Q

Managing BlackBerrys

My company doesn't provide its employees with PDAs, but a lot of the sales guys have their own BlackBerrys. There's been some concern about their accessing corporate data on their BlackBerrys. How much should we worry about this, and what steps should we take to minimize the risk?
The growing base of handheld devices within the enterprise, be they RIM BlackBerrys, Palms, Pocket PCs or even Java-based mobile phones, is creating a new set of concerns for security professionals in nearly all industries. Corporate data on handheld devices is certainly an issue worth worrying about, because corporate data needs to be protected no matter where it resides, and the physical nature of handheld devices means they are more easily lost than other mobile clients such as laptop computers. Traditionally, the smaller the device, the more it moves and the more susceptible it is to theft or being misplaced.

Filling the security holes is complicated for enterprises that support handheld devices and nearly impossible for organizations that choose not to support them. In the context of a situation where devices are the personal property of employees, it is challenging to enforce some of the simplest but vital functions involving systems containing sensitive data, such as standard software installations, access rights, asset management, etc. Also, without the management responsibility that comes with clear corporate ownership, IT departments end up responding to mostly break/fix scenarios and problems that are anything but reasonably predictable, which eats away at IT productivity.

This is, however, a very common scenario for corporations in the face of pressures from a tight economy. The majority of enterprises continue to scrutinize the value of mobile solutions and the utility of handheld devices beyond their personal information management heritage. With only 27% of U.S. device shipments in 2002 being purchased with enterprise funds, a share expected to grow to just 45% in 2006, the threats that come from individually owned handheld devices will continue to plague security professionals for the foreseeable future. With that said, however, corporations can work to enforce a variety of policies to help minimize the threats, such as:
  • The installation of synchronization software on corporate systems must be approved by management prior to use.
  • Data encryption and/or password access controls must be used on devices that hold corporate data. Passwords must be used to power-on the device and to enable data transfers to and from the corporate network and the PDA.
  • Network systems passwords are not allowed to be stored on PDAs.
  • PDAs should be configured to power-off after a set period of inactivity, and a password should be required to re-power the device.
  • PDAs should not be allowed to hold simultaneous connections with the corporate network and non-corporate networks such as the Internet.
  • Handheld devices that sync to corporate systems are subject to asset audits regardless of whether they are personally owned.
  • Mandate centralized synchronization; prohibit synchronization to local desktops.
This was first published in May 2003
