I’m always looking for data that people can use to gain support for information security and compliance initiatives, and I’ve recently come across a gem. If you feel you need a little boost in your budget or support for your projects, then check out Ponemon Institute LLC’s study, “The Billion Dollar Lost Laptop Problem.” This Intel Corp.-backed study of 329 public- and private-sector organizations found that 86,455 laptops were lost or stolen in a one-year period. Taking into account that the value of one lost or stolen laptop is $49,246, the cost was $6.4 million, on average, per organization. That makes a total of $2.1 billion across all organizations surveyed. Ouch.
Spreading fear, uncertainty and doubt is a shortsighted approach to getting security and compliance support. However, hard numbers such as these in the Ponemon study can really help.
Based on what I see in my work, I’m not surprised at all by these Ponemon study numbers. There are a lot of heads in the sand over the laptop security issue. Managers are often out of the loop and overtrusting. They often assume that their employees are always doing the right things. Maybe so, but likely not. The reality is that most laptop users just want to get their work done and not have all these rules and hoops to jump through to keep things safe. People are going to default to the path of least resistance, which will undoubtedly equate to security and compliance risks for your organization.
Perhaps the biggest issue I see related to the lost and stolen laptop problem is how so many people say they don’t have anything sensitive on their laptops. After all, IT has a policy for storing everything on the network. That all sounds good. However, once you analyze any given laptop, nearly 100% of the time you’ll find documents, spreadsheets, cached passwords, virtual private network credentials and so on stored and ready for the taking.
Once you analyze any given laptop, nearly 100% of the time you’ll find documents, spreadsheets, cached passwords, virtual private network credentials and so on stored and ready for the taking.
There are big compliance ramifications here. Why? Because it’s very simple to crack or reset passwords to gain access to a laptop. Even power-on passwords aren’t foolproof since you can usually remove the drive from the laptop and just access the data from another computer. Not only are sensitive files containing personally identifiable information, etc., at risk, but your entire network also faces data security risks exposure when someone is able to gain access to both local and remote login credentials.
Complicating matters are the people who are often exempt from all those “pesky” laptop security controls. Executives, sales reps and even people in IT come to mind. Furthermore, there are others who use their own personal laptops that no one in the organization even knows about. It’s hard to secure what you don’t -- or can’t -- acknowledge. All in all, I suspect the problem with lost and stolen laptops is much more pervasive -- and expensive -- than what the Ponemon study uncovered.
Given the alternative, there are reasonably priced hardware-level laptop controls that can be combined with drive encryption and tracking software to fix this problem, or at least minimize the risks. I still shake my head when I see organizations that ignore such high-payoff laptop security controls. Do yourself and your business a huge favor and learn where your sensitive information is, understand how it’s at risk, and then put the proper controls in place to set everyone up for success. This proven formula will not only provide compliance payoffs, but you’ll also know that you’re minimizing the impact of what’s arguably the greatest threat in IT today.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.