Corporate PDAs & Security. What Security?


Jonathon Watkins
05-01-2004, 06:00 PM
http://www.mobilemag.com/content/100/333/C2768/

Mobilemag have posted an interesting article about PDA security: "PDAs have become a daily productivity tool for millions of business users. A new study of PDA users, however, points to a significant risk to companies, as large numbers of employees store company-sensitive information on the small, easily lost or stolen devices with virtually no security protection of any kind."

You don't say? Is the term 'Secure Corporate PDA' an oxymoron? :? I am always surprised by the number of folks that don't secure the information on their PDAs, but according to this survey, I shouldn't be...

"Among the study's key findings:
- Half of all respondents did not have any kind of security features on their PDAs other than standard power-on password protection;
- 81% of respondents carry "somewhat valuable" or "extremely valuable" information on their PDA;
- 24% of respondents have experienced a loss or theft of at least one of their PDAs;
- 38% access their corporate networks or multiple networks using their device; and
- 60% of all executive-level respondents say their business would be "somewhat" or "extremely" affected if the data on company-issued PDAs were lost."

How does this tally with your attitude to PDA security? Have you had a PDA lost or stolen? Do you store company-sensitive information on your device? Do you use the built-in Pocket PC security, a more secure add-in program or none at all? Enquiring minds want to know. :wink:

Kacey Green
05-01-2004, 07:59 PM
I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.

bjornkeizers
05-01-2004, 09:10 PM
My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device. As such, I do keep my schedule on it, and I do have the odd school document - but no phone numbers except my own, no mail addresses except my own, no passwords, credit card or bank account info. Nothing. I feel totally secure and comfortable handing my PDA to someone. Hell, I don't even have a password on it. If it gets nicked or I lose it for real, then it's lost all the same.

Having said that, this survey shows that people in general know ****-all about security. Imagine a doctor who keeps patient info on it. Would you like that device falling in the wrong hands? Or how a relative, wife, girlfriend who carelessly wrote down your bank account details / email / birthdate / ICQ on their PDA?.... I would feel very uncomfortable, knowing that sort of info is unprotected, sitting in someone's non-secure PDA out in the open...

GoldKey
05-01-2004, 10:44 PM
I've been writing this up as an issue in audits for nearly three years now. Of course, even after I write them up, they don't really do anything to fix this issue.

jt3
05-02-2004, 12:34 AM
> I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.

More correctly, if the device has a lower security rating than the document, it isn't capable of accessing the document. If that's not the case, then the person who designed the system, or at least the security aspects of the system, violated several NSA regulations to the contrary. When it comes to military computers, the rules are quite a bit less flexible.

> My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device.

The way I see it, that's a somewhat naive way of looking at it (please don't take offense at this, none was meant). By and large, the same people who won't store credit card information on their PDA, where it can be encrypted and locked behind several types of password or biometric security, will gladly carry those same credit card numbers in their wallet with no security whatsoever.

My point here, is that we carry around information every day that we wouldn't want to fall in the wrong hands. Our address, social security number, credit card numbers, etc. are usually kept in our pockets or purses somewhere with no thought of security. Given the choice, I'd much rather migrate this information to my PDA, where it can be at least somewhat secured. My PDA does contain all of my credit card numbers, which enables me to only carry around the one or two I use on a daily basis, while giving me access to the rest, in case of an emergency. The end result is that I've actually lessened the chances of this information being compromised.

Granted, I would agree that migrating everything over to your PDA and not having any passwords or encryption methods protecting it provides for "one stop shopping" for any thief, but my PDA has biometric security (thumbprint), and my "secret" information is encrypted at the file level, with the application accessing it having password protection. This is much more security than my leather wallet offers.

Zack Mahdavi
05-02-2004, 04:01 AM
I take security seriously, but that doesn't mean I don't keep sensitive information on my Pocket PC. Any public information (such as phone numbers and addresses) is not password protected. However, any private information, like credit cards, procurement cards, insurance cards, etc. is stored in eWallet in RAM. I feel safe using eWallet since it encrypts the wallet files.

However, any information that isn't publicly available or that can't go in eWallet doesn't ever go into my PDA.

pjerry220
05-02-2004, 04:21 AM
I do keep company and private data on my PDA. I use the iPAQ H5555 biometric finger option, a PIN password, and Flex Wallet for encryption of data.

We push Flex Wallet to all our employees for use on their PDA.

Kacey Green
05-02-2004, 05:03 AM
> > I like the military's method of data security, each file has a security rating, each computer also has a security rating, if the device has a lower security rating than the document, you aren't supposed to attempt to access it from the device.

> More correctly, if the device has a lower security rating than the document, it isn't capable of accessing the document. If that's not the case, then the person who designed the system, or at least the security aspects of the system, violated several NSA regulations to the contrary. When it comes to military computers, the rules are quite a bit less flexible.

True, if the device doesn't respect the security levels it should be barred by the servers if it doesn't have clearance for a certain document, but the user can be punished for knowingly violating this, which is what I was referring to, because the scope of this article was in response to the PPC (I didn't read the link so it truly only relates to the PPC).
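
The difference discussed in the posts above, between a rule the user is expected to follow and a check the server enforces while recording refused attempts, can be sketched as follows. This is an added example and not part of any post in the thread; the level names, class names and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):  # assumed label names, ordered low to high
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Device:
    name: str
    rating: Level

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level

@dataclass
class DocumentServer:
    documents: dict  # name -> (Level, contents); constructed sample data
    audit_log: list = field(default_factory=list)

    def fetch(self, user: User, device: Device, doc_name: str) -> str:
        """Release a document only if user AND device both dominate its label."""
        label, contents = self.documents[doc_name]
        # A session is only as trustworthy as its weakest part.
        effective = min(user.clearance, device.rating)
        allowed = effective >= label
        # Log every decision so refused attempts can be followed up.
        self.audit_log.append((user.name, device.name, doc_name, label.name, allowed))
        if not allowed:
            raise PermissionError(f"{user.name} on {device.name} may not read {label.name} data")
        return contents

def denied_attempts(server: DocumentServer) -> list:
    """Audit entries for refused requests: who tried what, from which device."""
    return [entry for entry in server.audit_log if not entry[4]]

if __name__ == "__main__":
    server = DocumentServer({"plan": (Level.SECRET, "constructed contents")})
    try:
        server.fetch(User("alice", Level.SECRET), Device("pda", Level.CONFIDENTIAL), "plan")
    except PermissionError as err:
        print(err, denied_attempts(server))
```

A cleared user on a lower-rated handheld is refused here because the decision is made on the server side, and the refusal still leaves an audit entry naming the user and the device.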

bjornkeizers
05-02-2004, 09:28 AM
> > My attitude towards security (not just for PPC) is as follows: If it is info that I would feel uncomfortable losing or falling into the wrong hands, I don't store it on the device.

> The way I see it, that's a somewhat naive way of looking at it (please don't take offense at this, none was meant). By and large, the same people who won't store credit card information on their PDA, where it can be encrypted and locked behind several types of password or biometric security, will gladly carry those same credit card numbers in their wallet with no security whatsoever.

Well, *I* don't, but you're right - most people will still carry their plastic. But I can understand that - you never know when you'll need your card, and it doesn't do you much good if you left it at home. And if your wallet gets stolen, well, then you have a good excuse if something happens to your card info. But how do you explain to your credit card company that you kept your info on an unprotected PDA, knowing full well the risks of that?

You have a good point about all the other cards we carry - I only carry the ones that aren't sensitive or pose a security risk (I don't carry any ID, no credit cards, nothing except my ATM card, my OV card and a customer loyalty card of my favorite DVD pusher, and about $20 cash - that's really all you need).

Kacey Green
05-02-2004, 12:00 PM
> (I don't carry any ID ...

8O What if a cop pulls you over? Or is that a Dutch? thing?

bjornkeizers
05-02-2004, 03:35 PM
I don't drive a car. Actually, carrying ID is sort of a grey area over here. Since June 1st, 1994 we have a new law that states that 'you have to be able to identify yourself in certain situations'.

Basically what this means is: you are only required to show your ID in certain situations - like opening a bank account, signing notary contracts, when applying for a job etc. Outside of those situations, I don't have to show my card to *anyone* - which includes the police. Police here have much less rights than in other countries. They can't search me or ask me to show my ID for no good reason.