Ron Baklarz has had only a few laptops disappear from his organization, but for him, one is enough. That's why Baklarz, the chief information security officer at The American Red Cross in Falls Church, Va., recently decided to draw up a three-level security policy that governs the use of laptops at his organization. "We didn't have a whole lot of disappearing, but there was enough that we really felt like we needed to get something going on it," he says.
His plan escalates the level of protection on a laptop according to the sensitivity of the data on it. Basic level laptops, for example, will come configured with mandatory security settings, such as use of encrypted file systems and strong password settings. At the top level -- laptops used by senior executives such as the CEO -- machines will be equipped with tracking software that will automatically broadcast a stolen laptop's whereabouts the minute it gets hooked up to the Internet.
Baklarz is not alone. According to research company Gartner Inc., 70% of the Global 1,000 will struggle to successfully implement policies and procedures to govern the security of mobile devices -- most importantly, to protect the valuable corporate data that resides on or is accessed from those devices. That's an important distinction. The loss of a laptop, while annoying, is hardly going to break the budget for most companies. But losing the data that resides on that laptop is an entirely different story.
"The value of the data on the laptop is always worth more than the hardware costs," says Kevin Burden, program manager, mobile devices, at IDC, a research company based in Framingham, Mass. "At the same time, there are many threats to personal systems. For example, the legal exposure from compromised data is immense. You've also got the risk of competitive losses, fraud, theft and employee sabotage -- just to name a few. The smaller the device and more mobile it is, the more likely it is to be lost."
But despite the risk to corporate data, laptop security remains lax at many companies, says John Girard, vice president and research director in the security practice at Stamford, Conn.-based Gartner. "It's very much a serious problem," he says, but most companies struggle with laptop security. Why? Because it requires behavioral changes on the part of the user community, and most resist any new policies that affect the ease of use of their laptops. "Most users object to changes as simple as using a user ID and password when logging onto a laptop," says Girard. "I hear whining all the time."
In spite of the whining, however, IS executives such as Baklarz are heeding the danger and forging ahead with security policies for laptops. "Locking down mobile devices is a challenge, but there are a variety of policies that help minimize the threats," says Burden. For those considering creating or updating policies for their own organizations, the following tips, divided into three categories, could help.
Physical security. This consists of a variety of procedures and tools to ensure the physical safekeeping of laptops. The simplest include common-sense procedures such as tagging a laptop carrier with a brightly colored tag to differentiate it from the hordes of black canvas bags that go through security at an airport. "Keep your laptop under your watch at all times while traveling," says Baklarz.
There are also a variety of theft-deterrent devices, ranging from simple locks to steel bars to actual laptop alarms that will go off if the device is moved beyond a certain distance from its owner. The problem with these, of course, is that they presume a willingness to use them on the part of the user community. "Most users won't want to schlep anything too big," says Baklarz, but he adds that locking devices are very helpful in an office environment, where theft is also a problem.
Logical security. This refers to the many security procedures that can be built into the software and data itself. The first step is to require a username and password upon booting up the laptop, whether on the road or at the office.
Some experts advise even more authentication security. Girard, for example, recommends tokens, such as the technology put out by Security Dynamics or RSA. "It's still the most unique system you can use," he says.
File encryption that's keyed to a correct logon is also recommended, says Girard, as well as running a personal firewall on the machine.
Then there's wireless. Nearly all laptops these days come with a wireless port, and when the computer boots up, so does the wireless port. This leaves laptops open to attack if there's a wireless network in the vicinity. If users are actually connecting via wireless LAN, using a VPN, or virtual private network, is a must. Again, cautions Girard, strong password protection is vital. "People think they're secure if they use a VPN," he says. "It may be private, but if it only uses simple password protection, it's not secure." As an aside, Girard also advises against allowing split tunnels on a VPN -- that is, no accessing the Internet while logged onto the company network.
'Morning after' security. Otherwise known as tracking and recovery technology, this level of security helps protect and recover laptops that have been stolen. "You can't depend on people's adherence to policy and base security on that," says Kesler. "You have to have the checks and balances in place as well."
Tracking and recovery technology ranges from practices such as etching the name of the owner onto the machine to Lojack-like devices, such as those put out by ZKey and zTrace, that send a message with the laptop's whereabouts once the machine is connected to the Internet. At the top of the heap is software that will actually encrypt and purge vital data in the event of a theft.
The stakes will only rise as more employees embrace mobile technology -- not just laptops, but handheld devices such as PDAs and Internet-enabled cell phones. And as such devices grow in popularity, so does the risk of serious data theft, says Baklarz. "Today, thieves probably steal the laptop for the hardware. But when they find out that this computer is worth $30,000 instead of $500 if only they can grab important data such as names and social security numbers off of it, they'll only be too happy to do that, instead."
About the author: Carol Hildebrand is a freelance writer in Wellesley, Mass.
This was first published in June 2003