Securius Newsletter

October 19, 2000
Volume 1, Number 10
http://www.securius.com

To Lose a Laptop

By Seth Ross

CEO has his laptop stolen from the podium after a press conference. On that device: the "DNA" - plans, prices, prospects - for a major public company in a highly competitive market. A secret service agent puts his laptop down for a moment at a train station; he turns around and it's gone, along with secret information on anti-terrorist operations. Another secret agent goes on a binge in a pub. In the morning, she can't remember what happened to her laptop.

The mobile computers known as "laptops" or "notebooks" are a favorite target of theft. In many instances, they represent a target of convenience for street criminals due to their small size and high resale value. But not all laptop/notebook theft is due to street thefts. In some cases, the target is not the computing device itself but rather the data it contains.

According to Safeware (http://www.safeware.com), the leading computer insurance company, a total of 319,000 notebook computers were lost in the US due to theft in 1999, for a total loss of $800 million. While Safeware is a reputable company with reputable methods of calculating loss, their numbers are certainly far too low. One reason: it's very difficult to estimate the value of data losses. There's no sure way to know whether the data has fallen into the hands of a competitor or not. Another reason relates to one of computer security industry's most vexing problems - the disclosure conundrum.

The sad truth is that companies lose confidential data every day. In most cases, the companies don't even know they've lost data. If they do know they've lost data, they often don't know how they lost it. If they know they've lost it and know how they've lost it, they don't report the loss.

Historically, computer thefts and breaches of data security are not reported because companies find it embarrassing to disclose significant hardware thefts, especially when that hardware has critical data on it. The problem is even more acute for network security breaches.

Non-disclosure makes it difficult for security practitioners to calculate risk and for executives to make sound decisions about budgeting for security safeguards and personnel. A total US loss of $800 million is a drop in the bit bucket in the context of an economy worth trillions of dollars.

If everyone knew how much everyone else was losing, they could plan and implement appropriate security safeguards and processes. If everyone implemented appropriate security safeguards and processes, the rate of theft and loss would plunge. Criminals would be deterred and - if the safeguards were tough enough - some might even take an interest in an easier line of work.

While very little can be done about the lack of reporting, security planners and decision-makers can factor underreporting into their planning and risk analysis processes. Calculate the total value of information assets based on the value of both hardware and data, and assign a high probability for the loss of mobile assets like laptop computers.

If your company has 2,000 laptops, worth $2,000 each, with $20,000 worth of data on each, your total possible exposure is $44 million. Given that it's impossible to know how many laptops are stolen in a year, assign a percentage based on your users' travel habits, business locations, etc. Two percent loss might be a good guess, leaving your company with an estimated exposure of $880,000. It would be reasonable to spend up to $440 for the security of each laptop.

Fortunately, notebook security measures are fairly inexpensive. Most new laptops have security slots that accept lock and cable assemblies. The cable can be looped through any stationary object or attached to common office furniture or cubicle walls. Kensington is a leading brand; it offers a wide variety of office and computer supply products. PC Guardian focuses on high quality computer anti-theft products. The Notebook Guardian(r), for example, includes a PVC-coated galvanized steel cable and a highly tamper-proof lock. See
http://www.pcguardian.com/hardware/notebook.html

Physical security is only part of the picture. What if the lock and cable are defeated? As part of a strategy of defense-in-depth, PC Guardian also sells encryption software that protects all the system files and data stored on a notebook's hard disk: Encryption Plus(r) Hard Disk. The user must supply a password before Windows starts up. Once activated, the program transparently decrypts files as they're needed: no further user intervention is required. If the notebook is stolen, the thief cannot boot up the system. Even if the thief removes the hard disk and installs it on another machine, the data is encrypted and therefore useless for industrial espionage purposes.

For more about Encryption Plus Hard Disk, see
http://www.pcguardian.com/software/hard_disk.html

Perhaps the easiest and most cost effective approach is purchase a hardware/software bundle. PC Guardian's Road Guardian package includes the Notebook Guardian plus three encryption packages for about $100. See
http://www.pcguardian.com/roadguardian/

You may not be able to solve the conundrum of disclosure, but you can take some easy steps to ensure that _your_ company's notebooks stay out of the headlines. For all but the most marginal endeavors, simple notebook security is an easy buy.



Subscribe to the Securius Newsletter
Please enter your email address:



Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.