Once upon a time in the corporate kingdom, laptop computers were chunky, clunky, heavy and improbably portable. With limited memory and hard disk capacity, they were considered innovative devices that were expensive, limited in capabilities, and highly unpopular.
Now laptops are relatively small, lightweight, and have tremendous disk capacity and memory, and it seems that every corporation provides them to some employees. But while portability is the greatest attribute of the laptop, it is also its greatest weakness. With the increase in portability and capacity of the laptop has come an increase in loss and theft of both the computers and their data.
Gartner claimed in 2002 that the chances of a laptop being stolen were one in 10. The Privacy Rights Clearinghouse reported last month that 40% of reported private-sector data breach events in 2006 were due to laptop theft. The smaller laptops get, the easier they are to slip into a handbag, briefcase or shopping bag unnoticed. They are also easy to leave behind.
In addition to thieves, companies face human nature. Roy Stephan, director of cyber security for IT solutions provider Intelligent Decisions, warns corporations to remember that employees' negligence can be as big an issue as theft. “Even if devices aren't stolen, people lose stuff,” he said. “The smaller and more portable devices become the greater the chances of them getting left behind and lost.”
The Cost of Loss
To the corporate entity, laptop theft and loss become fiscal problems. FBI statistics show that 97% of stolen or lost laptops are never recovered. That means one loss probably amounts to between $400 and $1500 down the drain, just in cost of the physical device. But corporations need to worry about more than the laptop itself. They need to address the security of the data on the device.
Gary Bradt is an IT professional and a military veteran whose personal information was on a laptop stolen last year from the U.S. Department of Veterans Affairs. As vice president of the biometric division at Silex Technology, Bradt was acutely aware of the significance of such a loss. According to him, a biometric solution such as a fingerprint reader could have secured the data on the laptop. However, the government had not invested in that type of solution.
“Cost is always a big factor in making security decisions,” said Bradt. “Too often companies and agencies try to cut corners and economize by not spending the money necessary to secure their laptops. They frequently wind up suffering losses that are much more expensive than the security measures would have been due to the value and significance of the data being compromised or lost when their laptop disappears.”
Eric Hay, director of worldwide engineering for Credant Technologies, said, “Security has always been a nice thing, but not an essential requirement. Once the VA's stolen laptop became a headline news item, the federal government reevaluated its situation and decided that appropriate security is a necessity.”
Corporations should learn from the government and implement protections before their information can be compromised. So how can corporations and their modern road warriors protect their laptops and vital company data from clever, sticky-fingered, fleet-footed thieves?
Educate and Equip Employees
One crucial step in protecting mobile data is educating laptop users on how to care for their portable machines. Companies should request or require, to the extent possible, that users take appropriate care to physically protect their laptops when out of the office. Recommended measures could include the following:
- Store only essential data on laptops.
- When sitting with the laptop not in use, wrap the laptop case strap around one ankle.
- Use a brightly colored laptop case, briefcase or handbag to carry the laptop. This will make it more noticeable and more difficult to steal quietly.
- Never leave a laptop locked in a parked car. If for some reason it's absolutely necessary to do so, lock the laptop in the trunk.
- Look for and use devices such as laptop cases with built-in motion detectors that can be armed when the user puts the case down.
- In a hotel room, use a cable lock to tether the laptop to a strong immovable and unbreakable object. Most laptop manufacturers are including a universal security slot in their laptops to accommodate this. Another option is to leave the laptop in the hotel safe.
- Eject and lock up PCMCIA NIC cards.
- Store flash drives and backup media separate from the laptop.
- Assign a complex password to prevent anyone who finds or steals a laptop from accessing the data.
- Encrypt the data on your flash drive, removable media and external devices.
Use Due Diligence
By implementing physical and application security measures in all corporate laptops, your company can do its part to protect data even if theft does occur. We've compiled some options:
- Document, publish and implement comprehensive laptop security policies.
- Give access to data only to individuals who actually need access.
- Purchase and install biometric fingerprint readers for corporate laptops, or purchase laptops that come equipped with such readers as a standard feature.
- Alternatively, use a token that requires non-biometric two-factor authentication, such as RSA or Privaris.
- Use a hardware/software solution like the Caveo Anti-Theft Card from Caveo Technology. It consists of a hardware motion detector that fits either directly on the motherboard or in PCMCIA slots. Once tripped, the motion detector sounds a loud alarm while the software component makes the hard drive inaccessible.
- Use a permanently affixed docking station, anchor pads or anchor plates in the office to anchor the laptop securely on a desk or table.
- Use the laptop manufacturers' BIOS protection schemes that involve setting a password to provide some protection of the data on the hard drive.
- Use separate software application packages that require additional passwords for application-level access.
- Enable data encryption on the file system, the hard drive, and/or corporate servers.
- Utilize antitheft tracking software from companies like Absolute, SecureIt, Xtool and ZTrace. These products enable a laptop to regularly use a trace signal to check in with an agency tracking center.
- Disable the Guest Account.
- Rename the Administrator Account. Amateur thieves won't know what to do and professionals will at least be inconvenienced.
- Create a dummy Administrator Account with an extremely complex 10-character password.
- Disable the Infrared Port on the laptop.
- Configure laptops on the corporate network to back up onto a corporate or rented server.
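The three local-account items in the list above (disable Guest, rename Administrator, create a dummy Administrator) can be checked with a short audit script. This is an added example, not part of the original article; the function name `Test-LaptopAccountHardening`, its parameters and the sample accounts are hypothetical, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets.

```powershell
# Added example: audits the local-account items from the list above.
function Test-LaptopAccountHardening {
    param(
        # Accounts to audit; defaults to the local accounts on this machine.
        [object[]]$Accounts = (Get-LocalUser),
        # SIDs of members of the built-in Administrators group (S-1-5-32-544).
        [string[]]$AdminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544' |
                                ForEach-Object { $_.SID.Value })
    )
    # Built-in accounts keep fixed RIDs even after a rename:
    # 500 = Administrator, 501 = Guest.
    $builtinAdmin = $Accounts | Where-Object { "$($_.SID)" -match '-500$' }
    $guest        = $Accounts | Where-Object { "$($_.SID)" -match '-501$' }
    # The decoy is an account *named* Administrator that is not RID 500.
    $decoy = $Accounts | Where-Object {
        $_.Name -eq 'Administrator' -and "$($_.SID)" -notmatch '-500$'
    }
    [pscustomobject]@{
        GuestDisabled       = ($null -ne $guest) -and (-not $guest.Enabled)
        BuiltinAdminRenamed = ($null -ne $builtinAdmin) -and
                              ($builtinAdmin.Name -ne 'Administrator')
        DecoyAdminPresent   = $null -ne $decoy
        # A decoy with real privileges is just a second admin account.
        DecoyUnprivileged   = ($null -ne $decoy) -and
                              ("$($decoy.SID)" -notin $AdminSids)
    }
}

# Constructed sample data (not from a real machine): a laptop configured
# as the list recommends.
$sample = @(
    [pscustomobject]@{ Name = 'corp-svc-7';    SID = 'S-1-5-21-1111-2222-3333-500';  Enabled = $true  }
    [pscustomobject]@{ Name = 'Guest';         SID = 'S-1-5-21-1111-2222-3333-501';  Enabled = $false }
    [pscustomobject]@{ Name = 'Administrator'; SID = 'S-1-5-21-1111-2222-3333-1001'; Enabled = $true  }
)
Test-LaptopAccountHardening -Accounts $sample -AdminSids 'S-1-5-21-1111-2222-3333-500'

# On a real laptop, call it with no arguments to audit the live accounts:
# Test-LaptopAccountHardening
```

Because the check keys on the RID rather than the account name, it also shows why renaming only inconveniences a thief: the built-in account remains identifiable by its SID.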
Solutions for securing the laptop computer and data are plentiful. Success depends on security being taken seriously and flexibly integrated with existing hardware and software while allowing for future expansion. As the technology front changes, security policies and procedures need to be modified and workers educated about dealing with security threats and breaches. Currently, the difficulty of securing data in motion appears to be driving the industry in the development of new products for the business arena. Functional and successful security for the laptop is a combination of alertness, astuteness and awareness of the accessibility and applicability of new solutions, applied aggressively to evolving security problems.
D.E.Levine, CISSP, CFE, FBCI, CPS, is a contributing editor to ST&D, co-author of several security books and can be reached by e-mail at firstname.lastname@example.org.