Your data is more at risk than ever as easily stolen laptops become more and more prevalent.
Daniel Robinson looked like just another job candidate. With his dark grey suit, wingtips, no-nonsense red tie and neatly trimmed hair, he was so utterly unremarkable that, when he asked the receptionist if he might slip into a restricted area of the building to use the bathroom, she let him in without thinking twice. Only minutes later, a brand-new laptop - and not coincidentally, Robinson - had vanished.
This story is a made-up one for our purposes, but the crime is real enough. In Australia, AusCERT's 2004 Australian Computer Crime and Security Survey showed that for two years in a row more than half of respondents (58 percent in 2004 and 53 percent in 2003) reported that they had been victimized. In addition, 63 percent of respondents claimed that laptop theft had caused their organization some financial loss in the previous 12 months.
And the real anecdotes are pervasive: A large insurer had two of its laptops stolen from a locked car. They contained data on about 200,000 customers, who then had to be informed that they were at risk of identity theft. At a banking giant, a laptop containing data on thousands of the bank's mortgage customers was stolen from a rental car's boot when two employees travelling together stopped at a convenience store and left the car unlocked with the keys in the ignition. In another incident, the Australian government revealed that over the past several years it lost more than 1000 laptops, 537 of those from the Department of Defence. And police in Delaware and Pennsylvania joined forces to bust a fencing operation that specialized in car break-ins. Police raided the ringleader's business and confiscated 35 stolen laptops and 20 PDAs.
Safeware, a computer insurance provider, estimates that in 2002, US PC owners filed 620,000 claims for computer thefts - most of them for stolen laptops. And those numbers only promise to increase. IDC predicts that, by 2008, 50 percent of the PCs in the United States will be laptops (up from 29 percent in 2004), which means there'll be plenty of targets out there. Many PC owners seem oblivious to the risks surrounding their equipment; a good number of thefts occur because people carelessly leave their computers in places where they are likely to be stolen.
The dollar amount of such losses isn't easily determined. The AusCERT survey pegs losses by Australian companies from laptop theft in 2003 at $1,484,244, but that doesn't necessarily include the value of data lost. The survey also showed 97 Australian organizations reported that they lost time recovering from laptop theft - and one organization said it may never recover. Gartner estimates that a single stolen laptop can cost a company more than $US6000 for hardware, software, restoring data (assuming it was backed up in the first place) and user downtime. Gartner analyst Leslie Fiering notes that this number doesn't account for the cost of any data lost or exposed.
What can companies do to stop computers from being stolen? "Security today is what quality was in the 80s," says Gerry McCartney, CIO at the Wharton School. "People say: 'Yeah, I don't have to worry about that, we have a team that does that.' So they leave their offices open all the time. It goes back to the mentality that security is someone else's problem, not mine."
But, like quality, "these virtues are either [ingrained] in an organization or they're not", McCartney says. "You can't put up a sign and create them."
At least, not overnight, says Tim McKnight, senior director and CISO of Northrop Grumman. While he acknowledges that company cultures are hard to change, McKnight says that they can become more security-conscious - though only if top management leads the way. "There's no silver bullet for the issue," he notes, saying companies must pay attention to four areas: user awareness, physical security, new and old technologies, and policy.