In this issue, we discuss the problems surrounding lost or stolen computers, and some
tools and techniques available to protect against financial and reputation risk.
It is unlikely that any business in America does not have at least a handful of laptop computers.
Many sales departments use them exclusively because of their ability to bring impressive amounts of information right into
the offices of the prospects.
This portability, coupled with the large amounts of data
they can contain, presents a number of security issues. While this has been recognized for many years, little has been done
to secure these devices.
Over 600,000 laptops are lost or stolen in airports alone each
year. What is worrisome is that most have no protection of the data contained on their drives.
About 77 percent of people surveyed said they
had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn't do anything if they lost
their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65
percent taking no steps to protect the information.
The typical reason that
is given for leaving hard drive information unprotected is inconvenience. It's too hard to encrypt. It's too hard
to decrypt. It's too hard to remember the correct passcodes.
Consider the impact on your
company if customer information is accessed from a stolen laptop, and your defense is, “It was too hard to protect.”
That's not going to go very far in enhancing your reputation for safety to your customers or regulators.
There are simply too many options available to laptop users to put your business at risk. Consider Whole Disk Encryption,
which encrypts all information saved to the hard drive. Your laptop users don't have to think about what information to
encrypt or where to store the data. Everything is encrypted. It is all decrypted when the user keys in their password to start
If traveling overseas, consider somewhat more sophisticated techniques. It
is now common practice for customs officials (US and foreign) to request access to laptops to review for any terrorist-related
information. If you don't grant the access, they can and will seize your computer. Certain free or inexpensive programs
allow you to hide encrypted data from anyone searching your drive.
If your security policies
and practices for laptops – or any other mobile devices like PDAs or pocket drives – do not require the encryption
of non-public information, you are needlessly placing the reputation of your business at risk.
The financial risk is obvious. Beyond the potential for lawsuits resulting from lost or stolen information,
it is highly unlikely any of these customers will use your services ever again. Ask yourself: Would YOU use a
business that lost your sensitive personal and financial information, or had it stolen?
For consideration: Who is authorized
to possess portable, non-public customer information in your company? How can you quickly deny that access? Can you restrict
the ability of the users to copy the information they possess? Do your policies and procedures restrict the amount of information
provided for a specific task, or is your access policy 'all or nothing'? Has your Enterprise Risk Management program
quantified the value gained by portability versus the risk involved?
Laptops Lost Like Hot Cakes at US Airports