Your CEO, exposed!

Paris Hilton’s wayward handheld can teach us all a lesson about the security of mobile devices

On a recent business trip with a couple of colleagues, I learned that my otherwise sober workmate had a special fondness for trashy tabloids like Star Magazine and Us Weekly. When offered a glance at these publications on a long cross-country flight, I firmed my grip on my New Yorker and kept my Harvard Business Review at the ready. I would have none of this Brad-and-Jen prattle. I sneered at celebrity garbage, resting comfortably in my superiority to “journalists” who depend on the antics of the rich and famous for their livelihood.

Thank goodness my weekly column focuses on the trials and tribulations of real IT professionals with real concerns instead of Paris Hilton.

That being said, with deep reluctance, I am obligated to extend coverage of Paris Hilton to the world of enterprise IT. If you missed the “news,” Hilton’s T-Mobile Sidekick handheld was compromised, and revealing photos as well as embarrassing text messages ended up being posted on the Internet, along with cell phone numbers and e-mail addresses of prominent celebrities. As expected, T-Mobile remains tight-lipped about exactly what happened while it investigates, but theories range from a malicious hacking job to the oldest approach in the book, social engineering (that is, she may have given someone her password). Based on my own experience with user-generated passwords, I wouldn’t be all that surprised if her password was “Tinkerbell,” the name of her treasured pet chihuahua. (Don’t ask me how I know the dog’s name.)

Paris Hilton’s Sidekick could have been your CEO’s BlackBerry or your vice president of sales’ Treo. Each of these devices and associated services is different in nature and would require unique approaches by mischief-makers intent on compromising them, but they all have one thing in common: lots of key personal information is flung far from the comforts of centralized IT management. By their very nature, mobile devices roam anywhere and everywhere a user goes, and no one would carry them around if they didn’t hold important data such as e-mail and phone numbers. For Paris Hilton, that critical data included Lindsay Lohan’s cell phone number, but for your CEO, it might be the terms of a highly sensitive business deal or the confidential details of a thorny employment situation. Mobile devices are critical business tools and their basic security must be integrated into IT management strategy.

At one time, IT managers could simply refuse to support mobile devices, but that genie is out of the bottle. Most business executives have compelling reasons to ask for handheld support from IT -- and frankly, if executives can’t get handheld support from their own IT departments, watch your back for the outsourcers who can and will do it.

Now that most IT managers accept that mobile devices are here to stay, they must educate users on basic security measures, because when it comes to mobile device security, users are the primary gatekeepers. For example, several members of the InfoWorld executive team use Treos. Until I started writing this column, I myself hadn’t gotten around to using its most basic security feature, one that’s disabled by default: a simple mechanism to lock the device when not in use that requires a password to unlock it. Mobile users must enable this level of security at the very least. Just don’t make your password “Tinkerbell.”