Stolen laptop prompts calls for internal review

If your firewalls, intrusion-detection software and encryption technologies make you feel safe, think again.

As the recent incident involving the theft of a U.S. State Department laptop demonstrates, having the best protection against external hackers means little if sensitive data is allowed to simply walk out the door.

"Statistically, 60% of computer crimes happen inside (companies)," noted Winn Schwartau, founder of the security consultancy Interpact Inc. in Seminole, Fla.

"Putting all your efforts on intrusion detection at the perimeter of the network is a failing policy if that is all you are going to do," said Schwartau, who is releasing a book on security issues, called Cybershock, later this month.

The State Department last week said the FBI is leading an investigation into the disappearance two months ago of a laptop that might contain highly classified material. Last month, a laptop containing sensitive data about Northern Ireland was stolen from an agent of Britain's MI5 internal security bureau.

Laptop theft poses a major risk when it comes to compromising corporate data, and it will only get worse with the increase in the use of handheld devices, said Chris Christiansen, an analyst at International Data Corp. in Framingham, Mass.

Safeware, The Insurance Agency Inc. in Columbus, Ohio, estimates that 319,000 laptops were stolen in the U.S. last year.

People are walking around carrying "corporate passwords, internal phone lists, memos and details on proprietary projects" that could cause damage if such information were to fall into the wrong hands, Christiansen warned.

A virtual flood of products for securing laptops and tracking them down when stolen is available from vendors such as Absolute Software Inc., SAFlink Corp., Targus Inc. and Quantum Power Labs Inc.

The Toronto offices of insurance firm Jardine Lloyd Thompson Canada Inc. used one such product to quickly track down a laptop that was stolen from an employee's car last year.

Today, the company has the software installed on all laptops and has instructed its employees not to leave notebooks unattended. "But generally speaking, the larger the corporation, the more difficult it becomes to police these things," said Rick Smith, the firm's vice president of information technology.

Taking Practical Steps

"If you are concerned about sensitive information being carried on mobile devices, you want to be able to impose control on who can access that information," via measures like encryption, said Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston.

Laptops are by no means the only source of risk, though, analysts warned. Security risks include people who inadvertently unleash viruses on corporate networks, disgruntled employees, indiscriminate access to corporate facilities and a lack of controls over who gets access to the Internet. So it's a mistake to rely solely on technology to reduce security risks, Schwartau said.

Instead, Schwartau warns in his book, corporations need to focus on employee education and awareness training, putting security policies in writing, shredding materials such as personnel lists, erasing hard disks prior to disposal and periodically checking company passwords to make sure they're not easy to crack.

For more enterprise computing news, visit Computerworld online. Story copyright © 2000 Computerworld, Inc. All rights reserved.