What is the solution to laptop loss? Software tracking, a layered approach to security, or is there another way? Illena Armstrong reports

When a laptop is misplaced, most people begrudgingly accept its loss. In cases of theft, some victims may simply hope the pilferers will overlook those sensitive business plans stored on it and skip attempts to connect to the enterprise network.

Then again, most people still fail to employ any kind of solution to secure laptops, says Dave Jordan, chief information security officer (CISO) with Arlington County. And, technology aside, still more people sidestep implementing any processes associated with laptop protection, even failing to provide end users with a couple of common sense security reminders about traveling with laptops.

Laptop theft runs into the millions

Jordan is like many other CISOs striving to protect a far-reaching IT infrastructure used by a legion of employees. However, the expectations he has for safeguarding the mobile devices, used by some of the 3,500 end users with whom he works, may be much higher. After all, the domain for which he is responsible - Arlington County - stretches across some of the country's most important offices.

Home to the Pentagon and landmarks like Arlington National Cemetery, a bevy of metro stations and county buildings, and Washington National Airport, Arlington County supports one of the most critical IT infrastructures in the U.S.

That's why Jordan never underestimates the need to physically secure laptops roving around in the many briefcases carried by Arlington County road warriors. He recalls a couple of incidents over the years when all his work trying to protect those devices has paid off.

The 2003 CSI/FBI Computer Crime and Security Survey reveals that companies experienced close to $7 million in losses from laptop theft alone in 2003. About 75 percent of respondents to the survey, ranging from computer security practitioners from U.S. corporations, government agencies, financial institutions, medical organizations and universities, acknowledged that they did experience financial losses, although only 47 percent of the 530 respondents could actually quantify the losses for that year. This fact most likely contributes to the show of lower losses in 2003 than in years past. Almost $12 million in losses were reported in 2001.

The report goes on to state that almost one in 10 organizations fail to enlist additional physical protections to secure computer assets. "It is quite possible, in other words, that they do not ... equip mobile equipment, such as notebook computers, with locking cables," the survey said.

Tracking software has edge for theft

The incidence of lost and stolen laptops is becoming a growing problem for organizations, says Doug Belfiore, national account executive with STOP - Security Tracking of Office Property, a company that offers permanent security plates with unique bar-coded identification numbers and 'Stolen Property' tattoos to protect and track portable devices.

"Some companies we talk to have absolutely no laptop theft/loss problems, while others have ongoing problems. And there doesn't appear to be a clear or direct connection, such as geographic location, business segment, employee demographics, etc., with these experiences," he says.

Concerns about the possibility of loss and theft, as well as data privacy and security issues, led Arlington County's Jordan to review both ComputracePlus and Absolute Encrypt from Canadian security solutions provider Absolute Software.

He contends that encryption technologies are beneficial to corporate road warriors who store sensitive data on their laptops - particularly to safeguard information that falls under the purview of government-enacted privacy mandates, such as HIPAA.

But for physically securing devices, nothing is better than tracking software, especially since "locks are for honest people," says Jordan.

He got a glimpse of how useful tracking and recovery technologies can be when an employee pinched a laptop that had ComputracePlus installed. Jordan and the employee's manager, after accessing the tool's associated Internet interface, tracked down the laptop, finding it in another state, by zeroing in on the IP address when the thief signed on to the Internet. Locating the device took about 45 minutes in total, says Jordan.

"In minutes we knew exactly where it was. We watched the guy log on every night after work. It [did] take the police a while because we had to cross state lines, but in a few months we went back there and got the PC," he says, laughing.

Jordan also discovered the value of tracking laptops when the Pentagon was hit by one of the airplanes during the terrorist attacks of 9/11. An Emergency Operations Center (EOC) was activated immediately, and Jordan says he became concerned about keeping track of the laptops that would be used by a slew of county employees in the field.

So, within a day or two, he and his team loaded the tracking software onto the machines. As he had hoped, no machines were lost during the initial frenzy of work directly after 9/11, nor during the following three months the EOC was up and running.

"Arlington County's EOC coordinates all of the county's disaster response efforts. In an emergency-operating environment, such as the 9/11 emergency at the Pentagon, multiple agencies respond and laptops have the potential to get misplaced; it's not unusual, for example, for a laptop to return with the wrong First Responder team after an incident," he explains.

Companies, he adds, must engage in some planning to protect these devices, ensuring that they always bear in mind people, processes and technology.

"The secret here is to be prepared and drill," says Jordan.

Whether discussing protections for individuals or an employee group, everyone should know the risks of using portable devices, says Donald Strejeck, president of Safeware, The Insurance Agency, Inc., a company offering insurance programs for computer, electronics and high-tech equipment owners.

Although most people might not think about it, he says, it is important that companies undertake a layered approach to safeguarding these tools. After all, it is not only the device that is at risk, but also the information stored on it and the access it can provide to the enterprise network.

Strejeck says that traditional cable locks, tracking and encryption software, tracking plates, protective bags, power surge protectors, and other tools should all be considered as part of the layering.

"There is a benefit to all of these devices. They all have value, but they must be used," he says.

As such, not only must company leaders deploy security solutions that protect laptops, but they should also make employees understand their obligations through training. Education and awareness programs that discuss usage of tools and any ramifications resulting in their theft, loss or damage should be undertaken.

A common sense approach and training

For his part, Jordan picks up where security solutions leave off, walking his turf to talk to his constituents. In addition to spearheading an end-user awareness program that sends out alerts on viruses and provides educational pamphlets on securing company devices, he also provides documents with pointers to help end-users with their home PC security.

Such active involvement with the county employees leads to a pretty strong symbiotic relationship, he says, that supports overall corporate security.

Education that is tailored specifically to the road warriors about the risks to the business if their laptops are lost or stolen also lends a hand. On the flipside, he has implemented additional policies that some might consider a little "Draconian," which explain to mobile device users that if they lose a laptop once, the county will cover it. The second time around, however, it will be their responsibility.

Still, the best security is that which does not wholly rely on the end user, contends Mike Johnson, network administrator with First United Bank & Trust, which has offices in West Virginia and Maryland. With stringent FDIC requirements nipping at his heals, Johnson can ill-afford to depend on employees to secure the company's wireless devices.

At the same time, though, he does ensure that they participate in training and that information about various security issues is covered. But, ultimately, what has really helped him is maintaining an inventory of the company's laptops and tracking/recovery software.

He contends that a layered approach that includes the likes of locks, cables or disabling devices is a thing of the past.

"People who want to take your laptop, steal it, [are] going to steal it. If you have a lock, they have bolt cutters. No matter how strong your password is there's software out there to break it. They're going to get in. They're going to get what they want," he says.

Yet, the thieves might just lose if company leaders and employees adopt a common sense approach to laptop security, says Safeware's Strejeck. Taking steps, like never leaving the laptop unattended, including in a car, hotel room or cab, and backing up files, go a long way. Also, the use of various security devices helps protect the laptop and often deters thieves from taking it.

STOP's Belfiore agrees, noting that tracking and recovery solutions are just one part of overall laptop security planning. Anything from crypto solutions and the old lock and key standby to employee education are all steps in the right direction. It's always easier to stop a thief than to catch one," he explains further.

"Thus," says Belfiore, "while 'Lo-Jacks' of laptop security are helpful once a computer is lost or stolen, security measures that deter theft in the first place - locking devices, alarms, marking devices, and a strong employee usage policy - are always the most beneficial and effective first steps."

Illena Armstrong is U.S. and features editor for SC Magazine.