We’ve heard about headline-making security breaches, such as TJX and CIBC, but the smaller ones often go and unnoticed – and unreported.
This corporate oblivion is most apparent in the area of laptop theft, which is becoming an increasingly serious problem.
Recent studies show many companies are not even aware that laptops have gone missing or a breach has occurred until much later.
As many as 62 per cent of companies polled in by Absolute Software Corp., believe missing computers go unnoticed, while 20 per cent say breaches are unheeded..
Vancouver-based Absolute Software creates software that tracks, manages and recovers remote and mobile computers.
The company’s tracking software helped Dobson Communications Corp. – a wireless services provider headquartered in Oklahoma City – recover its stolen laptops.
Around two years ago, Dobson discovered some of its laptops had disappeared.
“We just could not figure out where they went,” said Brett Labare, an operations analyst with Dobson.
This was despite the fact the company was using asset-tracking software.
Labare said Dobson signed up for Absolute Software’s CompuTrace service, which includes remote data deletion capabilities plus hardware, software and license-tracking information.
“More than anything I think it’s been a deterrent to internal theft,” since employees know it’s loaded on all new and existing machines, said Labare.
“So the word is out there that it’s something that cannot be removed from the machine and if someone takes it there’s a good chance that they’re going to get caught.”
The company had four laptops stolen last year – one was left in an airport parking lot, one in a hotel room, and two were recovered.
“We haven’t had to do a delete yet but we do subscribe to that service, and we did internal tests here to see how it worked,” Labare said.
At this point Dobson doesn’t encrypt its data. If a manager with confidential information has a laptop stolen, it can do a “data delete” and void the recovery process.
But it hasn’t had to do that yet. It can also log in to a Web site and run customized reports to flag laptops that haven’t been checked in for a certain period of time.
A couple of years ago, the FBI lost track of several laptops, and while the agency knew there was confidential information on some of the machines, it had no idea which machines had confidential information on them or what the information was.
“That’s pretty typical,” said John Livingston, CEO of Vancouver-based Absolute Software.
“It’s the tip of the iceberg that actually gets announced,” he said. “I think it’s been happening for years and this is why you have such an explosive identity theft problem right now – there’s just been such poor regard for all of our personal data.”
According to Livingstone, there are two main considerations when dealing with data breaches.
First is protecting the perimeter, typically via a corporate firewall. Some retailers – such as TJX – haven’t done such a great job of this, he said.
But, he said, approximately 40 per cent of data breaches in the corporate and government space occur when laptops go missing (breaches also occur as a result of lost or stolen hard drives or USB keys).
“We recommend people encrypt the drive even though that is somewhat painful,” said Livingston. “It’s still worthwhile on machines that are carrying sensitive information to combat the external theft issue [such as] smash-and-grab from a car.”
According to research firm Gartner Group, about 80 per cent of theft is an inside job.
So Absolute Software builds “persistent tracking” technology into the BIOS of a computer to help organizations understand where all their laptops are.
“And if they do go missing and they go outside your control, you can actually do something about it,” said Livingston.
With persistent tracking technology, the machine is programmed to call home, and in calling home you get a connection with the machine, so you can erase it or locate the unit and physically recover it.
If a company is dealing with a building that’s plagued with theft, they can go into stealth mode to find out who’s actually stealing laptops.
“We had a case last week where 22 laptops were recovered – a security guard was stealing them,” said Livingston. “We probably get one of those a week.”
Hard drives today can hold enormous amounts of data, so organizations have to take steps to protect these devices, said James Quin, senior research analyst with Info-Tech Research Group.
Organizations need to make sure they’re keeping up-to-date with the anti-malware tools they’re using, both on the devices and on the network.
The technology area that allows enterprises to do that is network access control, which acts as a form of interrogation when a device attaches itself to the network. If it fails because it’s behind on patches or because it’s infected, it’s not allowed on the network.
But in conjunction with that, organizations also have to protect the data that’s on the device – and that’s where encryption comes in. “Encryption is, in my opinion, something that should be mandatory on every single laptop – no ifs, ands or buts,” said Quin.
But it’s not necessary to spend a lot of money on an encryption solution (the initial release of Microsoft Windows 2000, for example, included encryption capabilities with EFS, or Encrypting File System).
It may not be the best encryption solution on the market, he said, since it’s a folder-based encryption (which means it can only be applied to the folders that are set up to be encrypted). But, for something that’s free, he said, it’s a hell of a decent capability.
But he’s not a big fan of data wiping services. “They rely on stupid criminals,” said Quin. “The only way that device can get wiped or lojacked is if it’s given the opportunity to communicate with someone.
If I connect to the Internet, I’m giving it that opportunity.”
That means the only way a data wiping service is going to work is if a criminal hooks up the stolen laptop to the Internet. If they don’t care about the data, then they’re just going to wipe it and sell it off.
But if they care about the data, then they probably aren’t going to do something stupid with it. “If you’ve got the data encrypted, you don’t really need to worry about a data wiping service,” he said.