Categorize the Data
The first step toward secure travel is to ensure that employees are not carrying any files, documents, or data that they don’t absolutely need, says Mark Lobel, a partner in PricewaterhouseCoopers’ security services practice. That simple precaution minimizes the likelihood that the loss of a laptop will expose sensitive customer or employee information. And that’s critical because the loss of such data could hurt the company’s reputation and put it in violation of the more than 20 federal and state privacy-disclosure laws.
There can be serious financial repercussions to losing this type of information. Persons whose information has been lost may demand that the company pay for credit monitoring, Lobel says, which can cost as much as $100 per person. Multiply that by the thousands of people involved, and it becomes a significant issue. (Research from The Ponemon Institute found total costs from a data breach to be $140 per lost customer record.) On top of that, if laws have been broken, for example through the exposure of health-related information, criminal penalties may loom for corporate executives.
So, Lobel says, long before road warriors leave the office, organizations need to consider how information is classified, and it’s imperative that they have controls “that define how the information is protected when it’s created, when it’s stored, and when it’s destroyed.”
With that classification complete, the company can more readily assess whether any of the information kept on a notebook is sensitive, Lobel says. If the information needs to be on the laptop, the company must provide controls commensurate with the categorization of that data.
While it’s important to limit the amount of sensitive information carried, it’s also critical to physically secure the computing device. Nearly every laptop made today features a small slot on its side known as the Kensington Security Slot. Locks made by Kensington and other vendors fit into the slot, allowing laptops to be cabled to a sturdy or immovable object. Some of the locks are alarmed so that if the steel cable is cut, an alarm will sound. Laptop locks such as Kensington’s MicroSaver Retractable, which has a steel cable that can be retracted into an easily carried compact case, are available through computer stores and online retailers starting at about $30.
John Livingston, the CEO of Absolute Software, is a frequent business traveler. He keeps his laptop locked up when he can, but he says that simply keeping a laptop out of sight removes the temptation for somebody to steal it. “If I’m traveling in a vehicle, I make sure it’s in an area of the vehicle where it can’t be seen,” he says.
“In a hotel room you can hide it under your bed” if no safe is available, he says. While these may seem like minor measures, Livingston asserts that in most cases where laptops or other electronics disappear from hotel rooms, it’s because they were left out in the open.
Whether it’s because users are careless or thieves are determined, laptop thefts are not uncommon. Statistics from Safeware Insurance indicate that more than 600,000 laptops were stolen in 2004, with hardware losses alone estimated at $720 million and associated losses from theft of proprietary information estimated at more than $5 billion. Those statistics highlight the importance of measures that pick up where physical security leaves off. That means looking for ways to retrieve stolen hardware and to prevent thieves from accessing the data in the meantime (the latter is addressed in the next section).
Companies can buy software that makes it possible to find where a stolen computer has been taken. One such program is Computrace, made by Livingston’s company. Livingston explains that the “Computrace Agent” is hidden on the hard drive of a computer. This agent cannot be seen or, in most cases, deleted from the drive, even if the hard drive is formatted. The agent “phones home” to a monitoring center regularly when the computer goes online.
“We get the very bare bones of information in an anonymous format” from this agent, Livingston says. This information, which includes the serial number, date, time, and an IP address or telephone number, identifies the machine and its approximate location.
If a user notifies the monitoring center that the computer has been stolen or lost, “we ask the machine for additional information to help us pinpoint its position and help with the recovery process,” Livingston says. The information from the beacon can be passed to the company’s law enforcement liaison team, mostly former police officers, which works with local police departments to recover the laptop. Last year, Livingston says, about 1,000 computers were recovered using Computrace.
The company has found that local law enforcement agencies are often happy to help out. That’s because many computers are stolen by theft rings, Livingston says. “We’ve probably broken over 100 theft rings that were actively stealing computers out of an organization,” he says.
In one case last year, a beacon from a stolen machine was tracked to a warehouse in McKinney, Texas. Local police were thrilled to help; Livingston says they believed there was criminal activity taking place at the warehouse but had no evidence to get a search warrant. The Computrace lead helped them get one, and when the police arrived on the scene, they found drugs, stolen vehicles, unregistered weapons—and stolen computers.