Its the call that no it manager wants to receive: An employees laptop computer has been stolen, and it may contain sensitive data.
As a spate of recent incidents makes clear, laptop computer thefts and related data exposure is a serious issue, with organizations ranging from the U.S. Navy to financial services company Fidelity Investments reporting incidents in the last six months alone.
Experts say the manner in which companies respond to such incidents, and the strategies they employ to improve their device security, will determine the impact the stolen laptops will have on putting affected companies information at risk.
In Boston-based Fidelitys case, a laptop containing the information of 200,000 employees at customer Hewlett-Packard was taken from an employees car outside a California restaurant in March.
Fidelity representatives said the company has already escalated its work to improve equipment and data handling policies in the aftermath of the public relations disaster. "Weve accelerated the process of encrypting data on laptops and expanded information security training for all our employees," said Anne Crowley, a Fidelity spokesperson. "We already had strict measures in place, and its not our practice to have that level of data on a laptop, but it had been allowed for the purpose of a particular business meeting."
Experts warn that many companies may not be as well-protected from the threat of stolen devices as they may think. Just as in Fidelitys case, where security policies were circumvented to facilitate a specific meeting, companies are often their own worst enemies in terms of allowing workers to ignore security guidelines in the name of getting business done.
When faced with a laptop theft, enterprises must move quickly to minimize dangerous information leakage, said Peter Firstbrook, an analyst with Gartner, in Stamford, Conn. "If a company makes a mistake, they need to admit it right away and let people know, so they can try to solve any related problems," Firstbrook said. "Trying to wait it out has proven to only make matters worse."
One of the best steps a company can take is to contact immediately the appropriate law enforcement officials. In addition to gaining support in finding the missing device, calling on the law transfers some of the burden of recovering the machine to the police, Firstbrook said.
While finding the right law enforcement official may take some legwork, most police departments and federal agencies are responding more aggressively to such thefts, according to Ben Haidri, vice president of business development for Absolute Software, which markets the LoJack brand of laptop tracking tools.
For its part, Absolute Software, based in Vancouver, British Columbia, operates a "recovery team" of former law enforcement workers whose specific job is facilitating interactions with local police departments in the name of tracking down stolen devices.
When dealing with any law enforcement agency, it is important to have on hand all the pertinent information about a stolen machine, such as its serial number. A surprising number of companies find police departments unable to help them when such basic data isnt readily available, Haidri said.
In addition to contacting the police after discovering one of its laptops has been stolen, a company needs to figure out just what type of data is on the device and how likely it is that it will be accessed, said Joseph Ansanelli, CEO of Vontu, which markets data recovery software, in San Francisco.
Knowing what information is on a missing device will drive the companys next steps in responding to an incident, he said. "The most important thing when you have a loss is getting a sense of what was on [the laptop] because that is going to determine the overall sensitivity of the data, who you have to inform of the loss and whether or not this is going to be a big deal," said Ansanelli.
Surprisingly, some experts say companies need to be reminded to follow through on any policy changes or security projects they launch in the wake of a laptop theft.
Even after going through the pain of multiple incidents, some companies dont pick up the ball and run with their efforts until something truly damaging affects their business, said Bryan Glancey, chief technology officer of device encryption specialist Mobile Armor, in St. Louis.
"We talk to people in this situation all the time, and unfortunately most refuse to make significant changes to policy until something happens that results in a noticeable financial loss," Glancey said.