Human beings: a clear and present danger
As long as there are laptops, human factors will remain both a weak spot and a key to defense. After all, most laptop losses can be chalked up to user negligence: An executive left his or her laptop on the podium after a speech; a salesperson inserted a USB drive that contained a keylogger; an accountant's teenage son borrowed the laptop and allowed someone to burn a CD; a help desk worker left a laptop on the exposed seat, rather than in the enclosed trunk, of a car.
So it stands to reason that user education and training is a not-to-be-neglected component of any laptop security program.
A recent study by the Computing Technology Industry Association found that only 42 percent of companies had either completed or planned a mobile computing user security education program. Perhaps that reticence has something to do with the difficulty of implementing an effective program.
"How do you communicate to businesspeople in a manner they can understand and relate to?" said Eric Litt, chief information security officer at General Motors. "That's the skill. It may be more art than science. You have to build credibility."
Litt holds Security Awareness Week sessions at GM, an intensive push to educate the automaker's legions of employees, including tens of thousands of laptop users, on the latest security practices. And retelling the tales of laptop woes is part of the program.
These tales include the one about the millions of U.S. veterans whose personal data was exposed when the laptop of a Veterans Administration employee was stolen. "You talk about the VA and make sure people understand the risk of identity theft when you go to a kiosk that has a keylogger and check a bank account," Litt said.
"It's hard to clamp down," said an IT executive at a global manufacturing company based in the Midwest. "It becomes a political minefield and a nightmare. It's Big Brother, and people don't like that."
The IT executive said that he has managed to persuade his organization to encrypt all laptop hard drives but that USB and CD/DVD encryption is, as yet, too unpopular. Still, users must be educated, he said, noting that with hard drive encryption in place, users' data may be unrecoverable if they fail to perform backups.
Other organizations are cutting back on laptops themselves. Glen Chrzas, vice president of technology at Altura Credit Union, has cut the number of laptops at the financial institution from 50 two years ago to 35 today. Only 20 of those users have their laptops' USB ports enabled, Chrzas said.
Wilson, meanwhile, depends on his company's employees to lock up laptops left in the office overnight, preferably in a file cabinet or desk drawer. On the road, his users are expected to use a Kensington cable to affix their laptops to an immobile object. But will users listen? Will they remember? Will they follow instructions? Many IT pros admit that, inevitably, some will not.
"While everybody recognizes the need for security, how willing are they to walk the walk?" said Paul Tinnirello, a CIO in the financial publishing industry. "How much do they want to be inconvenienced to protect themselves? Most people have no idea how vulnerable they are."
The conclusion is inevitable: Some laptops and the data on them will continue to disappear. With this in mind, many IT pros are looking beyond the era of the laptop to the era of centralized computing based on virtualization technology, when server-based data is parceled out judiciously only to those who need it.
Wilson, for one, said he is looking into what he called "loosely coupled centralized computing," a model in which users access servers to run applications. "The trick is to keep data within the firewall," Wilson said.
Still, he added, "Laptops won't go away. Someone who is on the road will always need a laptop. But the data needs to be stored behind the firewall, with local subsets of just what they need. Make the data easy to get when they do need it, but don't let them download it."