
The Laptop Lockdown

By Courtney Macavinta

When the Federal Trade Commission (FTC) has to announce that two government laptops containing sensitive personal information for more than 100 employees have been stolen, it's safe to say the incident is a bit embarrassing. The FTC, after all, is charged with protecting U.S. consumers -- including cracking down on organizations that violate their privacy and don't adequately safeguard the sensitive personal information they collect. In the FTC's case, an employee left two laptops locked in his car, and they were later stolen. The laptops contained such data as other FTC employees' names, addresses and Social Security numbers.

"The FTC is the enforcer of security so it was ironic because they are enforcing the law and they aren't even drinking their own medicine," says Avivah Littan, vice president and senior analyst for Gartner Inc., who co-authored the June report, Stolen FTC Laptops Show Extent of Lax Security Data Practices. "There is no excuse for all these [incidents]."

Littan is referring to the fact that the FTC is not alone in struggling with laptop security. Actually, the FTC's loss is the latest in a rash of laptop thefts that have threatened the security of government employees and consumers' privacy. In May, a Veterans Affairs laptop containing more than 25 million veteran and active duty military personnel records went missing. That same month, a laptop containing the records of 65,000 customers, along with their debit card, credit card, and Social Security numbers, was stolen from YMCA's locked offices in Rhode Island.

For a CIO at any organization, laptops present a common challenge: How do you provide employees with the convenience of laptops while making sure they don't result in a thief walking off with a firm's confidential data? Laptops can be lost or stolen due to human error, or they can be deliberately targeted, as when a thief goes into a company's offices and steals an unmonitored laptop. But it's not equipment loss that worries CIOs most -- it's the loss of data that could be compromised or exploited, or that results in a regulatory reprimand. These days, if an organization's data is compromised, a growing number of states require it to inform all of those affected.

Robert Parker, author of the IT Governance Institute book on privacy, Information Risks: Whose Business Are They?, says organizations generally aren't taking laptop security seriously enough.

"They're considering this a personal productivity tool rather than an integral part of the organization's information system," Parker says. "They wouldn't let their servers or hosting computers operate for days without backing them up. They wouldn't [sidestep] having good security for their networking equipment. And yet their laptops sit out on desks unattended, or people take them home and leave them out. They have to take a very pragmatic, risk-based approach to [the] risks and vulnerabilities of laptop computers."
 
Analysts say the real issue is not theft, per se, but that laptops contain sensitive data that could be compromised in the first place or can provide unfettered access to a corporate network. Here's how CIOs can better lock down laptops:

  • Restrict sensitive data from being stored on laptops. Because laptops are mobile and meant to increase productivity, employees might want to store the same files on their laptop that they'd access from a corporate network while at work. But analysts warn against this practice. "There isn't a single business reason to have sensitive data on a laptop," Littan says. And her report goes on to suggest: "Use a content-filtering tool to restrict employees from transferring sensitive data over networks."

What can and can't be stored on a laptop should be outlined in a policy that all employees must agree to comply with. Parker says that sensitive information about clients or customers, or confidential insider information or business plans, "shouldn't be on a laptop or it should be encrypted."

  • Use stronger security measures. Experts agree: If sensitive data needs to be stored on a laptop, it should be encrypted. Gartner advises that CIOs "extend data protection programs to all media, including tapes, server drives, paper reports, databases, and mobile data on memory sticks." Both Littan and Parker advise CIOs to mandate that laptop users choose strong passwords -- that are automatically required to be changed often -- to protect access to their mobile computers.

CIOs should also deploy two-factor authentication to allow employees to access data from an organization's secure server in the first place or to transfer it to a laptop. Another best practice: providing employees with cable locks so they can lock their laptop to a desk or table for good measure. Finally, CIOs should make sure laptops have the latest anti-spyware and anti-virus programs installed to reduce vulnerability.

  • Back up often. A lost or stolen laptop should never have irrecoverable data stored on it. "The theft of a laptop can be catastrophic if the data is not backed up," Parker says. If an employee is traveling to another country where there is a risk that the laptop could be held by customs officials, or has a greater chance of being stolen, Parker recommends that IT outfit the traveler with a laptop that has only the bare minimum of data and programs necessary for the business trip.

With better security in place, and limitations on what can be stored on a laptop in the first place, CIOs can limit the liabilities that come with pervasive laptop use. The effort is worth the reward, Littan says: "The cost of data breach is much higher than the cost of data protection."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
