Sunday, November 9, 2008

Lost Laptops : Lost Data

Laptop computers are essential for organizations to make sure their employees have access to information they need wherever they are working…at home, in a meeting, or on the road. A lost laptop creates a two-dimensional problem. First, the laptop itself must be recovered or replaced. Second, and even more unsettling, is the prospect that critical information on the company, its plans, and its customers could have been lost as well.

This article looks at both types of losses, from a statistical and cost point of view. It also examines the internal and external factors that contribute to laptop theft. Who steals laptops? What motivates their actions? Why are companies targeted repeatedly?

Based on an extensive review of published research, the report explores the scope of the problem. A range of detailed solutions is offered. In a sample of worldwide jurisdictions, current legislative efforts impose new sanctions. Several product innovations may help to prevent thefts. Disrupting the ways thieves can unload their bounty is another deterrent. The appendices include exhaustive lists of physical, electronic, and procedural security enhancements, so organizations have specific ways to discourage or prevent thefts. The report encourages companies to set goals to counter laptop theft and then implement those goals through situational prevention techniques and the seven steps of loss prevention. Additional research could aid in preventing the theft of laptops and the data that resides on them. The report concludes with suggestions for further exploration by academic and corporate investigators.

Laptop computers are essential tools in today’s global economy. Employees at all levels, in all business sectors, must be mobile. They must have access to information whether they are at home, on a sales call, or in a hotel.

Because laptops are portable, they are highly susceptible to theft. The theft of business laptops and the loss of the confidential and proprietary information residing on them can occur when the user is in the office or on the road. Researchers have determined that 25% of laptops are stolen from the office or the owner’s car. Another 14% are lost in airports or on airplanes.

Laptop theft is a two-dimensional problem. On the surface, companies must devise ways to secure the actual devices from crafty thieves with easy access to pawnshops and fences. Even more sinister, the data on a stolen laptop has enormous value among the illicit networks that prey on unsuspecting consumers, or reap rewards from insider information. In their attempts to stay competitive in the world marketplace, companies cannot afford to overlook the seemingly insignificant loss of a laptop. Details on the scope of the problem, the high price of ignorance, and the determined thieves looking for loopholes will convince even the most ardent skeptic to take the actions recommended in this report.

Stolen laptops

The chance that a laptop will be stolen or lost during any twelve months is one in ten, according to a 2002 Gartner Group study. Estimates among industry analysts confirm the frequency with which laptops disappear. A 2004 InfoWorld article, for example, estimated that the annual number of stolen laptops ranges from 700,000 to 1 million. That same year, an Entrepreneur Magazine article used an FBI estimate to report that 1.5 million laptops had been stolen in 2004, a 50% increase from the year before. Both public and private sector organizations are at risk worldwide. In a 2006 report, the Committee on Government Reform noted that in the previous five years 1,137 U.S. Department of Commerce laptops had been lost, stolen, or reported missing. A 2006 Australian Computer Emergency Response Team survey of 17 industries found that 58% of the 389 respondents detected laptop thefts during the year of the survey. Between 2005 and 2007, 4,700 laptops were stolen from offices in Calgary, Canada, according to a 2007 survey by the Calgary Public Safety Committee of the Building Owners and Managers Association (BOMA). Medical, financial, oil and gas, legal, engineering, transportation, personnel, and property management industries were included in the study. Appendix A is a checklist that can be used to track a company’s laptop inventory and monitor how the laptops are being used.

Stolen confidential information

Statistics that measure the loss of business and personal information residing on laptops are even more alarming. A 2006 Ponemon Institute survey found that 81% of the U.S. companies studied reported the loss of one or more laptops containing sensitive information in a twelve-month period. The computer security Web site, www.attrition.org, includes an extensive list of laptop and data thefts. In early 2008, the site reported more than 900 data breaches yielding 310 million records.

Lost productivity

Productivity is the first victim of a stolen laptop. Should an employee lose his or her laptop, that employee’s ability to work is compromised, often for days. At one company, for example, eight laptops used by key employees were stolen, including those in the firm’s finance and engineering departments. It took three days for replacement units and back-up data discs to be found before the business could resume operations.

Recreating data

Depending on a company’s data back-up practices and its use of a central server for data storage, data may be replaced in a few minutes—or be lost forever. In developing adequate data replacement and recreation strategies, company executives must resolve many questions, such as what procedures must be developed to ensure that important data is secured, as well as how quickly it can be replaced or retrieved, and at what cost.

Lost business

When customers learn of a data breach, their faith in the company incurring the loss can be shaken. They may shift their business to competitors. According to the 2007 Ponemon survey, data breaches exposing customer data can cost a company $128 in lost business, per victim. In a similar Ponemon study conducted in 2005, researchers found data breaches seriously affected corporate reputation, corporate brand, and customer retention. When notified of a breach, almost 20% of customers terminated their relationship with the company. Another 40% considered termination.

Internal Factors Contributing to Stolen Laptops and Lost Data

Why are laptops easy targets for gaining access to data? The answer involves a combination of misperceptions on the part of the company and the users of the laptops. Some companies simply fail to maintain an adequate inventory of their laptops, while others completely refuse to invest in appropriate security policies and procedures. Users often fail to understand the value—not only of the units themselves—but also of the information they contain. Consequently, they can resist applying appropriate security policies and procedures when they are enacted.

Accountability

A 2004 survey by Ernst & Young found that few organizations and individuals feel they should be held accountable for failing to protect laptops and data. In many organizations, when a laptop is stolen, the affected employee simply acquires another from inventory. Even some security practitioners hesitate to emphasize laptop theft. One corporate security professional admitted that he had more global issues to confront than

Inadequate security

When finally caught, one Calgary laptop thief responsible for hundreds of thefts over several years admitted to the arresting officers, “companies made it too easy for these types of crimes to be committed, because of the lack of appropriate security measures.” Even when adequate security measures are in place, they are often ignored for two reasons: the security staff is not available, not credible, or unable to sell the value of protective strategies; or employees are uninterested or have been poorly trained.

Perception

The relatively low price of laptops can suggest that they do not merit protection. Even though many organizations spend thousands of dollars on individual laptops, they are often viewed as a minor part of a departmental or organizational budget. Organizations that embrace this thinking fail to understand the true cost of a laptop, or the value of the data residing on it. Even privacy legislation assigns a value to data by assessing fines for losing it.

External Factors Contributing to Stolen Laptops and Lost Data

Even a well-designed security program must be tweaked constantly to keep ahead of external factors that are determined to uncover its weaknesses. The market for a company’s proprietary information and personal data on customers and clients is lucrative. Determined thieves are more than willing to take the risks to reap the rewards. Once thieves have been successful at one property, research shows that they are likely to return.

Determined thieves

According to the 2003 BSI Computer Theft Survey, 99% of survey respondents who experienced computer theft reported that the thief was never caught. Some thieves are simply opportunistic and take advantage of situations to steal laptops. In interviews conducted for the 2007 BOMA survey, one thief admitted that he made between $500 and $600 per unit, and had stolen as many as fifteen laptops at a time. At the other end of the spectrum, thieves admitted they sold laptops for as little as $40 of crack cocaine. Thieves intent on stealing laptops will put tremendous effort into overcoming significant security measures. They will conduct security assessments to look for weak entry points. They will bring props, such as maintenance, janitorial, or security uniforms, so they appear to fit in. They will make phony identification badges, develop cover stories, and communicate with partners using cell phones and radios. One offender indicated that he would conduct research on the latest equipment and develop “want lists” before orchestrating a hit. Organizations are vulnerable to laptop thefts from both outsiders and employees. Research is contradictory about which poses a greater threat. But there is no doubt that those inside organizations are also stealing laptops. Authors Clarke and Eck posit that laptops are “CRAVED” by thieves. The acronym explains why.

Concealable: Because they are small, laptops are easy to hide beneath a jacket, layer between other items, place in a backpack, or put in a gym bag.
Removable: The portability of the device is partially what makes the laptop desirable to both companies and individuals.
Available: Many individuals and companies use laptops extensively. As a result, considerable numbers are available to be stolen.
Valuable: Many people are willing to pay large enough sums of money for stolen laptops. Thieves tapping into this lucrative market are willing to go to extremes to satisfy the demand.
Enjoyable: As computers become more essential for both business and pleasure, the demand continues to grow.
Disposable: An illegal market is readily available, allowing thieves to dispose of laptops easily.

Managing the Threat

Ultimately, preventing laptop thefts and the resulting data loss requires a permanent solution. Countering the threat requires company management to commit to a course of action prescribed by basic security principles. These principles are used by corporations of all types, in all corners of the world, to prevent and deter myriad risks to a company’s well-being. Bringing these same principles to bear on this specific crime can reduce the threat from both internal and external sources. Implementing these principles requires a review of the many resources and options available, including: physical, electronic, and procedural security enhancements; legislation; and product design. In conjunction with law enforcement, preventive measures should also disrupt the market for the stolen goods.

Physical, electronic, and procedural security enhancements

A comprehensive and converged physical, procedural, and information security program is essential for every organization, regardless of size, industry, or ownership. And part of that program must address laptop security and the related loss of potentially sensitive data. Implementing the appropriate security measures requires money, time, and effort. Companies must be committed to supplying all three. Management must realize that a lack of funding is a serious impediment to a comprehensive protection program. Many companies have implemented successful strategies. But research shows that companies that have failed to do so lack a comprehensive, layered approach to security that takes into account physical, electronic, and procedural measures. Also, these measures must be embraced by all employees, including laptop users, management, and security professionals from both physical and electronic disciplines.

Seven steps to prevent loss

These two goals can be achieved by adopting situational prevention techniques, implemented through the following seven steps:

Step 1: Conduct an audit to determine where laptops are used within the organization. This audit gathers specific information about a company’s laptops: where they are being used in the organization, how many are in the inventory, who is using them, for what purpose, and what type of data is residing on each one.

Step 2: Determine whether specific employees need a laptop to do their jobs. If a laptop is not required, it should be replaced with a desktop unit. If the laptop is an essential part of the employee’s work, the next steps should be pursued.

Step 3: Classify data on the laptop according to organizational guidelines. The classification scheme should be specific to the organization and its culture. A number of classification models are available. The one selected should be clearly understood, implemented, and followed by all employees. The example of Sample Identification and Classification of Data can help categorize the relative value of “Public Documents,” “Proprietary Information,” or “Highly Confidential Information.” The latter group includes human resources, financial, security, and organizational plans and strategies, as well as test results, assessments, surveys, or other information the organization has spent money collecting or developing.

Step 4: Determine if data residing on each laptop is necessary for employees to complete their jobs. If not, the data should be removed. If the data is necessary, the next step should be pursued.

Step 5: Conduct a risk assessment to determine possible theft scenarios for the data stored, processed, or transmitted by laptop. Devise appropriate security measures to protect both the data and the laptop. The assessment puts the required physical, procedural, and electronic security measures into perspective, as well as the necessary security awareness training. Obviously, the higher the classification of the data, the more security measures should be in place. A number of risk assessment methodologies are available. In addition, ASIS International has published a General Security Risk Assessment Guideline, available to download for free at http://www.asisonline.org/.

Step 6: Implement the required protection strategies. Protective strategies start with security awareness programs; employees must understand their obligation to use the security measures required to protect laptops and data. Employees should be required to indicate, in writing, that they understand the established laptop and data protection guidelines. Department managers and senior managers should show their support for the policy by signing similar forms. Both facility and IT security personnel have special responsibilities for implementing the policy, and should indicate their willingness to assist on the appropriate forms.

Step 7: Create a loss response team to monitor laptops and data. Should a loss occur, the affected employees should be required to report the loss in writing. The team then responds to the report by investigating the losses and determining the scope of the data breach. In addition, the team should be regularly educating users, conducting audits to ensure compliance, annually assessing data needs, and destroying or removing data when it is no longer required. This process is cyclical, since new laptops and data enter and leave the organization on a regular basis.
