[ISN] Companies safeguard against growing risk of laptop 'dumpster-diving'

InfoSec News isn at c4i.org
Wed Jul 5 01:10:22 EDT 2006


By Stephen Pounds
Palm Beach Post Staff Writer
July 02, 2006

Laptops have become the latest loose-lipped losers of personal and
corporate data.

The electronic documents opened on a stolen laptop computer can
jeopardize sensitive corporate and personal information and force
firms to issue embarrassing statements to those who might be harmed by
the data breach.

Now high-tech managers are looking to reduce their risk of data loss —
not to mention damage control — resulting from pilfered notebook PCs
tethered to company mainframes and critical servers.

"Companies go into crisis mode," said Pete Nicoletti, vice president
of secure information systems at Terremark Worldwide Inc., a network
services and real estate company in Miami. "With interconnected
networks, the entire world can dumpster-dive in your computers."

Today's laptops are lighter, cheaper and more powerful than ever
before. With a wireless Internet card, users can access the Web from
anywhere, making them ideal for remote work from home or while

But that same portability has made them more attractive to thieves.

In the past year, business and government laptops have been yanked
from homes, cars, aircraft and hotel rooms or lost to owner
fumble-itis in 29 instances, says the San Diego-based Privacy Rights
Clearinghouse. Those losses put the personal information of tens of
millions of people at risk.

In one of the largest data breaches ever, a laptop carrying the
personal information of 26.5 million veterans discharged since 1975
was stolen in May from the home of a Department of Veterans Affairs
analyst. The VA announced Thursday the laptop has been recovered, with
no evidence of identity theft.

And just last month, the Federal Trade Commission, the government's
standard-bearer against data theft, revealed that two laptop computers
containing personal and financial data it had gathered in
investigations on 110 people had been stolen from an employee's car.

"Laptops are a significant (cause) of data theft," said Beth Givens,
director of the Privacy Rights Clearinghouse. "It is symptomatic of
people taking their work with them everywhere they go."

If data has been compromised, 24 states require companies to notify
those who could be harmed; eight more states have enacted laws that
will go into effect in the next six months. All of this is forcing
tech managers to bolster laptop security.

First, they are training employees on laptop management, starting with
common sense: Employees are to carry their laptops at all times or to
lock them up.

After a data breach last November involving a stolen laptop with data
on 160,000 employees at the Boeing Co. in Chicago, the company began
requiring human-resource and payroll employees who take a laptop home
or on travel to physically lock them to a desk while using them. The
company also has begun random audits of laptops to check for old and
forgotten data files.

"If you have information on your laptop, it should be encrypted and
the computer is supposed to be secured," said Boeing spokesman Tim

Companies also are disabling extra USB ports and writeable CD-ROM
drives to keep employees from copying information to thumb drives,
compact disks and other portable storage devices. They are restricting
some files only to their secure networks and banning employees from
taking pictures of documents with camera phones.

And if a laptop is stolen, they are to report it to the company and to
authorities immediately, said Bob McConnell, a security consultant who
worked with Alpharetta, Ga.-based ChoicePoint Inc. last year when the
data broker suffered a major breach of its databases.

"Almost all companies that travel will have to become sensitive to it
because of what they've seen in the media," McConnell said of laptop
security. "They can't afford the fallout of compromised data."

Damage control could be costly and distracting. Already, the VA has
spent $14 million just to notify veterans of the breach. The
government also has agreed to provide free credit monitoring to the
veterans whose personal information may have been compromised, a move
expected to cost millions more. Even so, five veterans groups have
filed a class-action lawsuit seeking damages for violation of privacy.

A report last year by the Elk Rapids, Mich.-based Ponemon Institute
found it costs a company about $5 million to notify victims of a data
breach, or about $138 a victim. It can be much more for firms such as
data brokers and banks and financial services.

But the real loss may be in disenchanted customers. Even when
companies made the effort to notify consumers of a data breach, 19
percent of survey respondents said they would discontinue their
business with the company, or already had, the Ponemon study showed.

"Customers may churn rather than work with a company that has a bad
reputation. A data breach is a signal that a company is just not
well-controlled," said Larry Ponemon, the firm's chairman.

Some companies say the best way to protect data is to take the risk
out of employees' hands. They have added more layers of laptop access
control, allowing sensitive data to leave the building with only a
chosen few.

If employees are authorized remote access to a company's computer
network, they'll need either a password, smart card, rolling digital
number from a key fob, biometric identification such as a thumbprint,
or more than one of these to get in.

"If you don't have a password, you can't get the laptop up and
running," said Jacob Rice, a spokesman for Siemens Communications Inc.  
in Boca Raton. "You need another password to get into the VPN."

A VPN, or virtual private network, allows companies to transmit data
across a public network such as telephone lines or the Internet using
encryption and other security mechanisms to protect it.

Interfuse Technologies Chief Executive Phil Viscomi is a believer in
encryption. His Boca Raton-based company sells a software program that
not only encrypts a document or e-mail but restricts the receiver from
copying it, cutting and pasting parts of it to another document, or
disseminating it.

With Interfuse's OfficeLock program, data is scrambled and transmitted
to someone collaborating with the sender. But the receiver must have
decoding software and a password to unscramble it. After reading it,
he is simply restricted to closing it.

"If you lose your laptop, the information becomes inaccessible,"  
Viscomi said. "Data is meant to be shared. It's normal... to send
information to the wrong person. But they won't be able to use it."

One Interfuse customer, Verasys Inc. of Miami, uses encryption
software but also recommends clients consider it as an extra layer of
protection to access control by passwords and biometric means, said
Verasys partner D.C. Page.

"Once you check your thumbprint or iris, you've opened the door. It
doesn't go far enough. It's at the perimeter. You still need to
communicate securely," Page said.

Despite these measures, most tech managers don't think their companies
are meeting the computer security threat adequately.

In a survey by Deloitte & Touche USA LLP of 150 chief security
officers from technology, media and telecommunications companies in 30
countries earlier this year, only 4 percent said they believe they are
doing enough to address the problem. Still, 74 percent said they would
spend more time dealing with information security in the next year
because of stiffer privacy regulations in many states.

Stacy Cannady, director of client security for Raleigh, N.C.-based
Lenovo Group, said tech managers opted for free encryption software
off the Internet a year ago. But lately, they've switched to
multi-level laptop security that includes a combination of file,
hard-drive and operating-system encryption after many states demanded
public notification of personal data breaches.

"No business wants that. It's a huge expense," Cannady said.  
"Customers don't trust you. The press is all over you. And you look
like an idiot."

More information about the ISN mailing list