
Thread: Companies safeguard against growing risk of laptop 'dumpster-diving'




2006-07-05 05:10:22
http://www.palmbeachpost.com/business/content/business/epaper/2006/07/02/a1f_Laptops_0702.html

By Stephen Pounds
Palm Beach Post Staff Writer
July 02, 2006

Laptops have become the latest loose-lipped losers of personal and corporate data.

The electronic documents opened on a stolen laptop computer can jeopardize sensitive corporate and personal information and force firms to issue embarrassing statements to those who might be harmed by the data breach.

Now high-tech managers are looking to reduce their risk of data loss — not to mention damage control — resulting from pilfered notebook PCs tethered to company mainframes and critical servers.

"Companies go into crisis mode," said Pete Nicoletti, vice president of secure information systems at Terremark Worldwide Inc., a network services and real estate company in Miami. "With interconnected networks, the entire world can dumpster-dive in your computers."

Today's laptops are lighter, cheaper and more powerful than ever before. With a wireless Internet card, users can access the Web from anywhere, making them ideal for remote work from home or while traveling.

But that same portability has made them more attractive to thieves.

In the past year, business and government laptops have been yanked from homes, cars, aircraft and hotel rooms or lost to owner fumble-itis in 29 instances, says the San Diego-based Privacy Rights Clearinghouse. Those losses put the personal information of tens of millions of people at risk.

In one of the largest data breaches ever, a laptop carrying the personal information of 26.5 million veterans discharged since 1975 was stolen in May from the home of a Department of Veterans Affairs analyst. The VA announced Thursday the laptop has been recovered, with no evidence of identity theft.

And just last month, the Federal Trade Commission, the government's standard-bearer against data theft, revealed that two laptop computers containing personal and financial data it had gathered in investigations on 110 people had been stolen from an employee's car.

"Laptops are a significant (cause) of data theft," said Beth Givens, director of the Privacy Rights Clearinghouse. "It is symptomatic of people taking their work with them everywhere they go."

If data has been compromised, 24 states require companies to notify those who could be harmed; eight more states have enacted laws that will go into effect in the next six months. All of this is forcing tech managers to bolster laptop security.

First, they are training employees on laptop management, starting with common sense: Employees are to carry their laptops at all times or to lock them up.

After a data breach last November involving a stolen laptop with data on 160,000 employees at the Boeing Co. in Chicago, the company began requiring human-resource and payroll employees who take a laptop home or on travel to physically lock them to a desk while using them. The company also has begun random audits of laptops to check for old and forgotten data files.

"If you have information on your laptop, it should be encrypted and the computer is supposed to be secured," said Boeing spokesman Tim Neale.

Companies also are disabling extra USB ports and writeable CD-ROM drives to keep employees from copying information to thumb drives, compact disks and other portable storage devices. They are restricting some files only to their secure networks and banning employees from taking pictures of documents with camera phones.

And if a laptop is stolen, they are to report it to the company and to authorities immediately, said Bob McConnell, a security consultant who worked with Alpharetta, Ga.-based ChoicePoint Inc. last year when the data broker suffered a major breach of its databases.

"Almost all companies that travel will have to become sensitive to it because of what they've seen in the media," McConnell said of laptop security. "They can't afford the fallout of compromised data."

Damage control could be costly and distracting. Already, the VA has spent $14 million just to notify veterans of the breach. The government also has agreed to provide free credit monitoring to the veterans whose personal information may have been compromised, a move expected to cost millions more. Even so, five veterans groups have filed a class-action lawsuit seeking damages for violation of privacy.

A report last year by the Elk Rapids, Mich.-based Ponemon Institute found it costs a company about $5 million to notify victims of a data breach, or about $138 a victim. It can be much more for firms such as data brokers and banks and financial services.

But the real loss may be in disenchanted customers. Even when companies made the effort to notify consumers of a data breach, 19 percent of survey respondents said they would discontinue their business with the company, or already had, the Ponemon study showed.

"Customers may churn rather than work with a company that has a bad reputation. A data breach is a signal that a company is just not well-controlled," said Larry Ponemon, the firm's chairman.

Some companies say the best way to protect data is to take the risk out of employees' hands. They have added more layers of laptop access control, allowing sensitive data to leave the building with only a chosen few.

If employees are authorized remote access to a company's computer network, they'll need either a password, smart card, rolling digital number from a key fob, biometric identification such as a thumbprint, or more than one of these to get in.

"If you don't have a password, you can't get the laptop up and running," said Jacob Rice, a spokesman for Siemens Communications Inc. in Boca Raton. "You need another password to get into the VPN."

A VPN, or virtual private network, allows companies to transmit data across a public network such as telephone lines or the Internet using encryption and other security mechanisms to protect it.

Interfuse Technologies Chief Executive Phil Viscomi is a believer in encryption. His Boca Raton-based company sells a software program that not only encrypts a document or e-mail but restricts the receiver from copying it, cutting and pasting parts of it to another document, or disseminating it.

With Interfuse's OfficeLock program, data is scrambled and transmitted to someone collaborating with the sender. But the receiver must have decoding software and a password to unscramble it. After reading it, he is simply restricted to closing it.

"If you lose your laptop, the information becomes inaccessible," Viscomi said. "Data is meant to be shared. It's normal... to send information to the wrong person. But they won't be able to use it."

One Interfuse customer, Verasys Inc. of Miami, uses encryption software but also recommends clients consider it as an extra layer of protection to access control by passwords and biometric means, said Verasys partner D.C. Page.

"Once you check your thumbprint or iris, you've opened the door. It doesn't go far enough. It's at the perimeter. You still need to communicate securely," Page said.

Despite these measures, most tech managers don't think their companies are meeting the computer security threat adequately.

In a survey by Deloitte & Touche USA LLP of 150 chief security officers from technology, media and telecommunications companies in 30 countries earlier this year, only 4 percent said they believe they are doing enough to address the problem. Still, 74 percent said they would spend more time dealing with information security in the next year because of stiffer privacy regulations in many states.

Stacy Cannady, director of client security for Raleigh, N.C.-based Lenovo Group, said tech managers opted for free encryption software off the Internet a year ago. But lately, they've switched to multi-level laptop security that includes a combination of file, hard-drive and operating-system encryption after many states demanded public notification of personal data breaches.

"No business wants that. It's a huge expense," Cannady said. "Customers don't trust you. The press is all over you. And you look like an idiot."


