attack because users either never activate or in fact disable the security features of their PDAs! But, you say, all of our PDA users have passwords on their devices and if they misplace them they notify us immediately. You are kidding yourself! The first chance a PDA user gets, he or she will disable the password feature and unless there is a strict policy in place, the PDA user will be too embarrassed to let you know about a misplaced PDA until days, sometimes weeks, after it is lost. One of the many challenges in managing PDAs is that a user will generally consider it his or her own (until something goes wrong with it) and carry it around day and night.
So what is a CIO to do?
At a recent CIO Association of Canada (www.ciocanada.net) e-forum, CIOs discussed some of the best practices for managing PDAs. Here are some highlights:
- Standardize on a couple of device types and supported platforms so that you don’t end up supporting and maintaining a variety of mobile devices and service plans that come in as many flavors as Ben and Jerry’s ice cream.
- Don’t allow the connection of privately owned PDAs to your corporate network. There will also be an issue with having proper back-ups and generally adhering to standards.
- Budget money for managing the devices. Make it understood organization-wide that supporting PDAs costs money and puts demands on IT resources. These devices are often used by managers and executives who usually demand instant attention when there is a problem.
- Establish clear policies on PDA use, targeting items such as business versus personal use, playing games, downloading inappropriate material or using it to share family pictures.
- Make sure users know what to do when the PDA breaks (do not send it to a repair shop with corporate data on it, but to IT) and how to get a replacement.
- The user misplaces or loses the PDA for more than e.g. two hours. This is easiest to manage with BlackBerries as they can be erased (and restored when the BlackBerry is found) remotely.
- The employee leaves the company. We’ve all heard the example of the Morgan Stanley ex-employee who thought he’d erased all the information before putting his device up for sale on E-Bay, but he did not and all the corporate information was available for everyone to see.
Statistics show that employee productivity increases through the use of mobile devices, However, the old adage, the (security) chain is as strong as its weakest link, fits PDAs all too well.
Catherine Aczel Boivie is senior vice-president, IT for Pacific Blue Cross.
