Padlock Your PDA

Photo: Jay Carlson

Ed Leffler, Director of Technology at Wayne Automatic Fire Sprinklers Inc.

Personal digital assistants, or PDAs, have been around for a long time. Over the years, the rise of the Palm, Windows CE — renamed Windows Mobile — various forms of “smart” cellphones, plus the proliferation of wireless connections — Wi-Fi, Bluetooth or the various broadband offerings of the cellular wireless carriers — have given PDAs the ability to be useful mobile nodes on your company’s network, offering significant productivity gains but carrying comparable security risks.

At Wayne Automatic Fire Sprinklers, one of the largest fire protection companies in Florida, we use third-party software that allows our Service Department to update service tickets directly in our dispatch and accounting systems. We’ve seen a boost in revenues and profits in the departments using the remote-access application. Things don’t slip through the cracks as easily, when service technicians can charge the customer for parts and equipment on the spot, as they are taken from stock on the service truck.

Such widespread remote access to our company data is not without risks. But there are relatively simple ways to secure the point of connection and keep company data and networks safe. For starters, make sure that virus protection programs and spyware detectors are installed and up-to-date, along with the latest security patches to all operating systems and applications. In our case, PDAs connect to company data through Microsoft’s Internet Information Services (IIS) running on a Web server behind the firewall. When we need to allow the PDAs and remote PCs a more direct connection to the data, we pass the connection through a VPN with encryption.

Companies using IIS should make sure to use the latest version. Until recently, the default installation enabled all sorts of options that can pose security risks. Now Microsoft ships IIS with most options disabled by default.

Disable the default Web site on IIS and store your Web site in a different location than the default. Make sure to use both network security as well as share and Active Directory security functions. Where appropriate, create roles and assign individual users to those roles. That way, when an employee leaves the company, or loses a PDA, the permissions don’t have to be completely rebuilt.

Make sure that the ODBC (Open Database Connectivity) data connections use strong passwords and run the IIS services and data access with service-level accounts, not a domain administrator account.

These are the minimum steps companies should take to secure their networks and data, while still making remote PDA access practical for the users who need it. There are more stringent approaches to consider. Yet there is a trade-off between tight security and ease of use. The goal of security measures is to minimize risks, so companies should carefully weigh the risks of a breach against the productivity gained by deploying PDAs for remote access.

And don’t forget to make and test your backups. I also recommend having at least one spare PDA on hand, in case it’s the CEO who leaves his or hers in a taxicab.