In Issue 3...

Hardware Security - Lost Laptops?
   
Join Our Mailing List

In this issue, we discuss the issues surrounding lost or stolen computers, and some tools and techniques available to protect against financial and reputation risk.

 

It is unlikely that any business in America does not have at least a handful of laptop computers. Many sales departments use them exclusively because of their ability to bring impressive amounts of information right into the offices of the prospects.

This portability, coupled with the large amounts of data they can contain, present a number of security issues. While this has been recognized for many years, little has been done to secure these devices.

Over 600,000 laptops are lost or stolen in airports alone each year. What is worrisome is that most have no protection of the data contained on their drives.

About 77 percent of people surveyed said they had no hope of recovering a lost laptop at the airport, with 16 percent saying they wouldn't do anything if they lost their laptop during business travel. About 53 percent said that laptops contain confidential company information, with 65 percent taking no steps to protect the information.

The typical reason that is given for leaving hard drive information unprotected is inconvenience. It's too hard to encrypt. It's too hard to decrypt. It's too hard remember the correct passcodes.

Consider the impact on your company if customer information is accessed from a stolen laptop, and your defense is, “It was too hard to protect.” That's not going to go very far in enhancing your reputation for safety to your customers or regulators.

There are simply too many options available to laptop users to put your business at risk. Consider Whole Disk Encryption, which encrypts all information saved to the hard drive. Your laptop users don't have to think about what information to encrypt or where to store the data. Everything is encrypted. It is all decrypted when the user keys in their password to start their laptop.

If traveling overseas, consider somewhat more sophisticated techniques. It is now common practice for customs officials (US and foreign) to request access to laptops to review for any terrorist-related information. If you don't grant the access, they can and will seize your computer. Certain free or inexpensive programs allow you to hide encrypted data from anyone searching your drive.

If your security policies and practices for laptops – or any other mobile devices like PDAs or pocket drives – do not require the encryption of non-public information, you are needlessly placing the reputation of your business at risk.

The financial risk is obvious.  Other than the potential for lawsuits resulting from lost or stolen information, it is highly unlikely any of these customers will use your services ever again.  Ask yourself:  Would YOU use a business that lost or had stolen your sensitive personal and financial information?

Probably not.

For consideration: Who is authorized to possess portable, non-public customer information in your company? How can you quickly deny that access? Can you restrict the ability of the users to copy the information they possess? Do your policies and procedures restrict the amount of information provided for a specific task, or is your access policy 'all or nothing'? Has your Enterprise Risk Management program quantified the value gained by portability versus the risk involved?

More information;

Laptops Lost Like Hot Cakes at US Airports

Copyright 2014 Bison Risk Management Associates
[925] 658-4457
1145 2nd Street • #A251 • Brentwood, Ca • 94513