Securing the Laptop: Mission Impossible? - Page 2

: Mission Impossible?">

Nearly every week, the report of a stolen laptop hits the news and, with it, a horror story of data loss, identity theft and corporate liability. With a downside that steep, its no wonder that the laptop is the target of corporate IT security campaigns nationwide. Few corporate executives will sleep soundly until their IT managers have done all they can to lock down laptops and limit the sensitive data on them.

But thats easier said than done.

In the age of personal computing, the laptop has emerged as the preferred productivity device for professionals across many industries, thanks to its convenience, usability and ever-increasing power. Because of that popularity, the path to securing laptops is strewn with difficult choices and compromises. Only one thing is certain: The freewheeling laptops-everywhere age is over.

The vulnerabilities that go hand in hand with laptop usage are no secret.

First, the laptop can be stolen. No one likes to lose a spiffy laptop, but most companies can afford to spend a couple of thousand dollars to replace one. However, the data on the laptop could cost a company billions of dollars once all liabilities are added up.


Click here to read more about laptops stolen from the Romney campaign.

Second, CD burners and USB drives sit ready and waiting to drain off critical data and pour it into the hands of thieves.

Third, laptop users are likely to fire up their systems outside corporate firewalls and inside unsecured Wi-Fi networks. Theyre also likely to swap USB drives with friends and business contacts, as well as participate in consumer file-sharing networks. Those usage patterns exponentially increase the likelihood of data loss and the chances of picking up spyware, Trojans and bots. And that malware may expose sensitive corporate information to thieves via keyloggers and system monitors such as those used in the massive 2006 data theft from clothing retailer TJX.


Faced with such a daunting array of threats, most IT professionals are way beyond the naive stage when it comes to securing laptops and the data on them. Just how far IT pros have gone, or will go, depends on the datas importance, the companys computing needs and just what is politically acceptable in the corporate work force.

Thus, organizations in different industries respond in different ways. A local bank, for example, may limit laptops to a handful of top executives; a global industrial company may be unable to limit the number of laptops but may be able to limit the data that can be stored on them and follow up with an aggressive education campaign.

A logical response for many IT pros is to start with a risk assessment to find out who has what computing devices and who has access to what data. With that information in hand, a defensive strategy can be formed and implemented.

Yet IT managers often find it makes more sense to shoot first and ask questions later—to encrypt all laptop hard drives without taking the time and trouble to analyze precisely who has access to what. Similarly, IT pros are finding its more efficient to encrypt a hard drive entirely than to pick out, say, only sensitive files for encryption.

The age of encryption

Its safe to say that the age of laptop hard drive encryption has arrived, for two main reasons: technology advances and legal requirements.

Just a few years ago, encrypting a hard drive unacceptably degraded system performance. Faster processors have changed that. "Three or four years ago, it wasnt nearly as realistic an option as it is today, because of the performance hit," said Jon Allen, information security officer at Baylor University, in Waco, Texas. "Now, its a 3 percent to 5 percent impact on the CPU, which is not noticeable for most users."


Click here to see an eVideo on notebook drive encryption.

In addition, legislation in many states requires that an organization disclose the thefts of laptops containing personal information if the data on them is unencrypted. Such disclosures require the time and trouble of mailings and press releases to affected parties. And such mea culpas can give organizations a public black eye that damages credibility and prestige.

Baylor finds itself in the middle of a mushrooming laptop population among its 2,500 faculty and administrative staff members, combined with a greater impetus than ever to protect laptop data. The result has been a campaign to encrypt the hard drives of all laptops belonging to faculty and administrators.

"Higher education has seen a great move to mobility," Allen said. "We have gone from a few laptops to a good majority. That really changes the way you look at data security."

Page 2: Securing the Laptop: Mission Impossible?