If a company allows users to purchase their own PDAs, however, IT should at least establish a short list of supported models and standardize the way they interface with the network. Mark Margevicius, a Cleveland-based research analyst at Gartner, recalls one incident where a student hired to do network administration decided to synchronize the address book on his PDA with the one on the company network and replaced the e-mail directory with his own, affecting thousands of users. "Even if you can't control the device, you can control how it accesses your data," says Margevicius, adding that CIOs may also require users to acknowledge that some of the information on the device belongs to the company. Synching PDAs through the network also lets IT track what has been downloaded where.
A statement regarding PDA usage can be incorporated into existing security policies, which often consist of commonsense advice along the standard lines -- change passwords often, don't leave them on sticky notes near your computer, watch your laptop while going through airport security, remember that others can see your screen if you use your laptop in a public place. The policies are usually given to employees who have just received a mobile device or to new hires. Users may be required to sign them and perhaps acknowledge that adherence is considered during evaluations. As RFG's Braunstein points out, "The organization has the right to say, 'This is your device, this is what you are allowed to access, and you are not allowed to do anything else. Failure to follow this will result in termination.'"
Some companies, however, are looking for ways to make security awareness more ongoing. EDS, a Plano, Texas-based global IT services provider -- where about 80 percent of the company is considered mobile -- is in the process of implementing a security awareness course that all employees will go through each year, says Terry Milholland, CIO and CTO at EDS. Rather than having the information filed away in an employee handbook, "you'll have to go to a website and acknowledge the fact that you've read the material," Milholland says. "It gets rid of the argument that 'no one ever told me.'"
The main challenge for CIOs, however, is creating an environment where people want to exercise caution, never mind the rules. It's not easy. After all, even Secretary of State Madeleine Albright, embarrassed over security problems in her department, including the disappearance of a laptop containing sensitive data, had to lecture her staff about the importance of safeguarding the nation's secrets. "We cannot and should not suggest that those responsibilities somehow interfere with the performance of our jobs," she told employees last May. "Security is an inherent, inextricable and indispensable component of all our jobs."