Before accounting firm Grant Thornton’s employees head into the field, they are issued a laptop. In the past, the laptops were equipped with a locating device that automatically reported back to the IT department at company headquarters as soon as an employee logged on to the machine. However, that meant that the computers and their contents remained vulnerable during the time between when they were checked out from headquarters and when they were activated by a Grant Thornton employee.
“We were not at all comfortable with that gap,” says Dave Johnson, director of IT operations for Grant Thornton. “We wanted to protect the machine when it was in the wild, before the tracking system kicked in.”
The need to protect data on laptops is substantial given the nature of Grant Thornton’s business. Grant Thornton International—a global accounting, tax, and business advisory organization with member firms in 112 countries, including 51 offices in the United States—works with highly confidential financial information for clients. What’s more, its 5,500 employees do their work in a mobile environment. “Our business is 85 percent notebook based,” says Johnson. “Our employees travel throughout the United States and Europe.”
IT has implemented a number of measures to protect client and company data stored on the laptops, which are leased from Dell Financial Services on a two-year contract basis. For example, the company has tracking software called Computrace installed on each laptop. When a user connects to the Internet on the laptop, the software automatically connects to the Internet and reports its location back to Grant Thornton at 15 minute intervals.
Grant Thornton works with Dell Financial Services to include Computrace on each of its laptops. The Computrace service, which is amortized over the life of the lease, costs Grant Thornton a few dollars a month, per laptop.
“When the machine boots up, the software will report its location,” says Johnson. “If the machine has been stolen we turn this information over to the police, and they get the equipment back for us.”
Thanks to the tracking software, the company’s loss rate was under 1 percent. Johnson says that compares well to the 8 to 10 percent loss rate that other companies tell him they experience. But even with that low rate, the potential for content to be stolen existed. The IT team decided that the solution would be to encrypt the data. The company issued a request for proposals.
Most of the companies that responded had full disk encryption products that would encrypt everything on the laptop. However, these programs decreased laptop performance significantly.
Another drawback was that machines would not boot up without a password once the full-disk-encryption products were installed. If equipment was stolen, thieves would not be able to activate the machines. While that might seem desirable, it meant that the tracking software would not be able to report the laptop’s location, making recovery of the computers unlikely.
Only one of the systems, CREDANT Mobile Guardian (CMG), manufactured by CREDANT of Dallas, Texas, offered partial encryption. The product encrypted only the data, not the operating system or software applications, making it undetectable by the user. Also, because the system only encrypted data, the machines would boot up without a password, activating the tracking software.
CMG also protects all the data created by the employee and saved by the computer. “No matter where a word processing document is saved, CMG will encrypt it,” says Kirk Halliday, manager of the systems administration group for Grant Thornton. This makes the encryption easy for employees to use.
This user-friendly approach also works to IT’s advantage because the encryption is transparent to employees. “Users don’t know they have the encryption installed,” says Halliday. “So a thief won’t know that there’s data that they can’t get to.”
Using CMG, Halliday can manage the encryption policies on each laptop and can remotely encrypt information. He can also establish archiving. For example, laptops have a software program called e-mail pooling. The program archives all e-mail and saves it in case of future litigation. The user can delete the e-mail from the laptop, but it will still be saved in another part of the computer. Halliday can remotely access a laptop, enable the e-mail pooling feature, and then reconfigure CMG to encrypt the e-mail.
CMG was also the least expensive encryption program the company explored. As with the Computrace service, the cost of the CREDANT service is figured into the price of the leased laptops. So for about $2 a month extra—for a total price of $50 per laptop for two years—CMG is loaded onto the laptops before they reach Grant Thornton. The maintenance cost for the software is also included in the lease price.
“Even though CREDANT was the lowest in price, building the cost into a lease program helped sell it to senior management,” says Halliday. “We told them if we didn’t want the product after two years, we don’t have to renew it.”
However, after using CMG for a little over a year, Johnson is pleased with the product and plans to renew the lease. Since it has begun using the software, the company has had many opportunities to test it when laptops were stolen.
In one case, thieves broke into the Grant Thornton headquarters and took a plasma television and three notebook computers. The tracking software led to a theft ring working out of a local mall. Police arrested the thieves and returned the stolen property to the company.
In another case, a contractor who worked for the company stole six laptops. The tracking software led to a family that had bought one of the computers from the contractor and was unaware that it was stolen property. The contractor was preparing to sell the other five laptops. He was arrested, convicted, and sentenced to ten years in jail.