How to increase laptop security
06 April 2008
The government must bring in tough laws to make companies realise that responsible handling of data is a necessity, writes Charlie Taylor.
In February, the Irish Blood Transfusion Service (IBTS) confirmed that a laptop carrying detailed information on more than 170,000 blood donors and 3,200 patients had been stolen in New York. While the information contained on the laptop was encrypted, the announcement caused widespread concern among the general public, many of whom were worried about becoming victims of identity theft.
According to Gartner, the information and technology research and advisory firm, a laptop is stolen every 53 seconds from airport lounges, hotel rooms and restaurants in the US. Moreover, the FBI estimates one out of every ten laptops will be stolen within the first 12 months of purchase and that 97 per cent of laptops that go missing are never recovered.
Given such frightening statistics, one would imagine that firms are doing their utmost to put precautions in place so that corporate laptops don't go missing and that, if they do, any information stored on the laptop is safeguarded. Unfortunately though, it seems this is rarely the case.
“The problem of missing or stolen laptops is getting worse because laptops have become so cheap that they are almost seen as being disposable items,” said Eoin Goulding, managing director of IT security company, Integrity Solutions. “Usually if a laptop goes missing, it's highly unlikely that it will be reported to the gardai; a new one is purchased instead.”
Recent media reports concerning lost or stolen laptops have once again alerted organisations to the fact that, while laptops may offer flexibility, there are also security risks involved in allowing employees to have them.
Earlier this year, the National Health Service in Britain admitted that a laptop containing medical records for more than 5,000 people had been lost from an outpatients department in a hospital in Derby, while a few weeks earlier, the Ministry of Defence lost a laptop containing details of 600,000 applicants to the armed forces in Britain.
Although most of these incidents have tended to involve public sector-related organisations, it's imperative that businesses are also aware of the dangers involved in allowing staff to have laptops that have vital information stored on them.
“A second problem is that, much of the time, companies have no idea what information is stored on corporate laptops,” said Goulding. “Many firms don't have risk policies in place covering what can and can't be kept on a laptop and no training is given to staff on the subject. This means that organisations are often completely in the dark about what data may have ended up in the hands of someone not connected with the company.”
According to Gartner, 73 per cent of companies do not have specific security policies for their laptops, a figure that doesn't surprise Tina Kavanagh, managing director with Bray-based Stealth Shield, a firm which supplies software that protects, tracks and assists in the recovery of stolen laptops.
“There is a huge culture of ‘it'll never happen to me' among organisations, and amazement when it actually does,” said Kavanagh.
“We are contacted on a daily basis by companies and individuals who have suffered a loss or theft and never thought it would happen to them, and are surprised that when it does it can affect their whole business for weeks.
“Stolen laptops are potentially a bigger cost burden to businesses than viruses or spyware. A laptop may contain sensitive corporate information such as proposals, reports, audits, customer contact details, organisational plans, product details, etc, and will almost certainly contain the user's personal information. All of this is itself valuable to a thief and there is now a ready market for such information.
“In some cases it could be worse if the stolen laptop contains passwords or credentials for accessing the corporate network remotely. This could, and has, resulted in major security breaches causing even greater losses, not just financially but to the firm's reputation too,” she added.
The Office of the Data Protection Commissioner has said it is concerned about the amount of private information being stored on laptops and other devices that are used outside the office and it has previously issued guidelines on the subject.
“Organisations bear a heavy responsibility towards staff and customers in relation to personal data that they hold,” Billy Hawkes, the Data Protection Commissioner, told Computers in Business.
“As stated in our guidelines, organisations should have clear security policies and enforce them strictly. Laptops and other portable electronic devices are vulnerable. Employees should not be allowed to download personal data onto such devices unless the data is properly secured and employees are warned not to display such data in insecure environments,” he said.
One question that many organisations have yet to ask themselves is who really needs to have corporate laptops. Dealing them out to employees may be useful in terms of aiding productivity and, given their cheapness, may be cost effective. But given the security risks, are laptops really the best technology to hand out willy-nilly to staff?
“As laptops, BlackBerries and other mobile devices become commonly used, data no longer just resides on secured servers located at corporate headquarters,” said Mairtin O'Sullivan, security consultant with Espion. “Although this shift has advantages for companies and their employees in terms of productivity and flexibility, it presents a host of challenges as to how the data can be adequately safeguarded.
“Whereas previously security threats came in the form of hackers targeting the server rooms of companies, now every laptop could potentially contain confidential customer or corporate data that is critical to a company's operations,” he said.
While laptops have become ubiquitous, some IT security professionals question whether they should be handed out left, right and centre, and whether they are likely to remain so popular in future given the high security risks involved.
“In 2008, the laptop is undoubtedly still the tool of choice for the mobile worker, but for how long will it remain so? Carrying it between home and the office, or on increasing numbers of business trips and site visits, is starting to take its toll, not just on tired backs and shoulders but also on companies' data security,” said Chris Mayers, chief security architect with application delivery firm Citrix.
Mayers believes that in a few years' time, organisations are likely to ditch laptops in favour of other mobile devices and virtualisation technology. “Many mobile workers only really need access to e-mail, for which other devices are more appropriate. Other employees simply need occasional access to data that they have ill-advisedly saved on their laptop. But in fixed locations, such as the home office or hotel business centre, remote access to data and applications hosted centrally offers users all of the convenience with none of the risk,” he said.
“Companies must ensure that their corporate data is centrally managed and delivered to users on an ‘as needs' basis. This is the most effective way to help prevent security risks through the loss of a laptop. By implementing technology such as virtualisation from the desktop to the data centre, organisations can isolate different environments with varying levels of access and security, and can securely manage and send data to the end user,” said Mayers.
That's all well and good for the future, but are there steps that firms should consider right now?
“The first task for firms is to implement effective security awareness training by educating all personnel on the risks of company asset and data loss. For laptops that contain sensitive data, make sure they are locked. This can be done by disabling USB devices, using biometric authentication and restricting access to the laptop,” said John Power, senior solutions strategist with CA.
“Businesses should also consider installing tracking devices and software on laptops in the event of the laptop being lost or stolen,” he said.
Power contends that while the onus is on protecting laptops that are in use, firms also need to think about what to do with laptops that come to the end of their life, because loss of company data can still occur long after firms have ditched the devices.
“Laptops are typically replaced on a three-year cycle and it is therefore extremely important that organisations have a decommissioning process in place. Decommissioned laptops need to be fully scrubbed of all sensitive information contained on them. Criminals are increasingly targeting the recycled laptop,” added Power.
Even with the best will in the world, chances are that a laptop will go missing or be stolen at some stage. In the event that this happens, organisations need to act quickly.
“Have a clear plan in place for dealing with any such security breach,” said Billy Hawkes. “Notify the Office of the Data Protection Commissioner if any personal data is involved. Assess the danger of the personal data being accessed by unauthorised persons and alert the people concerned immediately if they need to take measures to protect themselves.
“In other cases, consider - in consultation with the Office of the Data Protection Commissioner - if people should be informed of the security breach as a matter of good customer or employee relations.”
While such steps may certainly help, Chris Mayers believes it's no longer enough to hope firms will act responsibly when it comes to safeguarding data, particularly when there's a chance that an individual's details may be at risk.
“Given the severity of recent data breaches, the time for talking is most definitely over. The government needs to bring in tougher laws to make companies realise the responsible handling of our data isn't an option; it's a necessity. Similar measures have proven successful in the US since they were introduced in California in 2003.
“Companies there not only fear the public backlash upon being named and shamed but also face the very real threat of criminal prosecution if they fail to disclose a breach,” said Mayers.
“That fear has forced many US companies to check and double-check all the processes they have in place when handling sensitive information. Sadly, a similar level of diligence is severely lacking in Britain and Ireland,” he said.
http://www.sbpost.ie/post/pages/p/story.aspx-qqqt=COMPUTERS+IN+BUSINESS-qqqs=computersinbusiness-qqqid=31680-qqqx=1.asp