Convergence Q&A

Laptop Security


Laptop security definitely qualifies as a convergence topic. Laptop theft continues to be a periodic topic in the news with regard to high-profile losses relating to proprietary or privacy-regulated information. The theft is a physical action — the physical removal of property. The impact to organizations goes far beyond the replacement cost of the laptop, due to the consequences of the information loss.

Staggering Laptop Loss
A recent report from the Ponemon Institute (www.ponemon.org) discovered that more than 12,000 laptops are lost (not stolen but left behind) per week in U.S. airports. What is more surprising is that out of the 637,000 laptops that are left behind at airports in a year, just 33 percent are reclaimed by their owners. For the majority of the 426,790 unclaimed laptops, airports have no way of contacting their individual or corporate owners. A simple “if found call this number” sticker would enable airports to notify laptop owners.

I’m not recommending the taping of business cards to laptops for obvious security reasons. I’m just pointing out that thousands of companies are unnecessarily losing laptops and the data they contain, when simple measures could facilitate recovery. This situation also means that implementing laptop security is probably far more important than many companies realize.

The report theorizes that some employees report lost laptops as stolen, to avoid embarrassment and possibly being charged or otherwise penalized for the loss. Thus, it is important that policies regarding lost or stolen data devices be crafted with full consideration of their possible consequences, to avoid creating a conflict that pits self-interest against corporate security interests.

Many organizations do not yet have a strong laptop and PDA phone security program. Today there is no reason to take chances with company data, given that the technologies are available at reasonable cost.

I remember when one of my consulting colleagues enabled the police recovery of a brand new laptop purchased for a senior executive. It was recovered by the police within 24 hours of its theft, and the insider thief arrested, because the consultant had the client install LoJack for Laptops from Absolute Software, available from many sources, including Dell and Amazon.

Q: Who addresses laptop security in your organization, physical security or IT?

A:

The IT department handles the configuration of laptops from an approved company disk image, which includes anti-virus and related security software. Investigation of laptop theft from on site is handled by the (physical) security department. For overseas travel, executives and sales personnel sign out special laptops that have no data on them, and which are checked for malware after they return. By policy, no sensitive data is to be stored on the laptops, but I think some of our people are more lax with that when traveling domestically using their personal laptop.
— Security manager, global high-tech company

A:

Many of our personnel use their own personal laptops when traveling or working from home. The IT department checks the laptops initially to make sure that Windows is being updated, and that the anti-virus software is up to date. Network access is provided for a specified interval and then expires until the laptops are checked again. We are a small company with only a few dozen people who have laptop access to the network. IT seems to be on top of this pretty well.
— Security manager, U.S. manufacturing company

A:

We are a private school whose teachers and some administrative staff have laptop and PDA access to our systems. We have the ability to wipe a PDA phone or laptop when it is turned on after a loss. I can’t imagine not having that kind of control over critical data.
— CISO, private secondary school
