Convergence Q&A

Jan. 27, 2009

Laptop security definitely qualifies as a convergence topic. Laptop theft continues to be a periodic topic in the news with regard to high-profile losses relating to proprietary or privacy-regulated information. The theft is a physical action — the physical removal of property. The impact to organizations goes far beyond the replacement cost of the laptop, due to the consequences of the information loss.

Staggering Laptop Loss
A recent report from the Ponemon Institute (www.ponemon.org) discovered that more than 12,000 laptops are lost (not stolen but left behind) per week in U.S. airports. What is more surprising is that out of the 637,000 laptops that are left behind at airports in a year, just 33 percent are reclaimed by their owners. For the majority of the 426,790 unclaimed laptops, airports have no way of contacting their individual or corporate owners. A simple “if found call this number” sticker would enable airports to notify laptop owners.

I’m not recommending the taping of business cards to laptops for obvious security reasons. I’m just pointing out that thousands of companies are unnecessarily losing laptops and the data they contain, when simple measures could facilitate recovery. This situation also means that implementing laptop security is probably far more important than many companies realize.

The report theorizes that some employees report lost laptops as stolen, to avoid embarrassment and possibly being charged or otherwise penalized for the loss. Thus, it is important that policies regarding lost or stolen data devices be crafted with full consideration of their possible consequences, to avoid creating a conflict that pits self-interest against corporate security interest.

Many organizations do not yet have a strong laptop and PDA phone security program. Today there is no reason to take chances with company data, given that the technologies are available at reasonable costs.

I remember when one of my consulting colleagues enabled the police recovery of a brand new laptop purchased for a senior executive. It was recovered by the police within 24 hours of its theft, and the insider thief arrested, because the consultant had the client install LoJack for Laptops from Absolute Software, available from many sources, including Dell and Amazon.

Q: Who addresses laptop security in your organization, physical security or IT?

A: The IT department handles the configuration of laptops from an approved company disk image, which includes anti-virus and related security software. Investigation of laptop theft from on site is handled by the (physical) security department. For overseas travel, executives and sales personnel sign out special laptops that have no data on them, and which are checked for malware after they return. By policy, no sensitive data is to be stored on the laptops, but I think some of our people are more lax with that when traveling domestically using their personal laptop.
— Security manager, global high-tech company

A: Many of our personnel use their own personal laptops when traveling or working from home. The IT department checks the laptops initially to make sure that Windows is being updated, and that the anti-virus software is up to date. Network access is provided for a specified interval and then expires until the laptops are checked again. We are a small company with only a few dozen people who have laptop access to the network. IT seems to be on top of this pretty well.
— Security manager, U.S. manufacturing company

A: We are a private school whose teachers and some administrative staff have laptop and PDA access to our systems. We have the ability to wipe a PDA phone or laptop when it is turned on after a loss. I can’t imagine not having that kind of control over critical data.
— CISO, private secondary school

A: Our corporate executives and sales personnel leave their personal and corporate laptops and cell phones at home, and the company provides them with special cell phones and laptops for their trips that do not contain any corporate or personal data. These devices are configured with strong security, and are wiped clean immediately upon return.
— Corporate security director, global manufacturing company

New Question:

Q: Are IT and Physical/Corporate security on the same page with regard to convergence concepts?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.