The U.S. government has recently been given full permission to check the contents of laptops and mobile devices belonging to travelers passing into the United States at border control checkpoints. Enterprises with international travelers should take immediate steps to safeguard the sensitive corporate data that exists on their executives' laptops and mobile devices. Knowledge Center contributor Jack E. Gold explains the steps you must take to ensure that your company's mission-critical data is protected from prying eyes.
On April 21, 2008, the 9th U.S. Circuit Court of Appeals essentially gave
the U.S. government carte blanche permission to check any and every
piece of data on laptops belonging to travelers passing into the United
States at border control checkpoints.
In its decision, the court stated that they "are satisfied that reasonable suspicion is
not needed for customs officials to search a laptop or other personal
electronic storage devices at the border." This decision also allows
the U.S. government to confiscate the laptop for an unlimited period of
time, and with no recourse for the owner of the device. Most business
laptop owners have nearly everything about themselves stored on their
hard drives, including financial information, pictures, e-mails from a
variety of sources, and, of course, work-related sensitive information.
Encrypt and back up
This case highlights the need for every enterprise--and any
individual who travels internationally--to take immediate steps. The
typical password log-in protection is not sufficient to mitigate this
risk. Enterprises should require that all users have their hard drives
encrypted. Further, it is imperative that a backup of the data on the
drive be made and left in a safe place. This should be done in case the
U.S. government decides to confiscate the user's machine (although this
is an unlikely scenario, it is nevertheless possible). Typically, 50 to
75 percent of critical business information is stored on user PCs, and
it is often never backed up. So, if an executive's machine is
confiscated, the potential for disruption is alarming.
Use laptop security suites, file backup and employee awareness
Any company with international travelers should initiate the following three precautionary steps immediately:
Precautionary Step No. 1:
If there isn't a laptop security
suite already in place, companies should deploy one. There are suites
available such as Sybase Afaria, Credant, Trust Digital, PGP, RSA and
Utimaco. Using this technology, companies should enable a secure
storage capability on each device by turning on and maintaining file
encryption. It usually isn't desirable to do whole disk encryption
(available within Windows XP and Vista), as this could cause
performance issues. But specific files of sensitive information should
be selectively encrypted.
Precautionary Step No. 2:
Next, make sure that all data files
on each laptop are backed up to a server or to a portable hard drive
provided to the end user. Then follow up with appropriate "nagging" to
make sure the user performs the backup regularly. Automated tools are
available to accomplish this at a reasonable cost, and often within the
same security suite deployed for encryption.
Precautionary Step No. 3:
Finally, inform every business
traveler of the new rules, and make sure they understand that the new
security regimen is not optional.
Re-evaluate lax laptop security attitudes
It is estimated that 75 percent or more of corporate laptops go
unprotected (except for the use of passwords). This is despite the
risks inherent in losing the laptop or having it stolen, and the risk
of the consequent data loss. This action by the U.S. government should
finally force the majority of companies to re-evaluate their lax
attitude toward laptop security, and provide a robust and secure
environment for their users.
Know the ruling also applies to all mobile devices
This ruling applies not only to laptops. Smart phones, including
RIM's BlackBerry, are also included in the powers of review and
seizure. Companies should take all necessary steps to secure them as
well. Users of many wireless e-mail solutions (such as BlackBerry,
Good, Sybase and MSFT Direct Push) already have higher levels of
built-in security than the majority of users with enterprise-deployed
laptops. Many of the wireless devices already include the ability to do
a remote wipe of the device, which many security suites also enable.
Although the risk to individuals of data snooping or laptop loss
because of this government ruling is minimal, it nevertheless does
represent a real threat--especially in regulated industries such as
finance and health care. Further, the risk is disproportionately higher
for upper management, since many of a company's highest-level
executives regularly engage in international travel while carrying
highly sensitive corporate data.
Protect all mission-critical data
Although we hope sanity returns and Congress acts against this
unprecedented invasion of privacy, we do not believe that this is a
near-term likelihood. Therefore, each company with users who travel
with their laptops must go into defensive mode and make sure all
mission-critical data is protected. This can be done through the proper
deployment of security and backup technology. Failure to act may cause
the loss of sensitive information and potentially result in substantial
harm to the company from confidential data being publicly disclosed.
Jack E. Gold is the founder and principal analyst at J. Gold Associates.
He is a former vice president of Research Services at the META Group.
He has over 35 years of experience in the computer and electronics
industries. He can be reached at firstname.lastname@example.org.