Controlling Your Company's Computer Assets

Two years ago, long before I joined the staff of SecurityInfoWatch.com, I was working in a small publishing firm in a northern suburb of Atlanta. We were on the ground floor in a small office building that was shared with a number of other companies. This building was a lot like a lot of the office buildings built in the early 1990s in Atlanta. It had floor-to-ceiling double-paned glass windows, lots of landscaping, a simple prox card access control system that only controlled one of the doors into the building, and of course, it backed up to a small hill covered with trees.

On one springtime Saturday night, thieves struck our offices. The evidence suggested that the thieves parked some sort of van, truck or SUV nearest the side that backed up to the woods, then used a blunt object to smash out the glass of the CEO's office, and entered the office. Being a weekend after a heavy sales period, all of our computers and laptops were at the office. The sales staff was having a short break and all but one of them had left their laptops on their desks...without cables or locks. Our graphics machines for designing our magazines were on their desks and all of our other staff members' machines were on their desks too. The thieves had a heyday. They grabbed all the available laptops, then cut cables and made off with our graphics machines, gained access to our other associates' offices and left with their machines, leaving only the office's two oldest computers, the one the CEO used and an old iMac that I had been using. And while they snubbed my machine for not being a computing powerhouse, they did manage to look in my unlocked cabinet and grab a professional camera rig that I often used at the office for photo shoots.

We found the wreckage on Sunday, and slowly pieced our work back together, made all the more difficult because of the fact that we had not backed up the laptops, and the graphics machines' back-up hadn't been run in a week.

I wish I could say that was the end of it. We did what most companies would do and had an alarm system installed. It was pretty basic. It used a door sensor (we had one door in and out) and motion sensors with your basic keypad. The idea was that if they came in the door, we'd know, and if they smashed the glass, we'd know because the motion sensors scanned the perimeter hallway of the office.

We had just completed all of our technology buys and it was probably fairly obvious to anyone who was casing the office that we were back up to speed. The insurance payout loaded us up with the latest machines. The alarm system, unfortunately, was still in its testing mode and wasn't set up for monitoring yet.

It was, therefore, a great time for the thieves to return. And return they did. It was almost the same operation: they smashed a window (this time it was in an office whose windows were a little further back into the woods), the alarm went off but nothing dialed out, and so they had plenty of time to go through and hand-pick the five or so top computers in the office. There was even another attempted break-in, but this time the alarm worked and the would-be thieves were scared away before they could steal anything. After that instance, we ended up adding a smash-resistant, blast-resistant covering for the windows as an extra precaution.

My coworkers and I felt very violated by the fact that someone could break in three times, and it took us an awful amount of work hours to recreate what was lost to the thieves. Sales contacts, articles for the magazines, graphic layouts, business plans, etc., it was all gone on the Toshibas and Macintosh computers that walked their way out of our lives.

So when I saw the news announcement that Absolute Software was installing firmware on some new IBM laptop computers to track stolen computers, it hit home.

It probably will hit home for you, as well. There are scores of incidents of computer theft that happen every day, and with today's laptops and desktops easily costing over $2,000 - and that's without the cost of reinstalling new software and the cost of the downtime - it's a theft that can hit your business hard. Take a few recent examples:

  • Wesley College, Australia: $120,000 in expensive laptops and other computer equipment stolen
  • San Jose Medical Group: two stolen computers, with loss of patient databases with social security numbers and medical information
  • Sikorsky Aircraft: loss of 20 or more computers, valued at $200,000, plus loss of proprietary information, software
  • Austin Public Schools: $500,000 in stolen high-tech equipment, much of it computers, by a theft ring

If those aren't enough to make you concerned, then just wait. It's likely one of your company's employees will be hit, whether it's an office break-in or a theft of a business traveler's laptop. And that's an expensive proposition. According to a 2002 report from the Computer Security Institute/FBI Computer Crime and Security Survey, a single laptop theft will result in an average business loss of $89,000, making the actual hardware just a fraction of the total cost.

SecurityInfoWatch.com recently spoke with Absolute Software CEO John Livingston to discuss computer loss, and according to Livingston, not all computer loss is directly attributable to computer theft.

"Companies are up against computer drift," says Livingston. "On average over two years, 15 percent of notebooks can't be returned after two years. Half of that is theft; half is computer drift."

Drift is what happens, he explains, when a computer is reassigned without any information recorded about to whom it was passed along. Some computers end up with other employees. Some end up at locations off the network such as at home. And some are loaned out to contractors, making it all the more difficult to find where the computer is.

But the theft portion of computer loss is even more dramatic - because it might mean that your company's data could end up in the wrong hands. So where are these thefts occurring?

"Most of the thefts that we see are happening internally," explains Livingston. "It's employees who are coming in and removing the machines."

The other thefts are typically crimes of opportunity, with laptops often stolen at airports and at hotels. Some of these losses are simply grab-and-go operations, but other losses can be simply attributed to forgetfulness.

Livingston gave some examples of today's theft operations, noting that a university fell victim to a theft where a truck was backed up to the location, and 30 PCs were ripped right out the walls, with the cables left dangling. In another instance, he says, a pizza delivery person, after dropping off the pizza at the business, stole numerous laptops that were left unattended in a boardroom where execs had been meeting. In another theft, an employee was found to be lifting up the modular ceiling tiles and stashing computer hardware in the ceiling for retrieval later.

By far, says Livingston, educational institutions are the ones most often targeted. With large banks of computers plus high-traffic areas with numerous students coming in and out of computer areas at all times of day and night, it's not hard to see why school computer labs could be an easy victim.

However, for school security and asset management directors there's an even tougher scenario. With the implementation of the No Child Left Behind Act, which encourages one-to-one computing where every student can have access to a computer and is often given a laptop to use, asset management reaches new heights of complexity.

Of course, while schools might be the most popular and easiest targets, it's often healthcare and financial institutions - which have to meet their respective HIPAA and Sarbanes-Oxley standards - that have the most to lose now that federal laws require strict control of data.

While some of that data loss can be secured with encryption, not all companies have made it to that level of advanced protection. Indeed, the recent loss of data tapes by Iron Mountain of unencrypted Time Warner data is a prime example. Until encryption is standard for all valuable, private or proprietary data, it's even more important to keep a tight grip on computer assets.

So, what can you do?

Besides the use of software or firmware like Absolute Software's Computrace that is set up to automatically report and track a stolen computer, you're most likely going to need to educate your employees and reassess your security plan.

Livingston, who hears about more than his fair share of computer thefts, says there are really some simple things that employees need to do:

  • When your employees go mobile, they have to keep their belongings in sight.
  • Vehicles are a prime target; remind staff not to leave laptops in vehicles.
  • Employees should be encouraged to take laptops with them once they leave a meeting.
  • Laptops and computers have slots for adding locks and cables - use them to eliminate the crimes of opportunity.
  • It's undoubtedly part of your security plan already, but unaccompanied visitors in a work area are a recipe for computer theft disaster.

Try as you might to change access control procedures and visitor management, it will only go so far, especially now that many computers live their lives "on the road." As Livingston notes, the real danger of computer theft today isn't the large-scale workstation thefts. Rather, it's the slow, continuous shrink of your laptop computers. A survey by Kensington in 2001 put the average number of laptops stolen from medium- and large-size companies at 11.65 per year. Multiply that by massive data recovery costs and the hardware costs, and it's surely something to make our industry wake up.
