
Laptop security - it's not that difficult

Yet another laptop theft story in the newspapers. This time a case of three stolen laptops containing payroll and pension details of more than 15,000 Met Police officers. Following on from the recent Nationwide incident it’s clear that the UK Media have this theme firmly in their sights. It’s nothing new of course. Thousands of laptops are lost or stolen in the UK every day. But the problem is growing with increasing numbers of laptops with larger amounts of data being carried to and from work and between meetings. And there is now a higher probability that sensitive data might be compromised with the growing interest of organised crime in new sources of information to support identity theft.

Sensitive personal and business data should always be encrypted - both in transmission and storage. There is no excuse for not doing this today. The technology is available and affordable. But you can’t change the habits of an organisation overnight. Lots of HR, Marketing and Finance personnel have been downloading sensitive personal data into unprotected spreadsheets on their PCs for many years. It’s a legacy from a less dangerous age, when we all operated in secure office environments and criminals were less inclined to steal PCs for the data they contained. But the business environment and the security threat have changed substantially, so we should aim to close down these vulnerabilities as quickly as possible.

So what should CISOs be doing to mitigate the risks? Here are some suggestions.

Firstly, introduce encryption facilities for all users handling sensitive personal data. But make sure it is underpinned by professional key management; otherwise you may be introducing a denial-of-service problem, because the keys will get lost or corrupted from time to time.

Secondly, introduce a risk assessment process into the reporting process for laptop losses and thefts. In the absence of any security advice, most IT helpdesks will simply replace the lost laptop with a new one. You need to establish if there was any sensitive data on the laptop or any suspicious circumstances surrounding the loss, and, if so, to conduct a damage assessment as quickly as possible.

Thirdly, monitor and analyse where and how laptops are being lost or stolen. Then intervene with appropriate policies, controls and education. It’s amazing the difference this can make. You might find that there is a spate of thefts associated with a particular building, or a make of company car, or a hotel frequented by staff. With targeted warnings and controls you can prevent many future losses. During my time in Royal Mail Group we drove down laptop losses dramatically, almost eliminating the problem for months at a time.

Finally, take special action to remind staff to look after their laptops during the run-up to the Christmas period, when many staff are distracted and may well leave their laptops unattended in pubs, trains or offices.
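As an added illustration of the second and third suggestions (this is not code from the original post), here is a small Python triage over a constructed laptop-loss register: each report is classified by whether a damage assessment is needed, and locations with repeated losses are surfaced for targeted warnings and controls. The field names, thresholds and sample reports are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LossReport:
    """One helpdesk report of a lost or stolen laptop (fields are assumed)."""
    asset: str
    location: str         # building, hotel, train, make of company car...
    sensitive_data: bool  # did it hold personal or business-sensitive data?
    encrypted: bool       # full-disk encryption with managed keys in place?
    suspicious: bool      # forced entry, targeted theft, contradictory story


def triage(report: LossReport) -> str:
    """What the helpdesk must do beyond issuing a replacement machine."""
    if report.sensitive_data and not report.encrypted:
        # Data must be presumed compromised: assess damage immediately.
        return "damage-assessment-urgent"
    if report.sensitive_data or report.suspicious:
        # Sensitive data (even encrypted) or suspicious circumstances
        # still warrant a damage assessment before closing the ticket.
        return "damage-assessment"
    return "replace"


def hotspots(reports, threshold=2):
    """Locations with repeated losses: candidates for targeted controls."""
    counts = Counter(r.location for r in reports)
    return {loc: n for loc, n in counts.items() if n >= threshold}


# Constructed sample register; these are not real incidents.
SAMPLE = [
    LossReport("LT-001", "Head office car park", True, False, False),
    LossReport("LT-002", "Head office car park", False, True, False),
    LossReport("LT-003", "Hotel near client site", True, True, True),
    LossReport("LT-004", "Head office car park", True, True, False),
    LossReport("LT-005", "Evening train home", False, True, False),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.asset, triage(r))
    print("hotspots:", hotspots(SAMPLE))
```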

Good laptop security is not difficult, it’s just a matter of simple common sense and prudent countermeasures.

Comments (7)

Many laptops are being stolen, this is true, but surely ones with such important information should be encrypted with the most unbreakable encryption software, or better still, if the laptop is stolen there should be a system or program you could join where the owner of the laptop contacts someone and they totally destroy all files on the laptop.

Surely with all the technology in this world there has to be some sort of protection.

Dick Cowen:

I always find it amusing to read about laptops being stolen with the assurance that 'it's protected with a very strong password'.
I have in my tool kit a bootable CD that I use to reset forgotten passwords including the admin. It works fine on Windows 2000 upwards and makes a joke of 'strong' passwords.

magdalena:

Dear Sir,
I am sorry to contact you in this way but I admire your work and am not able to find your contact details.
My name is Magda and I represent hakin9 - an IT Security magazine available in USA in Barnes&Noble stores (for more details about hakin9 - see below).

As you are an expert in IT security matters we would like to invite you to cooperate with us. We were wondering whether you wish to write some technical, IT security related articles for our magazine.
Also, in the next issue of our second magazine - Linux+DVD - we are planning to have a consumers' test on laptops running Linux. Could you help us with this issue?

Thank you for reading this email. If you are interested, please contact me to discuss further details. I am looking forward to hearing from you.
Best regards,

Magda Blaszczyk
hakin9 Junior Product Manager
Hard Core IT Security magazine
www.en.hakin9.org

About hakin9:
hakin9 is a monthly magazine covering questions of breaking into computer systems as well as defence and protection methods, the latest security tools and events.
Our magazine is published in 7 language versions in about 20 countries!
We have a great readership in Europe, and in September we hit the USA (available in Barnes&Noble) and Australia.
I don't know if you are familiar with hakin9?
If not, here's the link to one of our archive issues:
http://software.dt.pl/download.php?p=192&u=1312&h=d1d697e889550aed7c1c
LINK TO GUIDELINES FOR THE AUTHORS
http://en.hakin9.org/content/display/52

Good Afternoon,

I have just read your column with a great deal of interest. We at Keep IT Secure have worked alongside Nottinghamshire LEA Insurance and Nottinghamshire Police to design a realistically priced range of portable laptop storage and charging solutions for the education and business sectors. However, as a manufacturer, spreading the word about our product range is incredibly difficult.

The problem we find is that people are far more interested in the technical specification and all the bells and whistles on their notebooks than they are about them being stolen.

We have spoken with schools throughout the UK and I often get comments like: the local community treat our schools as the local Dixon's warehouse; they know the school is full of expensive electrical equipment they can steal, and they know every time they steal our laptops we will replace them!

The problem we find with our range is not a lack of security features and specification, it's the fact that they are not an exciting product. You would get far more excited about a new HD TV purchase than you would about a new sideboard or cupboard.

Our company has spent a lot of time developing a range of secure mobile units that would greatly reduce laptop theft and increase mobility and flexibility. I just need to get people to take a look at them.

Great column, keep up the interesting work!

Kind Regards
Brian Murphy

It is always disruptive when something gets stolen, especially a valuable item such as a laptop.

A good laptop computer insurance policy can at least protect you from the financial problem of losing your laptop through theft, although you would still need to protect your valuable data.

It's all very well having your data encrypted, but when you lose your laptop in a taxi, as I did last year, it's less that the data is unsecure and more that it was the only copy. Which again was my fault, I know, but it still doesn't help get the data back. I've now moved to keeping at least two copies: one on an external HD at home kept in a separate place (you can buy 500Gig for £100 these days), and using a gmail account to keep documents.

Having the use of trusted/multilevel security gives one extra options. For one, a kernel level policy enforcer will prevent information from being copied to a laptop that should not be, in the first place, eliminating the potential for some incidents.

We also offer an AI risk analysis engine that can limit the risk of laptop carriers by setting the value of corporate data and setting limits to what value may be loaded on different corporate user roles. With greater risk comes the possibility that certain laptops would have to be authenticated by means of a special version of Trustifier for the information to be released to it, but that would also prevent anyone from recovering said information in the event of theft or loss.

This page contains a single entry from the blog posted on November 23, 2006 9:36 PM.