Vulnerabilities / Threats
12/2/2010
03:50 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Lost Laptops Cost Billions

An Intel-sponsored study finds that organizations fail to grasp the risk of lost laptops.

The study happens to note that while 46% of laptops were reported to contain sensitive data, only 30% of them had disc-based encryption, only 29% had been imaged for backup, and only 10% had anti-theft features.

Intel was also present as an example of what can be achieved through best practices. Intel chief information security officer Malcom Harkins revealed that Intel, out of 87,000 laptops, only loses about 700 per year. That's five to ten times less than the average loss rate at the companies surveyed.

Harkins said that as Intel shifted its focus toward mobility in the late '90s, the company made a concerted effort to build business processes that fostered security and encouraged employees to take responsibility for safeguarding their laptops. He added that Intel tries to be fairly permissive about allowing employees to store personal information on their laptops, which he said encourages a sense of ownership and responsibility. Acknowledging that some information security professionals see the mingling of personal and professional data as a risk, he said, "I think it helps more than it hurts."

Harkins added that one problem in dealing with the issue is that security teams tend to want to keep quiet about lost laptops and lost data. He said he understood that impulse but insisted that being open can help people recognize the risk of losing laptops.

"The biggest vulnerability we all face today is misperceiving risk," he said.

Kevin Beaver, an independent security consultant and expert witness with Principle Logic, offered an example of this misperception. He observed that companies spend significant sums to protect themselves from SQL injection attacks but fail to invest in laptop tracking or remote data wiping capabilities.

"Laptops are always the greatest risk in any given security assessment, more so even than smartphones," he said, noting that laptops simply have more data on them.

According to the study, the places where laptops are most likely to be lost break down as follows: off-site locations (43%), while traveling (33%), and inside the workplace (12%). And 12% of the time the location of the loss is unknown.

Laptops are stolen most often when people travel with them. Ponemon observed that security checkpoints are the place where laptops are most frequently lost. Diluting the irony, he added that security checkpoints are also where travelers recover lost laptops most often.

To underscore the need for organizations to manage laptops carefully, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years.

"She claimed she wasn't really that careful with laptops because the only way she could get a better one was to lose it," he said.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.