Concerned that your employees are being a bit lax when it comes to looking after their laptops? Steal them yourself, one vendor has advised in the wake of yet another damning security report that suggests laptops and other equipment are literally walking out of Australian companies that are still operating at far below world's best practice when it comes to device security.
Conducted by IDC and market-research firm Pure Profile, the Kensington Australian Business Security Report 2011 found that 51 percent of surveyed businesses had had IT equipment stolen in the previous year – a 50% increase over 2010 figures. Fully 45% of respondents had had laptops stolen unrecoverably, with an average of 2.2 laptops stolen per year, per company.
The report offered a bleak picture of security policy compliance, with the financial sector surprisingly the least compliant: just 41 percent of IT decision makers in financial-services companies reported having formal security policies in place, compared with 58% in education and 60% in government.
"We really should see that at 100 percent," Sam Goldstein, Kensington Australia's manager of marketing and business development, told CSO Australia. "Nine out of ten employees were unconcerned or slightly concerned about theft in the workplace, which was the most common location of device theft. As theft moves into new areas with tablets and smartphones going missing as well, the need for education is only going to get bigger."
Many companies, Goldstein said, report running their own theft rackets – tasking IT staff with patrolling halls and offices to find and purloin unsecured laptops. They typically leave a note for the employee advising them what has happened and where they can get their devices back, turning the exercise into a tough-love campaign of sorts that is sure to get employees' attention.
"Most customers are aware of the risk and interested in doing something, but a lot of it comes down to budget constraints and issues with laziness or lethargy in terms of locking down their equipment," Goldstein offered. "Employees don't want to put in any effort or do anything fiddly."
Statistics around the location of equipment thefts may help CSOs focus their efforts better: theft of multiple laptops or devices was most likely to take place in the office (35 percent), car (26%), or meeting room (18%) while losses at conferences were relatively low (11%).
One-off thefts had a quite different profile, with cars (47 percent), the office (36%), and meeting rooms (17%) the most common locations for theft. While it may be optimistic to suggest installing physical security measures in employee cars, even simple measures – like getting employees to store laptops in the boot or elsewhere out of sight while parking – can be a significant improvement.
Significantly, 'walk-ins' – in which a thief simply walks into a premises, picks up equipment and walks out with it – were blamed for 45 percent of thefts overall, with education (60%) and government (50%) sectors hardest hit. Break-ins, by contrast, were implicated in just 29% of cases, with half of those from government organisations; opportune theft made up the remaining 26%, with 57% of financial services companies and 50% of healthcare companies suffering opportune-theft losses.
Although the report is an obvious tilt towards Kensington's industry-standard physical security constraints – its industry-standard Kensington lock is built into most contemporary laptops and will soon be available for smartphones and tablets via custom cases – and the survey painted a desperate picture in this area.
Just 41% of companies had formal procedures for managing loss/theft and recovery of devices, while 38% relied on laptop vaults and just 31% on cable locks. And fully 24% of employees said they wouldn't use a laptop lock even if their company provided one.
The report's implications are broader than simply promoting physical security, however, noting that Australia's businesses really need to get their broader security infrastructure in order. Regular asset tracking and management systems, for example, help ensure devices can be accounted for at all times, while just 27 percent of the report's respondents said they even audit compliance with security policy.
Given the broad availability of pro-forma security policies and relevant technologies and products on the market, Goldstein says, there's no excuse for the kinds of numbers found in the new report.
"Many people talk about tracking tools like Find My iPhone, but by the time you track it down, all your data could have been wiped," he says. "The real aim is not to lose it in the first place."