January 2006 - Theft and Security of Laptops

According to survey data from CREDANT Technologies, a security software provider, 29 percent of all stolen laptops are taken from offices, with thefts from cars responsible for another 25 percent of laptop losses. Some of the 283 executives who responded to the survey noted that office laptops had been stolen despite being locked or even glued to desktops. Other key findings of the survey were:

• Almost 90 percent of lost or stolen devices contained company communications and confidential business information not intended for public view.
• Of the devices lost, the vast majority – 82 percent – are never recovered. Once they are gone, they are gone … and so is the data on them.
• It took a minimum of five days for more than half of respondents to have their laptops replaced, translating into lost productivity for mobile workers.
• 70 percent of respondents were simply issued a new laptop, showing companies do not understand the severe consequences that can result from a data breach.
• Time lost to recover the full capability of the device is the primary concern respondents reported after their device was lost or stolen, but the answer varied according to responsibility and executive status of the individual.

A copy of CREDANT’s report, “Corporate Exposure Survey: Lost & Stolen Laptop Edition” is available from Mary Van Zandt at mvanzandt@credant.com or Michelle Metzger at Michelle_Metzger@mccom.com.

What can companies do to stop laptops from being stolen? According to the FBI, here is what they should do:

• Establish a computer security policy, and enforce it.
• Educate users with the statistics on theft. Remind them of the need for compliance with various legislation, such as the Sarbanes-Oxley Act, which requires management of publicly-traded companies to report on their information security controls, and the Health Insurance Portability and Accountability Act (HIPAA), which has a “security rule” that addresses security of electronic protected health information (ePHI).
• Establish data policies. For users with sensitive data access, make sure they need a password to access their hard drives. Encrypt sensitive data and use automated backup. For notebooks with sensitive data on them, try motion alarms.
• Do not leave company visitors unattended.
• Finally, remember that policy is also not something a company adopts solely to prevent theft. In fact, Harold Hendershot, section chief of the computer intrusion section of the FBI’s cyberdivision, says policy must extend to what happens when a laptop is stolen, starting with whether to report it to law enforcement.

COPYRIGHT ©2005, ISO Services Properties, Inc.

The information contained in this publication was obtained from sources believed to be reliable. ISO Services Properties, Inc., its companies and employees make no guarantee of results and assume no liability in connection with either the information herein contained or the safety suggestions herein made. Moreover, it cannot be assumed that every acceptable safety procedure is contained herein or that abnormal or unusual circumstances may not warrant or require further or additional procedure.