May 29, 2003, 2:43 PM — John in marketing went out on Saturday and spent his bonus on a shiny new handheld computer. He has spent the weekend playing with it, and now he's trying to install the handeld's back-up software on his work PC.
Should his IT manager stop him? Company policies range from laissez faire to completely banning outside devices, for fear of opening the network to the risk of attack. With virus companies offering firewalls and virus scanners for PDAs (personal digital assistants), do companies need to worry or is it all hype to sell more security software?
Users, analysts and even security companies agree that the threat of PDA viruses is low to nonexistent right now. First, the devices themselves aren't yet sophisticated enough to execute very complicated code, including malicious code. Second, at the moment, there isn't a large enough number in use to make it worth a hacker's effort. But perhaps this is the time when companies should start looking at how they will manage when PDA viruses do, inevitably, start to appear.
There have, so far, been very few instances of PDA-focused malware or malicious code, Laura Garcia-Manrique, a Symantec Corp. group product manager said.
"In August 2000, we saw the first examples: three trojans written for the Palm operating system (OS). Since then, there's been one virus, written for Windows with a combined payload that got delivered to the Palm when it was synched. But that's it. That's everything we've seen," Garcia-Manrique said. The combined virus was found in October 2001 and nothing has been seen since, she said.
But that doesn't mean management or users can be complacent, Garcia-Manrique said. Malicious code will be written for handheld devices as soon as the installed base of devices is big enough, "and I can see that happening probably within two years," and as the communications capacity of the devices grows, she said.
The concern about PDA viruses has changed, said Garcia-Manrique, in that in 2000 most of the concern was from users themselves, worried about what could happen to personal devices they had bought for themselves. Now many companies provide them for staff, and IT managers are looking at the effect they have on the network.
Mervyn Eyles, U.K. infrastructure manager at Honda Motor Company Ltd., said his company used to supply PDAs to staff, but stopped doing so some 18 months ago. Since then, he said, they just manage whatever devices staff choose to buy.
While Eyles recognizes the risks posed by viruses, "any mobile device brings the same risks. As do disks. We have a fair degree of confidence in our virus protection software, and it's already saved us from some big viruses," he said.