The use of laptop computers is great! It gives us the portability and freedom to work and surf the Internet: a true benefit for consumers and corporate users. Unfortunately, laptops expose individuals and organizations to an inherent risk of data theft, which may lead to fraud and identity theft. Although it is also true that smartphones are widely used and deployed, laptop theft is considered the second most common security concern after malware.
According to 224 IT professionals surveyed earlier this year by Check Point, a security company, less than 30 percent use data encryption and only 47 percent of users have access to a VPN that connects to the main office. These numbers are dangerously low, making it easy for data to end up in the wrong hands. IT professionals should make it one of their top goals to prevent data leaks within their company and to brief everyone within their organization on the use of corporate machines outside of the organization’s office.
Although this post’s main objective is to pin the blame on businesses’ IT departments for not having encryption and contingency policies in place, consumers should also be aware of these issues.
Data leakage can be defined in multiple ways; for example, an employee transferring files using a USB device or emailing files home to a personal account. For the purposes of this blog post, I am referring to data leakage as the loss of data through a laptop computer.
Few are aware of how easy it is to extract data from a laptop whose hard drives have been left unencrypted. I’m not talking about photos and videos from your latest trip to Mexico (although some may want to hide those for other reasons).
An unencrypted hard drive lets anyone with access to the computer do some of the following:
- Extract cookies, Internet history and browser preferences such as auto-login passwords, which could lead to access to websites like Facebook and Gmail,
- View locally stored email cache,
- View Word and Excel documents,
- Connect to your Virtual Private Network (or VPN),
- View miscellaneous computer configurations, and
- Read personal information.
It doesn’t take a sophisticated user to do some of these things. However, if your machine were to end up in the hands of a black hat hacker, the amount of data they could harvest from your machine could be extensive.
Most thieves aren’t black hat hackers.
A thief can steal a laptop during a home robbery or when your bag or laptop is left unattended, even for a second. Since laptops are portable, they’re an easy target for thieves to run off with. You are unlikely to see your machine and its data again unless you have some preventive mechanisms installed. Absolute Software’s LoJack software offers a subscription-based service capable of aiding law enforcement in finding your lost or stolen laptop.
Although it is usually up to the end user to keep his or her device secure, whose responsibility would it be if your laptop had access to civilian tax records that were stored on the network drive of the machine? Surely, you weren’t aware that you had so much confidential information on your machine. What now?
IT’s Responsibility & Data Encryption
It is up to your IT department to help protect you, your company and your customers from having crucial information exposed by a lost or stolen laptop. Tools that hide sensitive data through disk encryption have been available for many years. Disk encryption makes it nearly impossible for a simple computer user or even a black-hat hacker to read the content of the drive. All the data on the drives is encoded with a specific key which is only accessible by authorized users and specific laptops. The key is unique for each laptop and is usually stored on a Trusted Platform Module (TPM) chip, which releases it only once an authorized fingerprint is swiped or a special hard-drive boot password is entered before the computer boots up. This also prevents tools run from portable boot disks, such as password crackers or Linux live discs, from reading the contents of the drive. Hard-drive encryption defeats these easy-to-use tools, which anyone can download online.
Historically, setting up hard drive encryption has been a pain. Today, with Windows 7 Ultimate and Enterprise editions, BitLocker is an embedded extension to the operating system. It offers IT professionals a fast and easy way to monitor, manage and deploy drive encryption to their machines, at a low cost too. There is little excuse for not implementing encryption.
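As an added illustration of the monitoring side (not code from the original post), here is a short audit of a laptop's BitLocker state based on the text printed by the Windows `manage-bde -status` command. The sample report is constructed and abridged, and the names `parse_status` and `audit` are hypothetical.

```python
import re

# Constructed, abridged sample in the layout of `manage-bde -status` output.
SAMPLE = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:
        Numerical Password

Volume E: [Scratch]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_status(report):
    """Return {drive: {field: value, "protectors": [...]}} per volume."""
    volumes, current, in_list = {}, None, False
    for text in map(str.strip, report.splitlines()):
        header = re.match(r"Volume (\w:)", text)
        if header:
            current = volumes.setdefault(header.group(1), {"protectors": []})
            in_list = False
        elif current is not None and ":" in text:
            key, _, value = text.partition(":")
            in_list = key == "Key Protectors"
            current[key] = value.strip()
        elif current is not None and in_list and text:
            current["protectors"].append(text)
    return volumes

def audit(report):
    """Return (drive, problem) pairs; an empty list means every volume passes."""
    issues = []
    for drive, vol in sorted(parse_status(report).items()):
        if vol.get("Conversion Status") != "Fully Encrypted":
            issues.append((drive, "not fully encrypted"))
        elif vol.get("Protection Status") != "Protection On":
            issues.append((drive, "encrypted but protection is off"))
        elif not vol["protectors"]:
            issues.append((drive, "no key protector"))
    return issues
```

Volume D: is flagged even though it is fully encrypted, because with protection switched off (suspended) BitLocker leaves a clear key on the disk and the data can be read without the TPM or boot password.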
I did some digging for some stats on corporate laptop theft and legal ramifications. According to a report done by the Ponemon Institute [PDF] for Dell Computers in 2008, approximately 12,000 business laptops are lost per week. If 30 percent of IT departments have hard-disk encryption implemented, only 3,600 laptops will be protected. This leaves a staggering 8,400 laptops and their companies vulnerable to data leakage and threats.
During my work-stint with NBC Olympics, I learned some shocking information from one of my full-time NBC colleagues in regards to corporate laptop data. My colleague mentioned that California state law requires companies to notify all parties involved and publicly announce exactly what happened when a laptop is stolen or lost. Organizations may also be required to protect stolen or lost identities and compensate victims. The California government can also take your company to court for failing to provide adequate protection of its citizens. It doesn’t matter where your company is based or if your company conducts business in the state, the California government can and will prosecute you as long as you are within the USA.
A website called Privacy Rights Clearinghouse (privacyrights.org) keeps an online database of data breaches and other issues regarding identity theft of US citizens. Ironically, the company is located in San Diego, California. It’s amazing how many instances are reported each week.
Given proper IT policies and guidelines, corporate data leakage can be minimized. If only 30 percent of organizations have methods of preventing data leaks from laptop theft, should we be worried about what sort of data companies are storing about us and whose hands this data can be in?
- A more recent survey done by Check Point surveyed UK IT managers and released a few different numbers. Network World – Most company laptops still not encrypted.
- eHow.com has some basic layman information for California Identity Theft Law
- darkreading.com – Windows 7 BitLocker central management tools.