Malware Goes Mobile

A holistic approach that protects the entire environment, from the PDA to the gateway, with a comprehensive antivirus strategy, is the surest way of managing risk to the business.

In an ever-evolving world of complex computer security risks, it's not surprising that one of the most common questions asked of any emerging platform is, "Should I be worried about viruses?" This has certainly been the case with wireless devices, such as PDAs and mobile phones, but unlike with any computing platform before them, we appear to lack a clear-cut "yes" or "no" answer.

Malware, short for malicious software, remains one of the greatest digital risks affecting all computer users. Every computer system connected to the Internet, from global enterprise networks to your home PC, is a potential victim of a damaging computer virus, sneaky backdoor Trojan horse program, or a fast-moving worm.

Does this mean our trusty PDA or feature-rich mobile phone is just as threatened? A quick review of recent history reveals there is little to be concerned about - on the surface.

In fact, a limited number of wireless device malware attacks are known to exist. For PDAs, the virus "outbreak" wave peaked in 2000, going from zero to three, when a few simplistic threats against Palm OS-based devices were discovered by the antivirus research community. In August of that year, technology press headlines proclaimed the discovery of the first "Palm virus" when a utility circulating on the Internet masquerading as a crack - a tool to avert the legitimate licensing of an application - for a popular GameBoy emulator turned out to be destructive, wiping the PDA clean.

This Trojan horse program, called PalmOS/Liberty.A, was quickly followed by the appearance of two more threats - PalmOS/Vapor.A, another Trojan, and a virus dubbed PalmOS/Phage.A. The trio of Palm OS-based malware made the traditional media rounds before disappearing promptly into the ether. Their impact was minimal, since none of the three propagated on its own and for many, repairing an infected Palm device was as simple as a trip to the HotSync cradle for an automatic refresh.

A side effect of all this was the rapid development and marketing of several new device-resident antivirus scanners that could protect a PDA from viruses without the intervention of a companion PC.

Since then all has been quiet on the PDA malware front with other device platforms like Microsoft Pocket PC, Symbian OS, and BlackBerry escaping unscathed.

It has been even quieter for mobile phones. Yes, some of the provider networks suffered denial-of-service (DoS) attacks, but these mostly consisted of malformed SMS (Short Message Service) messages that exploited bugs in basic mobile phone operations, rather than being a "true" virus attack.

A 2001 incident on Japan's NTT DoCoMo i-mode network is among the few examples of a pseudo-virus outbreak that has affected mobile phones. That June, the mobile phone carrier issued a warning to 24 million of its subscribers regarding a particular e-mail message with the ability, upon opening, to command the recipient's phone to dial "110", Japan's equivalent to the U.S.'s 911 emergency services number. The damage was small, with only a few mobile phone users being questioned by the authorities for making false calls to the police.

Although the apparent risk is low, it's important to make sure we are not turning a blind eye to wireless devices just because there are a limited number of viruses that have been found targeting them.

A recent IDC report on mobile security software forecasts secure content management (which is largely composed of antivirus technologies) as the largest growth space in this arena, reaching $576 million by 2007.

The reasoning behind this is that as mobile devices become more prevalent and are packed with greater processing power and wireless capabilities, they will become a more enticing target for virus creators. This can be especially true as more of these Swiss Army knife-type devices, those that combine PDA operating systems with mobile phones, become even more common.

For the vast majority of enterprises, wireless devices are infrastructural orphans in the eyes of security administrators, since few organizations have "officially" provisioned company PDAs for their user communities. For those that do, few have accounted for them in the creation and enforcement of corporate-wide security policies.

Information assailants seeking to leverage this reality will not necessarily attempt to infect or attack the wireless devices directly, but instead exploit them as a "back door" or "attack vector" into the enterprise. In essence, if an attacker can compromise a PDA, the corporate intranet can be nailed with a malware blast when that device "synchs" to the companion PC or establishes a VPN connection. The last thing a user wants to do is allow a wireless device to be the proverbial cannonball over the firewall.

Mitigating the risk of business interruption from a malware attack requires a holistic approach that protects the entire environment, from the PDA to the gateway, with a comprehensive antivirus strategy. By employing antivirus scanning at every tier of the network, you can immediately respond to an outbreak no matter where it rears its ugly head.

Adopting this approach, especially as an integral part of the corporate security policy, enables IT security administrators to be alerted when a rogue operation is attempted from a wireless device, instead of discovering it after the damage has been done.

However, security risks associated with wireless devices don't start and stop with malware. For enterprises to securely embrace and profit from the extensive capabilities of wirelessly enabled business, they must look at the larger process of wireless device security management. Otherwise, there's a risk of succumbing to a false sense of security by just installing an antivirus scanner on their PDA or mobile phone.

As mentioned earlier, for many organizations, wireless devices are still personal tools, acquired and maintained by the end users themselves. When looking at the bigger picture, wireless device security management needs to encompass not only protection against digital menaces like viruses and Trojans, but also the allocation of wireless devices and provisioning of user access; the security of the entire pipeline of access to wirelessly enabled business services; and a complete view of the part the wireless components play in the organization's overall security management process. In short, enterprises need to provision, protect, and monitor their entire wireless environment.

By incorporating wireless device deployment as part of the enterprise's provisioning practice, it will be much easier for IT security administrators to manage access from these devices to the network. Additionally, it will be possible to account for devices that are lost or stolen, reducing the risk of rogue access.

Next, by protecting the pipeline between the wireless device and the back-end services, a virus attack or other malicious intrusion seeking to sneak past the traditional boundary security mechanisms can be identified, contained, and removed before causing any harm. This holds true even if the attack vector is the synchronization process with the companion PC.

Lastly, enterprises need to monitor the activity between wireless devices and the rest of the network as part of the overall security information management practice. PDA and mobile phone access activities and security event data should be collected and correlated with the bigger enterprise security picture in mind. Then, IT security administrators can attain greater operational awareness and, more importantly, identify and respond to attacks in progress much faster.

By now there should be a more transparent answer to the question, "Should I be worried about viruses?" Are wireless devices the next major target for malware threats in your enterprise? Chances are the response is "yes," if we fail to apply the lessons learned at the other tiers of our infrastructures. Holistically securing these newest additions against that ever-evolving complexity of computing threats is the surest way of managing risk to the business. Only then will wireless technology be successful as the next killer app in today's enterprises.
