Laptops and mobile devices may be business travelers' dream tools, but they're likely to be a small-business owner's nightmare if they're lost or stolen.
If you're thinking "It can't happen in my company," consider these statistics: It's estimated by Absolute Software that in 2005 over 750,000 laptops were lost in the U.S., with 97% of them never recovered.
And in 2005, a publication of the Licensed Taxi Drivers' Association and mobile-security company Pointsec conducted a London survey of items left in taxis over a six-month period, yielding some startling results. Londoners are reported to have left behind 4,973 laptops; 5,939 Pocket PCs; and 63,135 mobile phones. In 2006, 81% of U.S. companies reported losing laptops containing confidential data, including intellectual property, business documents, customer data and employee records.
There are stories in the news almost daily about the latest data privacy breach, and no company or agency is exempt. From to the Ohio state government to Yale University, lost mobile devices such as laptops, PDAs and thumb drives are exposing companies' secrets and their clients' data to the world.
Even the security pros aren't immune. A speaker at a security conference I recently attended had his laptop stolen the night before the event, and he's from the FBI. Most thefts of portable devices are crimes of opportunity. Travelers are especially vulnerable: There's nothing like arriving late in an unfamiliar locale, juggling bags, battling jet lag and trying to figure out which in a row of identical rental cars is yours to make you a little careless or forgetful.
The price of replacing hardware is negligible. But the long-range costs -- financial and otherwise -- can be staggering when a company's confidential data ends up in the wrong hands.
Policy for Protection
To protect your company, it's essential to establish a mobile-device policy before any equipment or data are lost.
Such a policy is both wise for the company and instructive for the employee. There's no way to guarantee that the policy will help employees hang on to their laptops while traveling, but it can ease the pain by reducing the financial and legal impact of data loss, as well as impart awareness of this serious issue to employees.
A large company can afford to spend millions for identity-theft protection programs for clients whose data has been lost, and can withstand the damage to its reputation that a privacy breach causes. But smaller firms can be driven out of business by such an incident -- and an employee who hasn't adhered to an established company policy is likely to be out of a job.
Some of the points formalized in the mobile device policy might just seem like common sense, especially the ones related to physical security. It's hard to believe anyone needs to be told not to leave a portable data device in an unlocked car. But that's exactly what an Ohio state government intern did in June, leading to the theft of a system backup containing personal data on more than 200,000 people.
And if you think it's not possible to absentmindedly wander off and leave behind a BlackBerry or laptop, consider those London cab statistics.
Without a formal, established policy on physical security, an employer may find himself or herself with no legal cause to fire an employee whose actions have had a disastrous impact on the firm.
A perfect example lies in one of the biggest and most public data compromises ever, the laptop stolen from an employee of the U.S. Department of Veterans Affairs in 2006.
This computer contained data on all American veterans discharged since 1975, including names, Social Security numbers, dates of birth and, in many cases, phone numbers and addresses -- nearly 30 million entries in all. Although the laptop was later recovered, the VA suffered a serious black eye, and Congress demanded that Secretary of Veterans Affairs R. James Nicholson testify about the breach.
Rep. Bob Filner (D., Calif.) took issue with firing the worker, saying that the data analyst was authorized to take a laptop home and use a software package to access the data, contradicting Nicholson's previous testimony that the employee was not authorized to have the information at home. "He got all the approvals that he was supposed to have," Filner said. "I don't know of a policy that he violated, if you'll tell me one. And that's the real negligence -- that there were no policies."
Create Your Own
Privacy and confidentiality of your company's and clients' data is the hot button pushing the most recent regulations and compliance laws. If your company is affected by compliance regulation, such as Sarbanes-Oxley, HIPAA, the PCI DSS (Payment Card Industry Data Security Standard) or other regulations, losing a laptop could land you in serious privacy-violation hot water.
has already spent more than $250 million recovering from a January data loss, with large class-action suits in the wings.
Creating such a policy probably isn't a do-it-yourself project. It's a good idea to sit down with a legal adviser and a security expert to find out where your company is vulnerable and what you can do to plug the holes.
You don't have to build your policy from scratch, however; there are myriad sources to draw inspiration from. The SANS Institute's SANS Security Policy Project has a wealth of resources for writing security policies, including primers and policy templates. Or take a look through Charles Cresson Wood's Information Security Policies Made Easy.
Creating a mobile device security policy is a crucial step toward reducing business risk when your employees are on the road. Of course, the next step is to implement that policy, so check back next week for tips for the traveler, as well as nifty tools and software to help keep your company's data on a leash.
Russell Dean Vines is Chief Security Advisor for Gotham Technology LLC and a bestselling author. His most recent book is The CISSP and CAP Prep Guide: Platinum Edition, published by John S. Wiley and Sons.