PDA Street


Top 10 Items You Shouldn't Allow on Employee Unprotected PDAs (and what to do about it)

We're constantly amazed at the type of sensitive information people store on devices that are as easy to misplace as a remote control. If you knew what walked around unprotected on your employees' mobile devices you might lose some sleep until you took steps to secure them.

With all of the time and money companies devote to securing their IT systems, a single unsecured PDA can poke a hole in a corporate security wall the size of Montana. Proprietary information that is otherwise under lock and key can easily make its way across the world in planes, trains, and automobiles, and this means the information is just a single loss away from a potential corporate disaster.

Unfortunately, it is almost impossible to control what employees keep on their PDAs. Since most enterprises don't budget for the latest mobile wonders, many devices in an organization are purchased by employees and walk in the back door. With external cards, there's no telling what unsecured data is stored on a PDA and carried in hip pockets, glove boxes, briefcases, and backpacks.

The same features that make handheld devices so useful make them a very serious security risk. Their portability, power, connectivity, and storage capacity add up to a ticking time bomb that is silently counting down as you're reading this article. Are you concerned yet? You should be.

We thought it would be fun and useful to put together a top 10 list, based upon feedback we've had from executives around the country as we compiled research for the writing of "PDA Security: Incorporating Handhelds into the Enterprise," our new book published by McGraw-Hill. With that, here are a few steps a company can take to get its handheld security in order:

1. Network Passwords. All of the hard work your IT security folks have done to secure your network can be thwarted with the stroke of a stylus. PDAs are a very convenient place for employees to keep those hard-to-remember items such as the 10-digit alphanumeric passwords they're forced to change every month. An unprotected mobile device can be the gateway into your entire network and all of the critical data and systems that it connects to.

2. Customer Data. Here's a lawsuit or PR nightmare waiting to happen. In the financial services industry, the loss of customer data could legally compel a company to contact every customer with the message that their personal information might have been compromised. Or consider this: wouldn't your competitor like to get hold of your customer list, along with sales history and contact information?

3. Press Releases. How would you like to see that strategic announcement that's scheduled for next month on the front page of your favorite business daily? Now that your employees can view e-mail on their handhelds, as well as Word and Acrobat files, the probability of such documents being on unprotected mobile devices is quite high. Many busy executives use their handheld devices to view and edit documents when they're on the road or commuting. In short, that critical press release that your hard-working staff member updated on the train is a sitting duck for whoever finds it when it's left on the seat. And if you're a public company and this information gets released prior to public distribution, you'll have the SEC knocking on your office door.

4. Credit Card & Account Numbers. Another item that should never be stored on a mobile device is the company credit card number. Guess what? It happens all the time. With so much ordering via the Internet, it's quite handy to keep credit card numbers a click away by posting them on an Outlook Note. That's just a sync away from a mobile device and a cab driver's eBay shopping extravaganza.

5. Financial Data. What does SEC stand for again? Although handhelds aren't the best way to browse through large spreadsheets, they sure synchronize nicely and often find their way onto mobile devices. Whether it's an in-progress annual report or the internal projections for next quarter's sales, the inadvertent leak of financial data can have catastrophic consequences that could last a corporate lifetime.

6. E-Mail. There's no telling what proprietary information is to be found in your employees' in-boxes. With Wi-Fi, Bluetooth, and cellular equipped devices, downloading e-mail is a snap. An unprotected device can offer very interesting reading and present a great liability potential to your organization.

7. Intranet Access. Let's give your people the benefit of the doubt and believe that they're responsible enough to never store passwords in their notepad. Unfortunately, there's a good chance that they've checked the "remember user name and password" button on their mobile browser. Presto! Your son's tech-savvy high school friend (of course your own son or daughter would never do such a thing), who found your PDA sitting on your desk in your house, can now stroll through your company's Intranet. It's more fun than an Xbox.

8. Price Lists. Your best salesperson just finished a great meeting with a top client. In all of the excitement, she left her handheld sitting on the desk on her way out. Unfortunately, curiosity got the better of your customer. Oops! Your client's competitor is getting a better deal than they are. You can tell the rest of the story.

9. Employee Information. Nice social security number! Aside from the litigation exposure, the loss of employee data such as payroll information can do great harm to your organization. Even if the mobile device is lost in your office, exposure of confidential information to unauthorized parties can cause great problems.

10. Medical (HIPAA) Information. Most companies don't have $50,000 to throw around for every violation of the new HIPAA privacy standards. Now that doctors, nurses, and medical staff have access to nifty new programs that run on their PDAs, this has become a very serious issue.

Feeling a bit queasy now? If your handhelds aren't secured you should be feeling a little bit nauseous. The good news is that there are relatively simple (and economically feasible) steps you can take to minimize the risk of data loss and secure your company's data from prying eyes and finders-keepers.

Here are some security measures to take:

1. Fact Finding. The first step is to get a handle on what you're up against. How many employees currently synchronize personal handhelds to company computers? Does your company officially supply or support PDAs? If so, do specific groups within the organization use particular OS or hardware platforms? What kind of sensitive information may be at risk? Are there industry-specific rules for the security of your data? Don't limit thinking to officially sanctioned information.

2. Create or extend your written security policy. Hopefully, your company has a written security policy. If so, it should be extended to handheld devices. If you deem it necessary, include the right of the business to inspect and audit PDA contents at will. This will help to ensure maximum adherence to policies.

3. Track and tag the devices and display contact info on the opening screen. Gartner Group estimates that companies with more than 5,000 employees could save between $300,000 and $500,000 annually by tracking, tagging, and providing contact information on PDAs and mobile phones.

4. Establish a personal PDA policy. If employees have their own PDAs, will the business allow synching with work computers? Are there special security concerns for your organization regarding specific handheld devices such as Linux OS PDAs, smart phones, etc.? Chances are, many, if not most, of the handheld devices in your organization are personally owned, rather than supplied by your company. It is crucial that you define policies that effectively define how they interact with your data and systems.

5. Define sync limits. Can all data get downloaded to PDAs, or only specific files and folders? Should you consider a network synchronization solution or limit connection to desktop PCs? Granted, this is very difficult to control. If someone has access to data, there are many ways to move it to a mobile device, ranging from copying to a memory stick or SD card, to sending a file via an instant messaging client. Nevertheless, by establishing limitations for synchronization, there will be much less inadvertent movement of prohibited information to mobile devices.

6. Consider firewall reconfiguration. If employees will use the PDA for wireless connectivity to the corporate network, consider installing extra protection. Reconfiguring or installing a firewall at the points where a PDA might upload or download information is critical. As part of a multi-layered security approach, make sure your employees know that storing user names and passwords on their mobile devices is prohibited. An occasional audit of handheld devices will help keep people on their toes.

7. Define standard security software. It is critical that security policies are enforced through security software that mandates appropriate security settings. A range of security solutions is available that will enable you to establish and enforce security policies on your employees' mobile devices.

Obviously, not doing anything is not the solution. If you have just one staff member currently storing confidential information on a handheld device, your company is at risk. PDAs are in your organization because they are unique in being able to make decision-making data available anytime and anywhere. However, convenience and efficiency must be available within a paradigm that does not unduly put valuable corporate assets at risk. There are simple and low-cost steps an organization can take to protect the corporation. At a minimum, you should immediately take steps to safeguard the information on your own PDA. For additional information on this subject, you can visit www.pdasecurity-book.com. If there are other items that you think should have made our "top 10 list," feel free to email the author at bob.elfanbaum@asolutions.com.

About the Authors:
Bob Elfanbaum is CEO of Asynchrony Solutions, Inc., the developer of PDA Defense security software www.pdadefense.com. Bob is also co-author of "PDA Security: Incorporating Handhelds Into the Enterprise," published by McGraw-Hill and available at fine bookstores everywhere.

Mark Dinman has served as the product manager of Asynchrony Solutions' PDA Defense product since its inception.
