
Assume Your Laptop Will Be Stolen

IT and end users should plan for the worst when it comes to portable data and computing

Another wave of laptop thefts and losses is causing major headaches for enterprises this week. But experts say that in the end, technology can only solve part of the problem. (See Merrill Lynch ID Theft May Affect 33,000 and VeriSign Worker Fired After Laptop, Employee Info Are Stolen.)

Enterprises face plenty of potential downsides when a laptop's lost: public embarrassment, fines, a decline in share price, loss of customers, and damage to the brand name. But none of these possible penalties has stopped employees from losing their laptops -- as the latest headlines will attest. (See Recent Incidents of Data Loss and Boeing Rep Speaks Out on Laptop Thefts & Security.)

In addition to Merrill Lynch and VeriSign, other organizations have checked in during the last 10 days with these losses:

  • August 4: A computer was stolen from Kellogg Community Federal Credit Union with customers' Social Security numbers, names, and addresses.

  • August 3: Computers were stolen from Capital Health, including medical insurance cards, names, addresses, and hospital admission data of 20,000 patients.

  • August 2: Accounting firm E.ON reported a stolen laptop with employees' SSNs and birthdates.

  • August 2: Two hard drives were stolen from the University of Toledo. The devices contain student and staff SSNs, names, and grades.

  • July 28: A laptop was stolen from Yuba County Child Support Services in California with 70,000 names and SSNs.

New disclosure laws make such headlines a lot more common. Employees leave laptops in plain sight in parked cars, or set their computer bags down in an airport and forget to collect them again. Thieves and hackers target those with the telltale shoulder bags.

While security pros don't discourage continuous training and reinforcement of data handling and laptop policies, they also recognize the limits of "best practices" when protecting laptops, enterprise data, and the hapless user. Negligence can arise out of a moment's distraction, or from fatigue, illness, or inebriation -- all facts of life on the road or outside the office. (See How to Protect Your Precious PC Data: From Physical Security to Encryption.)

What can enterprises do? "A combo of technical and administrative controls will protect you from loss, but also help you keep your legal and regulatory obligations to protect customer data," said Eric Latalladi, CTO for JB Hanauer & Co., a financial services company in Parsippany, N.J.

By that, he means using server-centric applications wherever practical, which keeps company data off laptops.

But Latalladi also encouraged companies and IT departments to assume upfront that any given laptop will be lost or stolen. "Take the backwards approach and consider what data resides on your laptops, how people use them," and how a hacker or identity thief might exploit it, he said. "Work backwards to figure out ways to make it un-usable by unauthorized third-parties."

That could mean using biometrics-based authentication, or some of the auto-destruct software that corrupts a hard drive when improperly accessed.

Technology's a piece of the data theft prevention model, but there's an important policy and administrative piece too. "People also need to normalize data with regard to SSNs, dates of birth, mothers' maiden names on laptops," Latalladi said. "There's no useful function for that stuff to reside in a localized manner on a laptop. The applications don't need it." IT can create and enforce policies to prevent that sort of sensitive data from being copied or carried off premises.
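The inventory step described above, sketched as an added example (not from the article or from any vendor tool): a scan that counts SSN-shaped strings per file, so IT can see which laptops hold data that should stay on a server. The regex, the structural validity rules, and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# SSN-shaped tokens (3-2-4 digits, dash or space separated), not part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Apply the SSA structural rules to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return masked candidates (last four digits only) found in text."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def scan_tree(root):
    """Map each file under root to the number of plausible SSNs it holds."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable file: skip it, keep the inventory going
            if hits:
                findings[os.path.relpath(path, root)] = len(hits)
    return findings

def demo():
    """Scan a constructed sample tree (made-up data, not real records)."""
    samples = {
        "exports/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234 56 7890\n",
        "notes.txt": "Order 000-12-3456 shipped; call 555-867-5309.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "exports"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

The report carries only file paths and counts, and `find_ssns` masks all but the last four digits, so the inventory itself does not become another copy of the sensitive data.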

There's also the encryption piece. "Laptops and PDAs are as common as toasters and blenders," said Steve Stasiukonis, VP and founder of penetration testing firm Secure Network Technologies, East Syracuse, N.Y.

He says most of his clients recognize they have to do something a little more potent than a simple logon and password to access laptop data. "My customers know that full-disk encryption is a necessity if they have anything that leaves the office or goes into the field," Stasiukonis said. "They're all worried about recovering data in the event they have to get a machine back to its original state."

Stasiukonis also walks the walk. "I do full-disk encryption on my laptop and carry the [encryption] key on a separate device."

There are plenty of other familiar tactics to safeguard laptop computers:

  • Cabling, locks, and tie-down brackets secure a laptop to a desk or work area. Some even have alarms that sound if the machine is picked up or jarred.

  • Laptop lockers can be used in offices and cars; mobile carts that double as workstations and storage vaults are also on the rise.

  • Tagging external casings or internal components with tamper-proof plates makes it possible to add a barcode or serial number to each PC for inventory and tracking.

  • Tracking and auditing tools can transmit usage data in the event a stolen laptop connects to the Internet, or if an authorized user is engaged in suspicious computing activities.

As Latalladi observes, if you've got dozens of laptop users, eventually someone's going to lose one. There are plenty of technical options to calm IT staff, senior executives, and shareholders when it does occur. "Some kind of technical solution means everyone's going to be a lot more comfortable when a laptop gets lost."

— Terry Sweeney, Special to Dark Reading
