
Ten Practical Steps to Prevent Laptop Theft

After all the shocks and finger-pointing following the HMRC breach, it’s disturbing to hear that a laptop with unencrypted, sensitive MOD data could be stolen from the boot of a parked car. The data, of course, should have been encrypted. But that’s not enough, because every lost laptop has a business impact.

All organisations experience laptop losses, so security managers should aim to minimise the risk. Experience shows that proactive efforts make a substantial difference. I've covered this issue before but it's worth repeating and expanding the advice. Here are some practical tips.

1. Ensure your IT Helpdesk reports cases of stolen laptops to a security manager.

2. Conduct an immediate damage assessment for every laptop that goes missing.

3. Establish where and how laptops are being lost. Is it from particular offices, models of cars or hotels?

4. Get professional advice from the local police on how best to avoid theft. For example, are some car boots more at risk than others? Are there local hot spots for vehicle thefts?

5. Review your policies to ensure you have major sources of loss covered.

6. Send out warnings and advice to all executives at risk. Tailor this information as far as possible to take account of local threats and vulnerabilities.

7. Take special measures for business units and functions that handle sensitive information.

8. Monitor incidents and report them regularly to senior management. Advertise this fact to business managers.

9. Send out regular reminders to executives, especially at high risk times for thefts and losses such as the lead up to Christmas.

10. Benchmark your performance against other similar organisations. If you’re experiencing more losses, find out why and take further remedial action.

Persistence helps. Keep hammering away at the problem and it will progressively reduce. With good policy, advice and constant reminders you can reduce the level of losses to zero. That should be your target.

Comments (4)

An interesting article David.
One of the things that I have been thinking about is separating the data from the laptop as a strategy. With the advent of increasingly larger USB Flash Drives (16GB now available) and some with built-in biometrics, would it be a good strategy to hold the data on a removable device which can be stored separately to the laptop itself?

I realise that you are exposing yourself to theft of the USB drive but I would guess that people are more likely to steal the laptop than the USB Flash Drive.

I know you were working on a project to produce a secure flash drive or something similar - is this a viable strategy and if you were to implement such an idea what would you recommend?
Howard

Toby Stevens:

Some great ideas in this article. Back in the heady days of the dot-com boom, I ran security for a pan-Asia ISP. They had a very effective policy on laptops: each staff member was given $2,000 to kit themselves out with a laptop. They could spend more if they topped it up with their own money. They could spend less and keep the change. At the end of two years, the staff member got to keep their laptop and was given another $2,000.

BUT: lose the laptop, and you have to make your own arrangements for a new one. Not only that, but the two-year clock is reset, so you have to wait a fresh two years for a replacement machine.

We didn't lose a single laptop in the time I was there.

I appreciate that this doesn't do anything about the (much more important) data loss issues, but if you make a laptop the employee's own, they'll treat it like their own.

David Lacey:

That's a very interesting idea. The answer is too rich for a brief comment and deserves a new blog posting. Watch this space.

I totally agree with Toby's illustration but any time I have tried to put this approach into a Remote Working / Laptop Usage Policy for a client they have backed away with all sorts of concerns about Unions and HR .... but the principle remains sound - if it hurts my pocket, I might take it more seriously... :)


About

This page contains a single entry from the blog posted on January 21, 2008 8:55 AM.
