Small devices, big challenges: handhelds present insurers with an assortment of new risks. But new technology is now helping many of them protect against the worst were it to happen

Risk & Insurance, March 3, 2003 by Joan Herbig

Claims adjusters at the scene of an accident know there is nothing more important than recording data accurately and making sure it is communicated back to the home office quickly. More and more these days, field agents rely on their mobile devices to record critical information on the scene and to download forms and records from headquarters--often while events are still unfolding.

Although insurance companies have deployed mobile technology to keep field agents effective, the onslaught of mobile devices can be a headache for the unprepared insurance information technology professional. The question, therefore, is not whether data stored on mobile devices can be compromised or lost, but how insurance companies will prevent that from happening and how they will recover data when the worst happens.

Mobile technology has become an industry staple that is predicted to grow in the coming years. The Gartner Group estimates that by the year 2005, 40 percent of corporate data will reside on handheld devices. However, insurance providers must understand that keeping pace with mobile technology is far more involved than simply deploying and supporting devices. In the insurance industry, the security and confidentiality of customer data is paramount and, as a result, the responsibility for growing mobile deployments is immense. The cost of replacing a $600 device pales in comparison to the costs of leaked private insurance records.

Into the Wrong Hands

Until recently, handheld devices were little more than glorified address books. Loss or theft of the information they contained was inconvenient, but not disastrous. Now, however; personal digital assistants (PDAs) and smart phones! pagers-including devices by Pocket PC, Palm, RIM Black Berry and Symbian--boast enough computing power to run full-fledged corporate applications. Many can tie directly into the local area network (LAN) via a wired or wireless connection, freely exchanging business data with the server. They can then carry that data beyond the enterprise firewall-into the wrong hands. The risks are indisputable if not yet well publicized, and the wise system manager, vice president of IT or CEO would do well to prepare now to minimize those risks.

A new category of software makes this possible, allowing handhelds to be managed and protected just as LANPCs are. With this software, called mobile infrastructure technology, network administrators are able to:

* Defend handheld devices against unauthorized access;

* Deter or prevent intentional information theft;

* Recover lost data and make it possible for the affected user to get back to work.

By extending administrative oversight to handhelds, the enterprise is able to minimize data loss, as well as unpleasant side effects, should disaster strike.

Security Concerns

Because handhelds can be tucked into a purse or a pocket and carried everywhere a user goes, they often are considered "private" tools, outside the corporate purview. This is certainly the case as long as the device is used to play electronic solitaire or keep track of wallpaper samples. In the insurance industry, much of the data that field agents access is extended confidentially and raises concerns of security. But the moment a user downloads data from the corporate network, the company gains a vested interest in protecting that data. In fact, a company that does not take steps to do so puts its business at risk.

Take the case of the insurance agent who lost his PDA at the scene of an accident. What if he hadn't turned on the password feature? (Most people don't.)

Any passerby could switch on the device and gain complete access to everything in its memory. The fate of all that private information is literally in a stranger's hands.

But let's say the agent's company had implemented a mobile infrastructure solution. On his way to the office, the agent calls the IT administrator from the car and lets him know the device is lost. If the device uses a wireless connection to the network, the administrator can simply connect to the device and lock it down (i.e., turn on the password protection). He can also download a message to the lockdown screen explaining how to contact the device's owner.

For devices that depend on a wire-line connection (or if the device is located outside the wireless coverage area), remote lockdown is still possible, if not immediate. When an unrecognized user tries to connect to the Internet, the corporate server automatically detects the attempt and locks down the device.

In addition, if a device belongs to a wireless network, it is possible to determine the communication tower closest to its location. This information may jog the memory of a user who hasn't a clue where he left his device.

Preventing Information Theft Sending a lockdown command from a remote location effectively prevents the casual finder from viewing data on the device. But some "finders" may actually be savvy thieves who know how to hack a password or retrieve data via the infrared or serial port. As always, foiling determined hackers requires stronger measures than shielding data from random eyes.