Highly sensitive laptops go missing
- 06 October, 2004 07:44
Employees of private and government organizations working with highly sensitive information are still failing to adequately secure laptops containing highly sensitive information, with a spate of recent robberies prompting a stiff warning from a former Australian intelligence chief.
Over the last month in a series of brazen thefts at least four laptops have been allegedly stolen from sensitive security consultancies. In Victoria one alleged laptop theft triggered a police manhunt resulting in at least one arrest and subsequent charges being laid.
Computerworld is unable to publish details surrounding the alleged Victorian theft, including the name of the organization from which the laptop was allegedly stolen, as the matter is currently before Victorian courts.
The other three alleged thefts are understood to have occurred in Canberra over the Labor day long weekend and relate to an electronic security consultancy known to have government information security contracts. Computerworld understands the incident is currently being assessed for its security implications.
Former director of security intelligence for the Department of Defence, Clive Williams, who now lectures in terrorism studies at the Australian National University's Strategic and Defence Studies Centre, said laptop theft remained a serious security threat not least because government victims routinely downplayed the sensitivity of information held on stolen laptops to save their own careers.
"The commonwealth loses several hundred laptops a year. [Victims] invariably say that there is less sensitive information on them than there is [to try and protect themselves]," Williams said.
Williams said part of the problem was that many secure organizations such as Defence remained hostile to portable technologies such as secure thumb-drives because they created as many internal information security issues as they solved outside - but that laptops still remained highly vulnerable.
Williams said well-honed techniques to separate users from their machines were still routinely used.
"Sometimes if you are travelling overseas your hosts will organize an occasion where it's inappropriate for you to have your laptop with you so they can gain access to it," Williams said. Properly secured removable media, which can be more discretely carried by its custodian, offered some advantages in the field, he added.
Rick Draper, managing director of security and crime prevention consultancy Amtac Professional Services, said the fact that laptops now held huge amounts of data which, if left unencrypted, created a potential goldmine for thieves.
"When the information held on [a stolen machine] becomes compromised it is unforgivable - you always have to encrypt the data and have physical protection because of the profitability of a laptop," Draper said.
To mitigate enterprise data loss, Draper advocates a similar loss prevention methodology to that of the retail sector.
"In retail, the term 'stock shrinkage' is used for an acceptable form of loss and normally a result of three actions - incompetence, straight out dishonesty or damaged goods, which in retail can be easily tracked. In a corporate environment with regards to information, the same rules apply," Draper said.