E-CommerceALERT.com is part of the Bennett Gold LLP web site network.
LINK TO: Bennett Gold LLP, Chartered Professional Accountants, home page.		 LINK TO: E-CommerceALERT.com Home Page.
CLICK to GO BACK to Main Page.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


LOST, STOLEN LAPTOPS BRING SECURITY RISKS

Source: AZCentral

Posted on May 15, 2006

      With businesses relying more on laptops and mobile technology, more and more sensitive information is leaving the office, often unprotected.

      And when a laptop is lost or stolen, it's not only an inconvenience but potentially a security breach.

      Higher-profile instances of laptop theft make headlines, such as when a Fidelity Investments laptop holding Social Security numbers and other information on more than 196,000 current and former employees of Hewlett-Packard was taken from a parking lot outside a Palo Alto, Calif., restaurant in March. But there are plenty more that we never hear about.

      Last year, 1,970 laptops or laptop-related items were reported as stolen to the Phoenix Police Department, up from 1,667 in 2004. As of April 30, 663 reports of laptop or laptop-related item theft have been filed this year.

      Thefts, or even simple losses, of laptops can cause headaches for employers and concerns about confidential data getting in the wrong hands. Although some businesses remain lax, more and more are using encryption tools, and encouraging good old common sense, to cut back on security risks.

      Dr. Theodore P. Firestone, a Phoenix orthopedist, had a scare in January 2005 when someone stole two laptops holding confidential patient information from his office.

      "In the medical profession, in particular," he said, "identity theft is a major concern."

      While the laptops were never recovered, nothing ultimately came of it - except for Firestone increasing his security.

      "I hired somebody to manage that for me so I don't have to deal with that," he said. "So yes, another added expense to me to protect my computers."

      Tom Liffiton, a special agent for the FBI who heads a cyber-crime squad in Phoenix, said that while most laptop thefts go unreported to the FBI, "I can tell you I recently talked to a very large bank that said they lose a laptop (to theft) every day."

      The good news for the bank and those who do their banking there is that, unlike Fidelity, the bank encrypts the information on its laptops.

      Not all information is so lucky.

      Robert Zises runs a Web site called Stolen Computer Registry where victims can enter the serial number of their missing laptop.

      "Laptop thefts," he said, "go up each year somewhat in proportion to their increase in the market."

      The International Data Corp. reported in 2005 that PC makers predicted laptops will account for more than 40 percent of the PC market in 2006-2007, and expected that figure to pass percent in 2008.

      According to FBI reports, more than 97 percent of those laptops are never recovered.

      In last year's Computer Security Institute/FBI Computer Crime and Security Survey, nearly 50 percent of the 700 businesses, government agencies and universities responding reported a laptop or mobile device theft in the past year, representing a financial loss of $4.1 million.

      But as CSI Director of Education John O'Leary noted, actual numbers may be higher.

      "Any stats are incomplete," he said. "The companies we deal with are members of CSI, so our survey tends to be skewed a bit toward people who are already interested in this,"

      While there is a tendency to not report a missing laptop, O'Leary said, Fidelity had no choice. Especially since the passage of the Sarbanes-Oxley Act in 2002, O'Leary said, "The legislation has been getting to the point where now you must report a loss of personally identifiable information."

      This is why so many businesses have, in O'Leary's words, "gotten religion" on security.

Risky business

      "Are business getting the message?" asked Keith Dolgaard of Computer Consulting Partners, an IT security firm. "There's no question about that. Laptops tend to be stolen a lot. Or they're left inadvertently somewhere. So most of the major companies are concerned about the litigation risk, and their chief security officers and chief information officers are becoming more proactive in how can we secure the data that rests on the laptop computer. That's the bottom line."

      That bottom line is harder, though, for smaller companies, who Liffiton says may be less inclined to pony up for the added security.

      "It costs money," he said. "And it's complicated. Also, they've never had anything happen before. So if it's never happened before, it's never going to happen."

      Aaron Wagner of Net Concepts, a local computer-consulting firm, is surprised at the number of businesses that still don't bother with security.

      "The hard part," Wagner said, "is users have a tendency not to take it seriously."

      And that includes not just small businesses but larger corporations whose employees leave the office carrying sensitive data every day.

      His mother's laptop, for example, doesn't have as much protection as he thinks it should. And she works for a military contractor.

      "If they have mobile users," Wagner said, "and they're not locking the machines down in today's climate, that's just stupid. They rely on these things every single day to work and run and be secure, but they don't treat it that way."

      In addition to the threat of data being lost, a stolen laptop leaves a business open to the threat of litigation and public embarrassment.

      Dolgaard said, "You've read about all these credit card companies that have lost something and everybody has to receive a notification that your data is out there in Romania or something. So it becomes a public embarrassment. And their shareholders wonder, 'Is my data private?' "

Intel training

      Among the companies that take a serious approach to the matter of laptop security is Intel, where roughly 85 percent of employees use company laptops. All employees are required to participate in a security awareness class, which Intel updates every year.

      As Arizona IT manager Fred Alderson explained, "You've got to make the training interesting. You've got to make it germane. You've got to have policies in place that are easily understandable as well as easily executable. And we do. Our security department works very hard on that."

      It doesn't hurt, of course, to be in the technology business. As Intel develops products, a lot of thought goes into what type of security measures can be baked into those products, working closely with people like Alderson - "because obviously," he explained, "we're a customer of Intel, so we can tell them, 'Hey here's what a world-class IT department is going to want in terms of security on the laptop.' "

      The city of Phoenix is in the midst of updating its IT standards and administrative regulations. As it stands, though, the city approaches the matter of mobile security on strictly an "as needed" basis. As the city's acting CIO Kris Sigfridson explained, "We don't have a broad-reaching policy that says before you put data on a mobile device, encrypt it."

      As Sigfridson pointed out, "For a city, it's probably less of an issue, because most of our information is public record. And unlike a business, we don't have proprietary patent information or financial information."

Cost of data

      In any laptop theft, if all you're losing is the hardware, as O'Leary said, you're looking at a thousand-dollar problem.

      It's the missing data that can really wreck your day.

      "You always hear about internet viruses," said Thi Nguyen-Huu, whose company, WinMagic, has developed a bargain-priced full-disk encryption solution, MySecureDoc, based on the same technology the NSA now uses. "But then the data at the end resides on the hard disk. There's a chance that people intercept the data over the Internet and they find something, but you have much more data on the laptop or the desktop than what's going through the wires. And if someone can steal your hard drive and go into your corporate network with that laptop, then it's not only the data on the laptop hard drive, it's also compromised on the server."

      The key to protecting a company's data then, said O'Leary, is "to get it into the heads of people who are using these things that it is sensitive information and that it's their responsibility to maintain it. More than anything else, it's training."



CLICK to GO BACK to Main Page.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999


LINK TO: Bennett Gold, Chartered Professional Accountants: A Licensed Provider of WebTrust Services.

WebTrust Is Your
Best Defense
Against
Privacy Breaches.

Get WebTrust
Working For
Your Site.