Preparation Eases the Pain of Stolen Laptops

News Analysis: Many businesses will be forced to respond to the theft of a laptop at some point, and getting the right plan in place to deal with such incidents makes a world of difference, IT security experts say.

With the implications of losing a laptop computer to theft growing every day, companies must be prepared to respond to the theft of these machines and put strategies in place to protect both their sensitive information and their corporate images.

Before the end of the current session, the U.S. House of Representatives is expected to vote on the passage of the Financial Data Protection Act of 2005, which aims for more stringent reporting requirements for businesses that lose or mishandle sensitive customer data.

Much as similar laws passed by individual states have pushed the problem into the spotlight, the bill, if passed, is likely to force companies to be even more open about their technology-related missteps.

As a result of such legislative efforts, and the landslide of publicity from high-profile security breaches among the nation's largest businesses and government agencies, business executives are increasingly aware of the threat posed by stolen or misplaced laptops, and the scrutiny they will face from customers, partners and regulators when data stored on missing devices has not been appropriately protected.

The recent theft of a laptop owned by the U.S. Department of Veterans Affairs that held the personal information of an estimated 26.5 million people is widely considered the nightmare scenario for those responsible for managing their companies' IT security operations.

"Nobody wants to be on the 6 o'clock news, and the reality is that we do lose equipment every year," said Bill Jenkins, director of IT for Unicco, a provider of facility management services in Newton, Mass.

"And no matter how hard you try to educate your users, some people will always do stupid things and walk around with data they shouldn't, even when you've told them not to do so."

To help protect his company if laptops go missing, Jenkins said Unicco has employed a multilayered defense approach that requires data encryption tools on every device and stresses education about improving users' equipment and information-handling habits.

Experts agree that creating such a plan and employing multiple endpoint security tools is the best way to help prepare for eventual incidents.

According to a report issued by the FBI, roughly one in 10 laptops will eventually be lost or stolen.

At IT services giant Computer Sciences, the issue of stolen or misplaced equipment is substantial because of the firm's need to protect the interests of its high-profile customers, and the logistics of managing its 79,000-strong employee work force.

Michael Rider, chief information security officer for CSC, in El Segundo, Calif., said the company is rapidly increasing its focus on protecting data stored on mobile devices both internally and for its customers.

Beyond applying encryption applications to all laptops and other mobile devices, he said that building and enforcing aggressive security policies is the most effective way to improve a company's standing.

"Encryption is a great protection method, but it's only a technology and businesses need to put people and process to work to address the problem or those tools won't suffice," Rider said.

"If you haven't got the right process in place to recover data in case of an incident, you could still lose information, because encryption is only as good as the end users' ability to use it and understand why they need to do so."
