Laptops walking out the door of policy-free firms

Concerned that your employees are being a bit lax when it comes to looking after their laptops? Steal them yourself, one vendor has advised in the wake of yet another damning security report that suggests laptops and other equipment are literally walking out of Australian companies that are still operating at far below world's best practice when it comes to device security.

Conducted by IDC and market-research firm Pure Profile, the Kensington Australian Business Security Report 2011 found that 51 percent of surveyed businesses had had IT equipment stolen in the previous year – a 50% increase over 2010 figures. Fully 45% of respondents had had laptops stolen unrecoverably, with an average of 2.2 laptops stolen per year, per company.

The report offered a bleak picture of security policy compliance, with the financial sector surprisingly the least compliant: just 41 percent of IT decision makers in financial-services companies reported having formal security policies in place, compared with 58% in education and 60% in government.

"We really should see that at 100 percent," Sam Goldstein, Kensington Australia's manager of marketing and business development, told CSO Australia. "Nine out of ten employees were unconcerned or slightly concerned about theft in the workplace, which was the most common location of device theft. As theft moves into new areas with tablets and smartphones going missing as well, the need for education is only going to get bigger."

Many companies, Goldstein said, report running their own theft rackets – tasking IT staff with patrolling halls and offices to find and purloin unsecured laptops. They typically leave a note for the employee advising them what has happened and where they can get their devices back, turning the exercise into a tough-love campaign of sorts that is sure to get employees' attention.

"Most customers are aware of the risk and interested in doing something, but a lot of it comes down to budget constraints and issues with laziness or lethargy in terms of locking down their equipment," Goldstein offered. "Employees don't want to put in any effort or do anything fiddly."

Statistics around the location of equipment thefts may help CSOs focus their efforts better: theft of multiple laptops or devices was most likely to take place in the office (35 percent), car (26%), or meeting room (18%) while losses at conferences were relatively low (11%).

One-off thefts had a quite different profile, with cars (47 percent), the office (36%), and meeting rooms (17%) the most common locations for theft. While it may be optimistic to suggest installing physical security measures in employee cars, even simple measures – like getting employees to store laptops in the boot or elsewhere out of sight while parking – can be a significant improvement.

Significantly, 'walk-ins' – in which a thief simply walks into a premises, picks up equipment and walks out with it – were blamed for 45 percent of thefts overall, with education (60%) and government (50%) sectors hardest hit. Break-ins, by contrast, were implicated in just 29% of cases, with half of those from government organisations; opportune theft made up the remaining 26%, with 57% of financial services companies and 50% of healthcare companies suffering opportune-theft losses.

Although the report is an obvious tilt towards Kensington's physical security constraints – its industry-standard Kensington lock is built into most contemporary laptops and will soon be available for smartphones and tablets via custom cases – the survey painted a desperate picture in this area.

Just 41% of companies had formal procedures for managing loss/theft and recovery of devices, while 38% relied on laptop vaults and just 31% on cable locks. And fully 24% of employees said they wouldn't use a laptop lock even if their company provided one.

The report's implications are broader than simply promoting physical security, however, noting that Australia's businesses really need to get their broader security infrastructure in order. Regular asset tracking and management systems, for example, help ensure devices can be accounted for at all times, while just 27 percent of the report's respondents said they even audit compliance with security policy.

Given the broad availability of pro-forma security policies and relevant technologies and products on the market, Goldstein says, there's no excuse for the kinds of numbers found in the new report.

"Many people talk about tracking tools like Find My iPhone, but by the time you track it down, all your data could have been wiped," he says. "The real aim is not to lose it in the first place."

