Response Speed Is Key with Stolen Laptops

News Analysis: After a laptop goes missing, companies must rush to determine the severity of the incident based on the data involved, and decide who to call first for outside help.

Its the call that no IT manager wants to receive, but one thats clearly ringing bells across the world of enterprise security: An employees laptop computer has been stolen, and it may contain sensitive data.

As a spate of recent incidents make clear, laptop computer thefts and the related data exposure are a serious issue, with organizations ranging from the U.S. Navy to financial services giant Fidelity Investments reporting incidents in the last six months alone.

Experts say the manner in which companies respond to such incidents, and the strategies they employ to improve their device security, will determine the impact that stolen laptops will have in putting affected companies information at risk.

In Boston-based Fidelitys case, a laptop containing the information of 200,000 employees at customer Hewlett-Packard was taken from an employees car outside a California restaurant in March.

Company representatives said the firm has already escalated its work to improve equipment and data-handling policies in the aftermath of the public relations disaster.

"Its an ongoing process for everyone; weve accelerated the process of encrypting data on laptops and expanded information security training for all our employees," said Anne Crowley, a Fidelity spokesperson.

"We already had strict measures in place and its not our practice to have that level of data on a laptop, but it had been allowed for the purpose of a particular business meeting."

Some would say that Fidelitys efforts might seem like "too little, too late," at least in the case of the affected HP workers, but experts warn that many companies may not be as well protected from the threat of stolen devices as they may initially think.

Just as in Fidelitys case, where security policies were circumvented for the purpose of facilitating a specific meeting, companies are often their own worst enemies in terms of allowing workers to ignore existing security guidelines in the name of getting business done.

Based on that reality, said Peter Firstbrook, an analyst with Gartner, in Stamford, Conn., enterprises must be ready to deal with the work that needs to be done to respond to and minimize dangerous information leakage from laptop thefts.

"If a company makes a mistake, they need to admit it right away and let people know, so they can try to solve any related problems; trying to wait it out has proven to only make matters worse," said Firstbrook.

/zimages/4/28571.gifClick here to find out how not to get fired for losing your laptop.

"In this type of scenario businesses need to ask themselves if they treat their customer records the same way they treat money, and if they respond the same way to losing 100,000 files as they would to losing $100,000."

One of the best things a company can do to respond to a laptop theft is to get in touch with the appropriate law enforcement officials as quickly as possible, the analyst said.

In addition to the added support in finding the missing device, bringing law enforcement into the picture transfers some of the burden of recovering the machine from the affected company over to police, Firstbrook said.

Other experts agree that calling the cops is one of the first things IT managers should do after a laptop theft, regardless of fears that word of a potential data loss could become public as a result of filing such claims.

Next Page: Law enforcement is getting more responsive.