[ISN] Laptop lockdown
isn at c4i.org
Tue May 31 03:07:13 EDT 2005
MAY 31, 2005
EMPLOYEES may be able to use a notebook computer almost anywhere, but
equally, a laptop can be stolen from almost anywhere.
An unexpected destination for a corporate traveller is often the local
police station to report a stolen laptop. The handy little
lightweights are swiped from cars, homes, airports and hotels as well
As the rate of notebook use increases in business, so does the number
The notebook itself may be expensive to replace, but the data on the
system is sometimes priceless.
Depending on the nature of the data and how well it is protected, the
theft could lead to the leaking of state or company secrets and the
downfall of a company or even a government.
It is impossible to fully protect every laptop-toting individual from
thieves, but there are products designed to make theft harder, and to
protect data even if the hardware is stolen.
The fear of data theft, accidental or intended, has led some laptop
purchasers to begin demanding better built-in security from vendors.
Figures on notebook thefts in Australia each year can only be
estimated, as not all thefts are reported and there is no national
The Australian Computer Emergency Response Team's 2004 Australian
Computer Crime and Security Survey reports that 58 per cent of
respondents experienced laptop theft in the past 12 months, up from 53
per cent in 2003.
According to 63 per cent, the laptop theft had resulted in financial
loss, ranging from as little as $1000 to as much as $200,000.
The average loss was $17,670 well down on the $27,500 quoted in last
year's survey and perhaps reflecting lower costs of laptops.
The total annual loss of $1.5 million accounted for 9 per cent of
total losses from computer crime, behind virus infections,
computer-facilitated financial fraud, and degradation of network
performance because of network scanning.
Almost three quarters of those surveyed said they had increased
spending on computer security in the past 12 months.
"The readiness of organisations to protect their IT systems has
improved in three key areas: the use of information security policies,
the use of information security standards or guides, and the number of
organisations with experienced, trained, qualified or certified
staff," the report says.
However, despite these improvements, fewer respondent organisations
reported they were managing all computer security issues reasonably
well (only 5 per cent in 2004 compared with 11 per cent in 2002 and
2003). According to IDC market analyst Michael Sager, company CIOs pay
more attention to desktop security than laptop security.
Despite 28 per cent growth in sales, laptops made up 31.4 per cent of
the combined desktop/laptop market in the first quarter of 2005, he
In laptops, "CIOs don't know what they want, so they are not
necessarily getting what they need from vendors", he says.
Some notebook vendors have begun to supply security products, but
there's a lot of market particularly among small and medium
"We're on the cusp of companies finding out that notebook security is
an issue," Sager says. "There are so many vendors, the market is
saturated and something has to give.
"Vendors don't want to lose sales, so it may push back their ability
to meet customer needs or it could really drive change."
Toshiba Information Systems general manager Mark Whittard says system
and data security now tops the list of his customers' requirements.
Enterprise clients are more concerned about data theft, but small
business and education buyers are more worried about the loss of the
notebook itself, he says.
Lenovo offerings manager David Nichol says security is the top
consideration for corporate clients, and data security is the
"Organisations are realising that, as more of their staff use
notebooks, their data is more likely to be in the public domain,"
"They want notebook-level security, where before they wanted
Hewlett-Packard enterprise notebooks market development manager Laurie
White says the race is on for vendors to supply the best in business
As vendors introduce security measures, notebooks will become like
cars, White says. Thieves will target the brands known to be easy to
"There will be brands of notebooks that thieves won't touch because
they know they won't be able to get them to work."
Theft and data protection are becoming more and more important, he
says. "The loss of the notebook is minuscule compared with the value
of the data that may be held on it. The data is worth 10 times more."
The costs of introducing security are minimal 5 per cent of the
notebook's total cost, White says.
Dell senior product marketing manager Jeff Morris says even old, slow
notebooks are a target for thieves.
"It's not down to how it looks, but how easy it is to take," he says.
Nichol says physical security has a lot to do with the user and how
they control the notebook in their care, and users are becoming more
They also, however, have more devices to help them keep their
notebooks safe, including cable locks, alarms, and anti-theft tags
that, if removed, disable the system or mark it as stolen.
Some insurance options include no-excess cover for theft or damage,
and premiums can be lowered if anti-theft measures are in place.
If data is protected, there should be little concern that information
on a stolen notebook will fall into the wrong hands.
Tor Nordhagen, Accenture Asia-Pacific security group director, says
all portable devices were a security risk as they involved information
in transit, including memory sticks, pieces of paper and notebook
All businesses require an information policy that states clearly
information pertaining to an enterprise should be treated as
classified. "You need to protect all of that information," he says.
The contents of the machine should be protected by encryption, and
there are a number of ways to authenticate a user before a system can
be accessed at all, including basic password protection, smartcard
readers and fingerprint readers.
Encryption can also be used to secure the network the laptop uses to
communicate with its home base.
Whittard says the wireless network technology has improved and if all
the security levels are set it can be more secure than a wired
Nordhagen says companies with high security requirements can use a
form of mandatory access control, so only de-classified information is
allowed in insecure zones.
"You can also impose a very simple form of information management on
the notebook," he says. "You can check in and out information to the
laptop, information that is generally stored on a secure office
network but can be released for use on a notebook."
He also warns that some security measures can backfire, so it is
important to ensure administrators can deal with any technical issue
that arises, such as a forgotten password or a lost smartcard used to
boot up a notebook.
Security measures will only improve, vendors predict.
Vendors are working on more security products.
For example, Later this year Toshiba will release a privacy screen.
When switched on the screen can only be viewed from directly in front,
avoiding spying while in airport lounges, on planes or other public
Handy tips on securing your laptop
* Use a cable lock or alarm device to secure the notebook to the
office desk or to permanent structures such as airport seats.
* Don't leave an unsecured notebook in the car - lock it in the boot
out of sight.
* Don't use an obvious laptop bag that may make you a target.
* Keep your laptop with you when travelling - take it on planes as
* Consider products that secretly mark your computer as your own, or
as stolen if a business tag is removed.
* Develop and enforce an information security policy.
* Require passwords for boot-up access.
* Encrypt data on the notebook and data that is transferred to and
from the notebook when on the road.
* Consider insurance that can cover theft or accidental loss
premiums can be lower if security measures have been adopted.
* Back up all data.
Examples of products and services available
* Software at BIOS level that tracks a reported stolen computer when
it is reconnected to a network, or vendor services that provide identity
tags that can be tracked when a new user tries to access support or
products for a stolen notebook.
* Software that ensures a notebook will not work outside a set radius.
* Software that locks off sections of the system, or particular
devices, such as the DVD writer.
* Technology that provides shock protection, spill resistance.
* Built-in or external smartcard and fingerprint reader - no card no
More information about the ISN