Vulnerabilities / Threats
12/2/2010
03:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Lost Laptops Cost Billions

An Intel-sponsored study finds that organizations fail to grasp the risk of lost laptops.

The study happens to note that while 46% of laptops were reported to contain sensitive data, only 30% of them had disc-based encryption, only 29% had been imaged for backup, and only 10% had anti-theft features.

Intel was also present as an example of what can be achieved through best practices. Intel chief information security officer Malcom Harkins revealed that Intel, out of 87,000 laptops, only loses about 700 per year. That's five to ten times less than the average loss rate at the companies surveyed.

Harkins said that as Intel shifted its focus toward mobility in the late '90s, the company made a concerted effort to build business processes that fostered security and encouraged employees to take responsibility for safeguarding their laptops. He added that Intel tries to be fairly permissive about allowing employees to store personal information on their laptops, which he said encourages a sense of ownership and responsibility. Acknowledging that some information security professionals see the mingling of personal and professional data as a risk, he said, "I think it helps more than it hurts."

Harkins added that one problem in dealing with the issue is that security teams tend to want to keep quiet about lost laptops and lost data. He said he understood that impulse but insisted that being open can help people recognize the risk of losing laptops.

"The biggest vulnerability we all face today is misperceiving risk," he said.

Kevin Beaver, an independent security consultant and expert witness with Principle Logic, offered an example of this misperception. He observed that companies spend significant sums to protect themselves from SQL injection attacks but fail to invest in laptop tracking or remote data wiping capabilities.

"Laptops are always the greatest risk in any given security assessment, more so even than smartphones," he said, noting that laptops simply have more data on them.

According to the study, the places where laptops are most likely to be lost break down as follows: off-site locations (43%), while traveling (33%), and inside the workplace (12%). And 12% of the time the location of the loss is unknown.

Laptops are stolen most often when people travel with them. Ponemon observed that security checkpoints are the place where laptops are most frequently lost. Diluting the irony, he added that security checkpoints are also where travelers recover lost laptops most often.

To underscore the need for organizations to manage laptops carefully, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years.

"She claimed she wasn't really that careful with laptops because the only way she could get a better one was to lose it," he said.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.