A statement regarding PDA usage can be incorporated into existing security policies, which often consist of commonsense advice along the standard lines—change passwords often, don’t leave them on sticky notes near your computer, watch your laptop while going through airport security, remember that others can see your screen if you use your laptop in a public place. The policies are usually given to employees who have just received a mobile device or to new hires. Users may be required to sign them and perhaps acknowledge that adherence is considered during evaluations. As RFG’s Braunstein points out, "The organization has the right to say, ’This is your device, this is what you are allowed to access, and you are not allowed to do anything else. Failure to follow this will result in termination.’"

Some companies, however, are looking for ways to make security awareness more ongoing. EDS, a Plano, Texas-based global IT services provider—where about 80 percent of the company is considered mobile—is in the process of implementing a security awareness course that all employees will go through each year, says Terry Milholland, CIO and CTO at EDS. Rather than having the information filed away in an employee handbook, "you’ll have to go to a website and acknowledge the fact that you’ve read the material," Milholland says. "It gets rid of the argument that ’no one ever told me.’"

The main challenge for CIOs, however, is creating an environment where people want to exercise caution, never mind the rules. It’s not easy. After all, even Secretary of State Madeleine Albright, embarrassed over security problems in her department, including the disappearance of a laptop containing sensitive data, had to lecture her staff about the importance of safeguarding the nation’s secrets. "We cannot and should not suggest that those responsibilities somehow interfere with the performance of our jobs," she told employees last May. "Security is an inherent, inextricable and indispensable component of all our jobs."

Across the pond—where last March a British spy left a laptop with top-secret information in a tapas bar and another agent’s laptop was snatched in a London train station—an executive at BG Group echoes Albright’s statement about security awareness. "It’s a cultural thing," says Tom O’Connor, head of knowledge management systems at the U.K.-based energy company, where 220 senior executives around the world have been issued PDAs to supplement their laptops. "We tell people, ’Treat it as if it’s your personal piece of property. Look after it as if it’s your wallet.’"