Laptop loss: How to avoid becoming the next Starbucks

By Deni Connor , Network World , 11/10/2006

Share/Email
Tweet This
Comment
Print

When Starbucks earlier this month revealed it couldn’t find four laptops containing data on thousands of employees, IT administrators everywhere once again were forced to ask themselves: What’s our policy on protecting data on mobile devices?

The seemingly never-ending string of high-profile data loss cases — from Los Alamos National Laboratory to Allina Health to U.S. Veterans Affairs — is pushing more organizations to encrypt data on such devices as laptops and USB flash drives, and establish associated security policies.

Getting to Know You: Managing Identity and Network Security : View now

Secure traveling
A list of some of the products that protect laptop drives and USB flash drives.

Company and product	What it does	Price
Cisco Security Agent	Software that lets an administrator lock down USB, CD-ROM, local drives.	Starts at $2,200 for one server and 10 desktop licenses.
Kingston-Safend Solution	USB drive protection.	Starts at $825 for five drives and 25 user licenses.
Microsoft Windows BitLocker	Drive encryption.	Included in Vista.
Pointsec for PC	Drive encryption.	$150 for 1 to 99 users.
Red Cannon Keypoint Alchemy	Turns a USB drive into a thin client.	Starts at $5,000 for appliance and 100 user licenses.
SanDisk TrustedSignIns	USB drive encryption and authentication.	Not yet available.

Click to see: Secure traveling

“We do have policies specific to laptops that fall under our Mobile Device Policy,” says Tom Gonzales, senior network administrator for the Colorado State Employees Credit Union in Denver. The organization has codified a policy for securing laptops, disk drives, USB flash drives and CD-ROMs.

Related Content

Gonzales describes the policy this way: “USB ports are disabled using the Cisco Security Agent, so only certain people such as IT can write to flash drives. We usually don’t encrypt the entire drive on users’ laptops, but do provide secure storage areas so that end users can just save the files to that location and they will always be encrypted. Our desktop PCs don’t have floppy drives or CD-ROM writers.”

The reason that companies are going to these extremes is clear: Data loss is costing them lots of money. The Ponemon Institute suggests each incident costs about $4.7 million — $182 per record. Using these numbers, the incident at Starbucks put as much as $10.9 million of data at risk (Starbucks said in a press release it is not sure what became of its laptops but has seen no evidence that data has been misused.)

Given the sensitive nature of security policies, some IT and network professionals are reluctant to discuss their policies regarding data protection on removable storage devices and mobile gear.

“Policy prevents me from answering most of your questions so I should probably decline,” says Ken Walters, senior director for enterprise platforms at the Public Broadcasting Service in Alexandria, Va. “My personal feeling is that we need some easy way to encrypt all data leaving the building and a mechanism that allows only the authorized employee to see it.”

For Lenny Goodman, director of desktop management for Baptist Memorial Hospital in Memphis, Tenn., protecting data on laptops, flash drives and other removable media is an everyday experience that started with the hospital‘s adhering to the Health Insurance Portability and Accountability Act.