Preparation Eases Pain of Stolen Laptops

Businesses step up response policies

Before the end of the current session, the U.S. House of Representatives is expected to vote on the passage of the Financial Data Protection Act of 2005, which aims for more stringent reporting requirements for businesses that lose or mishandle sensitive customer data. The bill, if passed, is likely to force companies to be more open about technology-related missteps.

As a result of such legislative efforts, and the publicity from high-profile security breaches among the nations largest businesses and government agencies, business executives are increasingly aware of the threat posed by stolen or misplaced laptops, and the scrutiny they will face from customers, partners and regulators when data stored on missing devices has not been appropriately protected.

The recent theft of a laptop owned by the Department of Veterans Affairs—announced May 22 on the VAs home page—that held the personal information of an estimated 26.5 million people is widely considered the nightmare scenario for those responsible for managing their companies IT security operations.

"Nobody wants to be on the 6:00 news, and the reality is that we do lose equipment every year," said Bill Jenkins, director of IT for Unicco, a provider of facility management services in Newton, Mass.

To help protect the company if laptops go missing, Unicco has employed a multilayered defense approach that requires data encryption tools on every device and stresses education about improving users gear and information-handling habits.

Experts agree that creating such a plan and employing multiple endpoint security tools is the best way to help prepare for eventual incidents.

At Computer Sciences Corp., the issue of stolen or misplaced equipment is substantial because of the companys need to protect the interests of its high-profile customers and the logistics of managing its 79,000-strong employee work force.

Michael Rider, chief information security officer for the El Segundo, Calif., company, said CSC is rapidly increasing its focus on protecting data stored on mobile devices. Beyond applying encryption applications to all laptops and other mobile devices, Rider said aggressive security policies are the most effective way to improve a companys standing.

As part of that plan, companies should employ data forensics technology and other forms of investigation that will help them determine what information was stored on a particular device and whether the information has been compromised, he said.

While its unlikely that a given laptop will be recovered, knowing what data may have been exposed on each specific machine before it goes missing will give companies a starting point for launching security efforts.

Internally, CSC has created a security incident control center that serves as a clearinghouse for any IT mishaps.

In maintaining a round-the-clock point of contact for workers when something goes wrong, the company can respond to incidents and mitigate risks much faster, Rider said.

Another step to respond to stolen laptops is to organize a team of specialists who can help determine the seriousness of the event and what requirements companies may face to report incidents publicly.

Executives at Pointsec Mobile Technologies, which markets endpoint device encryption applications, said enterprises must start with an internal policy that dictates how sensitive every piece of information is and how that specific data and the device it resides on must be protected.

"A big part of this is making sure that the user base and the entire IT department know what they need to do to protect the information," said Bob Egner, vice president of product management for the Lisle, Ill., company. "If you dont engage in this type of planning before you implement security technologies, you may find that your needs arent met by a lot of the products that are out there."

Pointsec recommends that its customers review all of the various device images they maintain and the configurations of every type of machine to determine what encryption tools fit each computer model best.

Locking Down Your Laptop

Some may seem obvious, but following these rules will keep your laptop and the data it carries out of other peoples hands.

1. Use visual deterrents such as cable locks

2. Avoid leaving unsecured laptops un-attended, even in the home or office

3. Keep laptops inconspicuous by using simple carrying cases

4. Use complex alphanumeric passwords and change them regularly

5. Use anti-virus, encryption, anti-spyware and firewall software

6. Back up valuable data on a scheduled basis

7. Understand the dangers of pirated software and file sharing

8. Stay informed of emerging theft schemes

9. Use asset tracking and recovery software

10. Employ advanced data protection tools