Reducing the True Cost of Laptop Theft

David Higgins - 4ITSec

The loss or theft of a laptop could be critical to your business, yet many businesses do not adequately assess this risk and take appropriate action.

“What does the loss or theft of a laptop cost a business?” is a question with an infinite range of answers.

Recent figures from UK police forces show that over 34,000 laptops are reported stolen each year which is over 90 per day and those figures only includes those which have been reported to the police.

A worldwide survey conducted recently highlighted that not only were security measures fundamentally basic but that staff training in security measures was limited, inadequate, or often non-existent.

Victims can not only lose hardware, but software, and essential data that has not been backed up.

The topics below outline areas of risk along with some of the risk mitigating solutions that could be implemented. The mitigating solutions should be considered as part of a “layered” security design and ensures they are seamless, quick, and managed centrally so that the user cannot circumvent them.

Business Costs Incurred by Loss or Theft

When trying to calculate the replacement hardware costs, the laptop hardware replacement should also include the cost of rebuilding that laptop to the same specification of the “lost” item and testing its functionality.

The cost of re-installing the laptop software should include the laptop operating system, business critical software and license details replacement along with the man-hours of re-installation - and subsequent testing of its functionality.

If an employee cannot function properly until the laptop has been replaced, rebuilt and tested, there will be an impact on the business and the employee’s effectiveness within the business

Some data may have been lost forever – if it was never backed up routinely or it was so new that it had never been saved on a backup. What’s your data worth to you? When did you last back it up? The loss of sensitive data, personal and company information is of significant risk to all employees and businesses and appropriate measures should be taken to protect the data adequately.

Some remote systems authorize external user access based on credentials stored on the laptop including web cookies, passwords, MAC Addresses, and possibly cryptographic keys. If any of these were stored locally on the “lost” device, there is an immediate compromise to the business’s security which would need to be addressed as a matter of urgency.

Why not try the exercise?

Check how long it takes to re-build a laptop, like for like, calculate the costs – include this figure in any Risk / Benefit Analyst work used to select the Risk mitigating solutions that are cost effective to the business

Mitigating Solutions

General Security Issues
Every business must have a set of “standards” relating to their IT Security. These will be detailed in the Management Security Policy (management’s goals and objectives in writing). Every user who has access to the company IT system must be aware of these requirements, must have been officially trained in the company security policy and must have signed to agree that they understood those security details.

A complete record of every laptop, contents, software license details, backup location and frequency must be kept. If possible, a “device specific backup” image, or “Gold” image – should be kept up to date and regularly tested to automate the rebuild of the laptop accurately and quickly.

Security should be built into your IT System at the design stage; it is always harder and more expensive to retro-fit a solution.

Security Training and Staff Awareness
All staff should be made aware of the company security policies
All staff should be trained in aspects of Security relating to the company data

Physical Security
Protecting against laptop and data theft would appear to be relatively easy but, in a business sense it rarely is. Often, even the basic steps are often overlooked: never leave the laptop unattended, never leave it on the floor or out of sight, on your desk when at lunch, laptops are easy to snatch from a café table. Try and keep the laptop in a less obvious bag such as a briefcase

These might all seem like commonsense items but for every single entry in this list you will find people who have lost their computers by not taking precautions.

Device & User Passwords
Employees often find that the current business password policy document is unworkable or non-existent. When this happens they often take shortcuts which undermine the security policy – ensure that the policy is understandable, workable and acceptable.

Passwords are no longer solely adequate to protect laptops. There are solutions that can improve the strength of a laptop's protection; however, there are a number of tools widely available, both commercial and open source that enable a user to circumvent passwords for Windows, Mac OS X, and Linux and thus gain access to the laptop contents.

Encryption
Full Disc encryption (FDE) is an increasingly popular and cost-effective – a software-based approach, a hardware-based approach, or a mixture of both; it provides protection before the operating system starts up, with pre-boot authentication.

Passwords provide a basic security measure for files stored on a laptop; when combined with disk encryption however, they can reliably protect data against unauthorized access and ensure that the only value to the thief is from the sale of the laptop and not your data.


Where Should Data be Stored?
Within business, the question of where data should be stored is a complicated one – the answer coming from the business’s security and operational needs. Should it be held on the laptop, centrally, or a combination of both? Obviously, protection of corporate data is critical today; you could argue that employees should not have sensitive information on their laptop when out of the office but, the reality is that, the laptop is tantamount to a working environment. One approach could be to implement a “thin client” solution, which ensures that all data resides on the server and therefore may be less liable to loss or compromise – however, it does need network connectivity to be available. This approach can be coupled with strong centralized authentication routines as such single sign-on (SSO). Single Sign On is a centralized authentication database that administers access to multiple resources.

An audit policy design as part of a risk assessment process will reduce the impact of data loss and ensure you know exactly “what” has been lost.

A backup mechanism that performs automatic replication of laptop data back to a central point on a daily basis can also be useful.

All redundant storage devices (including laser printers) need to be professionally “erased” to ensure data confidentiality during the equipment disposal.

A Laptop Security Policy Document outlines the responsibility of the user and how they should treat their laptop and data. It is no less important than any other corporate email or data policy and, as such, should be part of the employee’s contract of employment.

In Conclusion

To protect your laptop and its data, make it harder for thieves to get hold of it through the simple security steps outlined above.  By encrypting data and good use of passwords, you can also ensure that the only value to the thief is from the sale of the laptop and not your data – the costs are minimal against the benefits realised.

Whichever solutions you implement, make sure they are seamless and quick, managed centrally, for additional security and auditability, and fully supported by the business. Ensure that there is a business wide set of security policies which are fully endorsed by the business. Ensure that all employees and users are fully trained and aware of the security issues. Ensure all cryptographic keys & passwords should be centrally held by the security custodian.

Share this

Gold Patrons