IT security leaders and CIOs need to think ahead: 40% of all data breach cases are caused by a stolen laptop, stolen outside as well as inside the company. Losing a company laptop and its sensitive files results in a massive financial loss: employee hours, internal or external counsel, and the cost of the breach itself. According to the Ponemon Institute's annual "Cost of a Data Breach" report, the average cost of a single data loss or leak event in the US reached a mind-numbing $7.2 million. In Europe it is as high as €3.4 million.
In many cases, a data breach means informing the customers and clients that are directly (or indirectly) affected by the loss of data. Affected partners and clients need to know about the issue, and they need a direct contact (a hotline!) they can talk to.
To make a long story short: any security breach is an undesirable situation. In the end, you will probably lose your clients' trust, and the entire client relationship with it.
This article targets the main cause of a data breach, the stolen laptop. It helps you evaluate your current security system and gives a few recommendations for future security investments.
Protecting Sensitive Data
First and foremost, IT decision-makers need to consider deploying data loss prevention suites across their entire IT infrastructure (not just laptops!), especially if you manage hundreds or thousands of workstations. Data Loss Prevention (DLP, sometimes called Data Leak Prevention) products help you identify sensitive data and create policies to protect it. DLP contrasts with file security tools such as full-disk encryption, which control access to information or devices as a plain matter of "permission denied" or "permission granted". DLP is smarter, in that it:
- Classifies the data that is on the computer and the data that runs through your network. Most DLP suites let you automatically discover and map critical data, so you can decide which assets to protect. This includes not just plain files but SQL database entries, SharePoint content, and the like. Discovering and categorizing data is where DLP solutions shine: you can't expect your IT staff or end users to identify every kind of sensitive data across every department and then apply effective policies by hand.
- Monitors and inspects information that flows via e-mail, the web (HTTP), on- and off-site file shares, external media (USB thumb drives, hard disks), or even instant messaging.
- Applies centrally managed policies to sensitive data. You decide what happens when data of type X tries to leave!
According to a recent Forrester DLP comparison (Q4 2010), only 15% of the 1,031 enterprise CIOs and decision makers surveyed have implemented DLP suites, and 12% are evaluating the possibility. Of course, DLP requires administrator resources and a financial investment that may run into six figures. As the cost of deployment and the complexity of these tools decrease, this figure may change.
Your IT department needs to manage a piece of client software on each system, and the scanning for sensitive content in file shares, databases, client PCs and so on needs to be carefully implemented. This may require outside assistance and a dedicated evaluation of the agents themselves: not all solutions are bulletproof against malware or even user interference (see the discussion in Forrester's comparison), so test whether the agent survives a user with local administrator rights stopping its service or removing it. All of which amounts to quite an investment, especially with a huge number of clients to manage.
Implementing DLP in smaller businesses might not make sense, either for lack of budget or for lack of manpower to deploy these tools. Be warned, though: in many countries, protection of PII (Personally Identifiable Information) is mandatory and regulated by law, and protection of credit card data is required contractually by the PCI DSS.
3 Tips for Locking Down Laptops
To prevent your company data from getting into the wrong hands, you need several layers of lockdown in place. Besides the obvious choices (such as smart cards and key-fob tokens) and the aforementioned DLP, here is a checklist of tips to help you lock down laptops in case they are lost or stolen.
Implement pre-boot authentication (PBA): With full-disk encryption plus pre-boot authentication, the user must present a credential (password, PIN, smart card or USB key) before the operating system is even loaded, so an unauthorized user never reaches the Windows logon and cannot read the encrypted disk by booting another OS or pulling the drive. There are a number of very easy to deploy tools, including the (free) Compusec boot suite or the popular TrueCrypt (system encryption since version 5). Windows Vista and Windows 7 also ship their own BitLocker mechanism in the Enterprise and Ultimate editions. Note that BitLocker in its default TPM-only mode unlocks the disk automatically at boot and drops you at the normal Windows logon; for real pre-boot authentication configure it with TPM plus PIN (or a startup key). Larger companies should look into centralized management solutions (see below).
Use biometric logon authentication: If a laptop gets stolen or lost while on standby, most PBAs won't help, because the disk is already unlocked and its key sits in RAM; all that stands between the thief and the data is the Windows lock screen. Getting around a Windows password while the PC is locked is tough, yet possible, so you might want to consider deploying biometric methods. If your fleet of laptops supports it, use the built-in fingerprint reader. Alternatively, implement facial recognition software such as Luxand face recognition, which is available for corporate use at $49 per client. A simpler policy fix is to have laptops hibernate instead of sleep: hibernation powers the machine off, so the next resume goes through pre-boot authentication again. Hint: according to last year's (leaked) documentation, Microsoft is looking at building facial recognition into Windows 8. This has yet to be confirmed, however.
Encrypt sensitive files in containers: Deploy an encryption solution on your corporate laptops and lock down sensitive data in a container. Enforce strong-password policies. There is no sense in having AES encryption with a 128-, 192- or 256-bit key if you're using an 8-character password: the key is derived from the password, so an attacker who has the container only needs to guess the password, never the key. UK-based security expert Dave Whitelegg makes exactly this point in his blog post on WinZip's AES encryption feature: “The weakness in using WinZip AES encryption, is it uses ‘Symmetric’ encryption, which means it uses a single private password to encrypt and decrypt the Zip archive. Therefore complexity and strength of the password is ‘the’ protection and weak point, as the bad guys have unlimited attempts at guessing and trying password combinations to decrypt the WinZip archive.”
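To make the "unlimited attempts" argument concrete, here is an added example written for this article (not code from WinZip, TrueCrypt or any other product). It models how a password-based container derives its AES-256 key from the password with a KDF, then shows that an attacker holding the container can test guesses offline against the header, so a dictionary word falls in milliseconds regardless of the key length. The KDF parameters, the header construction, the wordlist and the guess rate are all assumptions for the illustration.

```python
import hashlib
import hmac
import math
import os

# Assumed KDF parameters for the illustration. Password-based containers derive the
# AES key from the password with a KDF such as PBKDF2; the hash and iteration count
# here are stand-ins, not any product's real values.
KDF_HASH = "sha512"
KDF_ITERATIONS = 2000
KEY_LEN = 32  # 32 bytes = the "AES-256" part of the marketing

def derive_key(password, salt):
    """The container key is not random: it is a deterministic function of the password."""
    return hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_LEN)

def make_header(password, salt):
    """Model of a container header: a MAC over a known magic under the derived key.
    Real formats differ, but every one of them gives an attacker *something* to test
    candidate passwords against offline, with no lockout and unlimited attempts."""
    return hmac.new(derive_key(password, salt), b"CONTAINER-HEADER-V1", "sha256").digest()

def crack(header, salt, candidates):
    """Offline guessing: the only per-guess cost is the KDF, so a guessable password
    falls no matter how long the AES key is."""
    for guess in candidates:
        if hmac.compare_digest(make_header(guess, salt), header):
            return guess
    return None

def password_bits(alphabet_size, length):
    """Entropy of a uniformly random password of this shape; a human-chosen one is far below."""
    return length * math.log2(alphabet_size)

def effective_bits(alphabet_size, length, key_bits=KEY_LEN * 8):
    """The attacker picks the weaker target: the key, or the password it was derived from."""
    return min(key_bits, password_bits(alphabet_size, length))

def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: the whole space, at an assumed guess rate
    (a real KDF lowers that rate, which is its whole purpose)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

# Constructed demo data: a human-style password protecting an "AES-256" container,
# and the kind of short wordlist an attacker tries first.
SALT = os.urandom(64)
WEAK_PASSWORD = "Summer2011"
WORDLIST = ["password", "Welcome1", "letmein", "Summer2010", "Summer2011", "Qwerty123"]

def demo():
    header = make_header(WEAK_PASSWORD, SALT)
    return {
        "recovered": crack(header, SALT, WORDLIST),
        "bits_8_printable_chars": round(effective_bits(95, 8), 1),
        "bits_aes_key": KEY_LEN * 8,
        "years_8_printable_at_1e9_per_s": round(years_to_exhaust(password_bits(95, 8), 1e9), 2),
    }

if __name__ == "__main__":
    print(demo())
```

Even a perfectly random 8-character password drawn from all 95 printable ASCII characters is worth about 52.6 bits, not 256; at an assumed billion guesses per second the whole space is gone in a few months, and a human-chosen password like the one in the demo is gone in the first few hundred guesses. Length and a slow KDF are what buy you time, not the cipher's key size.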
By encrypting files in a container (using tools such as TrueCrypt, WinZip, etc.), you have a final wall against losing your data. Of course, this requires training your co-workers and staff to comply with the business policy, but it’s a worthwhile investment.
We recommend TrueCrypt for smaller businesses, as it's easy to work with: when users mount a TrueCrypt container, it appears as a separate drive with its own letter. When choosing an enterprise-level encryption solution, make sure it comes with its own centralized management (for example, the management console included in PGP) to monitor each computer's encryption status, escrow recovery keys and recover lost passwords. As for Mac users, two viable solutions for encryption are PGP and Check Point.
Rolling out company-wide encryption usually costs about $100 to $200 per client, including deployment and IT training. But let's be honest: compared to losing a client and money, it's next to free.
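Both the pre-boot authentication tip and the advice to monitor encryption status centrally come down to one fleet check: is every OS volume fully encrypted, is protection actually on, and is the disk unlocked by a pre-boot credential rather than the TPM alone? As an added example for this article (not code from BitLocker, PGP or any management console), here is a small audit in Python run over constructed status dumps shaped like `manage-bde -status` output on Windows 7. The layout of the dump and the protector names are assumptions drawn from that tool's output; a real audit would collect the dumps from each laptop and feed them in.

```python
import re

def sample(conversion, percent, protection, protectors):
    """Constructed test data in the shape of a `manage-bde -status C:` dump (assumed format)."""
    lines = [
        "Volume C: [OS]",
        "[OS Volume]",
        "",
        "    Size:                 465.14 GB",
        "    BitLocker Version:    Windows 7",
        "    Conversion Status:    " + conversion,
        "    Percentage Encrypted: " + percent,
        "    Encryption Method:    AES 256",
        "    Protection Status:    " + protection,
        "    Lock Status:          Unlocked",
        "    Key Protectors:",
    ] + ["        " + p for p in protectors]
    return "\n".join(lines) + "\n"

# Four constructed laptops: good, TPM-only (no PBA), still encrypting, never encrypted.
FLEET = {
    "LT-0001": sample("Fully Encrypted", "100%", "Protection On", ["TPM And PIN", "Numerical Password"]),
    "LT-0002": sample("Fully Encrypted", "100%", "Protection On", ["TPM", "Numerical Password"]),
    "LT-0003": sample("Encryption In Progress", "37%", "Protection Off", ["TPM And PIN", "Numerical Password"]),
    "LT-0004": sample("Fully Decrypted", "0%", "Protection Off", []),
}

# Protector names as manage-bde prints them (assumption). Only these require the user
# to present something before the OS boots; a bare "TPM" protector unlocks silently.
PBA_PROTECTORS = {"TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key", "Password"}
RECOVERY_PROTECTORS = {"Numerical Password"}  # the 48-digit recovery password, to be escrowed

FIELD = re.compile(r"^ {4}([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_status(text):
    """Return ({field: value}, [protector names]) from one status dump."""
    fields = {m.group(1): m.group(2).strip() for m in FIELD.finditer(text)}
    protectors = []
    if "Key Protectors:" in text:
        tail = text.split("Key Protectors:", 1)[1]
        protectors = [line.strip() for line in tail.splitlines() if line.strip()]
    return fields, protectors

def assess(text):
    """Apply the policy: fully encrypted, protection on, PBA present, recovery key present."""
    fields, protectors = parse_status(text)
    findings = []
    if fields.get("Conversion Status") != "Fully Encrypted":
        findings.append("not fully encrypted: %s (%s)" % (
            fields.get("Conversion Status", "unknown"), fields.get("Percentage Encrypted", "?")))
    if fields.get("Protection Status") != "Protection On":
        findings.append("protection off (suspended or never enabled): volume key is usable without any protector")
    if not PBA_PROTECTORS.intersection(protectors):
        findings.append("no pre-boot authentication: boot unlocks the disk without a PIN, password or startup key")
    if not RECOVERY_PROTECTORS.intersection(protectors):
        findings.append("no recovery password: a forgotten PIN means lost data unless a key is escrowed")
    return {"compliant": not findings, "protectors": protectors, "findings": findings}

def fleet_report(fleet):
    """Map device -> findings for every device that fails the policy."""
    report = {dev: assess(text) for dev, text in fleet.items()}
    return {dev: r["findings"] for dev, r in report.items() if not r["compliant"]}

if __name__ == "__main__":
    for dev, findings in sorted(fleet_report(FLEET).items()):
        print(dev, findings)
```

The TPM-only laptop (LT-0002) is the case that fools dashboards: it reports "Fully Encrypted" and "Protection On", yet anyone who powers it on gets to the Windows logon with the disk already unlocked, which is exactly what pre-boot authentication is meant to prevent.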
And If All Fails? Wipe It
As a last resort, and as an important part of your security process, evaluate tools that render a lost or stolen laptop useless. Invest in a remote wipe solution that either relies on an active communications channel (to receive the wipe command) or auto-wipes after a certain amount of time without contact.
Of course, both methods have their downsides. The problem with the regular Internet check-in is that the laptop needs to be connected to a network; otherwise there is no kill signal. And before the auto-wipe countdown runs out, a thief has a (limited) window to brute-force his way into the machine. Keep in mind, too, that either mechanism only works if the agent actually runs: a thief who never boots the stolen OS, or who pulls the drive, is stopped only by the disk encryption. Remote wipe therefore complements full-disk encryption rather than replacing it, and on an encrypted disk the fastest effective wipe is simply destroying the encryption key.
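The check-in plus countdown design above, as an added example written for this article rather than any vendor's agent: a Python model of the laptop-side logic that accepts a wipe command only when it is authenticated, bound to this device and fresh, and that falls back to a dead-man timer when the network never comes back. The per-device key, the check-in interval, the seven-day window and the fifteen-minute freshness limit are assumed policy values. The authentication matters: an agent that wipes on any "wipe" message it receives lets anyone who can answer its check-in (a rogue Wi-Fi hotspot, say) destroy your own laptops.

```python
import hashlib
import hmac
import json

# Assumed policy values for the illustration: each laptop is enrolled with its own
# secret (in practice a TPM-held key or client certificate), checks in daily, and
# wipes itself after seven days without a single successful check-in.
CHECKIN_INTERVAL = 24 * 3600
DEADMAN_WINDOW = 7 * 24 * 3600
COMMAND_MAX_AGE = 15 * 60  # a signed command older than this is refused (replay protection)

def canonical(payload):
    """Stable byte encoding so server and agent MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign_command(device_key, device_id, command, issued_at, nonce):
    """Server side: a kill command bound to one device, one issue time and one nonce."""
    payload = {"device": device_id, "cmd": command, "ts": issued_at, "nonce": nonce}
    payload["mac"] = hmac.new(device_key, canonical(payload), hashlib.sha256).hexdigest()
    return payload

class Agent:
    def __init__(self, device_id, device_key, now, deadman=DEADMAN_WINDOW):
        self.device_id = device_id
        self.device_key = device_key
        self.last_contact = now
        self.deadman = deadman
        self.wiped = False
        self.wipe_reason = None
        self.seen_nonces = set()

    def _command_is_authentic(self, msg, now):
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not mac or body.get("device") != self.device_id:
            return False
        expected = hmac.new(self.device_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        if abs(now - body.get("ts", 0)) > COMMAND_MAX_AGE or body.get("nonce") in self.seen_nonces:
            return False
        self.seen_nonces.add(body["nonce"])
        return True

    def check_in(self, now, reply=None):
        """Run on the check-in schedule. `reply` is the server's answer, or None when offline."""
        if self.wiped:
            return "already wiped"
        if reply is None:
            if now - self.last_contact >= self.deadman:
                return self._wipe("dead-man timer expired after %d s offline" % (now - self.last_contact))
            return "offline, %d s until auto-wipe" % (self.last_contact + self.deadman - now)
        self.last_contact = now
        if reply.get("cmd") == "wipe":
            if self._command_is_authentic(reply, now):
                return self._wipe("authenticated wipe command")
            return "rejected unauthenticated wipe"
        return "checked in"

    def _wipe(self, reason):
        # A real agent destroys the disk-encryption key and overwrites data; here we record the event.
        self.wiped = True
        self.wipe_reason = reason
        return "wiped: " + reason

def simulate():
    """Constructed scenarios: forged command, genuine command, replayed command, silent laptop."""
    key = b"per-device-secret-provisioned-at-enrollment"
    t0 = 1_300_000_000.0
    results = {}
    # 1. A "wipe" forged by someone without the key is ignored.
    a = Agent("LT-0042", key, t0)
    forged = {"device": "LT-0042", "cmd": "wipe", "ts": t0, "nonce": "x", "mac": "00" * 32}
    results["forged"] = a.check_in(t0 + CHECKIN_INTERVAL, forged)
    # 2. The management server's signed command wipes the machine...
    cmd = sign_command(key, "LT-0042", "wipe", t0 + 2 * CHECKIN_INTERVAL, "n-1")
    results["signed"] = a.check_in(t0 + 2 * CHECKIN_INTERVAL, cmd)
    # ...and replaying it weeks later to a re-imaged laptop fails on freshness.
    b = Agent("LT-0042", key, t0 + 30 * CHECKIN_INTERVAL)
    results["replayed"] = b.check_in(t0 + 30 * CHECKIN_INTERVAL, cmd)
    # 3. A laptop that never gets back online wipes itself when the window passes.
    c = Agent("LT-0043", key, t0)
    statuses = [c.check_in(t0 + d * CHECKIN_INTERVAL) for d in range(1, 8)]
    results["offline_day6"] = statuses[5]
    results["offline_day7"] = statuses[6]
    return results

if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, "->", outcome)
```

The dead-man path is the one that runs with no network, so it is the one a thief who keeps the laptop offline will hit; the window you pick is the trade-off between that thief's head start and the false wipes you will cause on laptops that simply sat in a drawer during a long vacation.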
Absolute Software, maker of Computrace, is one of the more popular vendors offering an all-around solution for protecting your data in case a laptop is stolen. Computrace offers a remote wipe via the "Absolute Customer Center". Once activated, the company even helps you get in touch with local law enforcement to get the laptop back.
Another solution to consider is Prey, which supports PCs and Macs as well as Android smartphones (no iOS or Windows Phone yet). You can remotely manage all your clients, wipe them in case of loss or theft, or have a machine discreetly report its location. Plans start at $5/month for up to three devices and go up to $399 for 500 devices.
Number three on our list of recommendations is Exo5, which supports file encryption, a complete drive lock, geolocation services (to track stolen or lost laptops) and, obviously, a full remote wipe service called "RemoteKill".
Don’t forget your OEM. Many computer makers offer their own solution. HP, for example, equips laptops with its Notebook Tracking and Recovery Service, which is based on the aforementioned Computrace.
We hope this article has given you reminders and tips on what to do and where to invest to prevent data loss, and how to act quickly if it happens. Host the security vendor of your choice on premises. Have them show you a proof of concept of their lockdown or remote wipe solution, and see which one fits your company; make sure it works across your mix of clients. Then plan how many clients actually get the full encryption, lockdown and remote wipe capability; in some companies that only applies to the Legal, HR and Executive departments.