http://australianit.news.com.au/articles/0,7204,15431809%5E15864%5E%5Enbv%5E,00.html Selina Mitchell The Australian MAY 31, 2005 EMPLOYEES may be able to use a notebook computer almost anywhere, but equally, a laptop can be stolen from almost anywhere. An unexpected destination for a corporate traveller is often the local police station to report a stolen laptop. The handy little lightweights are swiped from cars, homes, airports and hotels as well as businesses. As the rate of notebook use increases in business, so does the number of thefts. The notebook itself may be expensive to replace, but the data on the system is sometimes priceless. Depending on the nature of the data and how well it is protected, the theft could lead to the leaking of state or company secrets and the downfall of a company or even a government. It is impossible to fully protect every laptop-toting individual from thieves, but there are products designed to make theft harder, and to protect data even if the hardware is stolen. The fear of data theft, accidental or intended, has led some laptop purchasers to begin demanding better built-in security from vendors. Figures on notebook thefts in Australia each year can only be estimated, as not all thefts are reported and there is no national tally. The Australian Computer Emergency Response Team's 2004 Australian Computer Crime and Security Survey reports that 58 per cent of respondents experienced laptop theft in the past 12 months, up from 53 per cent in 2003. According to 63 per cent, the laptop theft had resulted in financial loss, ranging from as little as $1000 to as much as $200,000. The average loss was $17,670 – well down on the $27,500 quoted in last year's survey and perhaps reflecting lower costs of laptops. The total annual loss of $1.5 million accounted for 9 per cent of total losses from computer crime, behind virus infections, computer-facilitated financial fraud, and degradation of network performance because of network scanning. Almost three quarters of those surveyed said they had increased spending on computer security in the past 12 months. "The readiness of organisations to protect their IT systems has improved in three key areas: the use of information security policies, the use of information security standards or guides, and the number of organisations with experienced, trained, qualified or certified staff," the report says. However, despite these improvements, fewer respondent organisations reported they were managing all computer security issues reasonably well (only 5 per cent in 2004 compared with 11 per cent in 2002 and 2003). According to IDC market analyst Michael Sager, company CIOs pay more attention to desktop security than laptop security. Despite 28 per cent growth in sales, laptops made up 31.4 per cent of the combined desktop/laptop market in the first quarter of 2005, he says. In laptops, "CIOs don't know what they want, so they are not necessarily getting what they need from vendors", he says. Some notebook vendors have begun to supply security products, but there's a lot of market particularly among small and medium businesses. "We're on the cusp of companies finding out that notebook security is an issue," Sager says. "There are so many vendors, the market is saturated and something has to give. "Vendors don't want to lose sales, so it may push back their ability to meet customer needs – or it could really drive change." Toshiba Information Systems general manager Mark Whittard says system and data security now tops the list of his customers' requirements. Enterprise clients are more concerned about data theft, but small business and education buyers are more worried about the loss of the notebook itself, he says. Lenovo offerings manager David Nichol says security is the top consideration for corporate clients, and data security is the increasing focus. "Organisations are realising that, as more of their staff use notebooks, their data is more likely to be in the public domain," Nichol says. "They want notebook-level security, where before they wanted network-level security." Hewlett-Packard enterprise notebooks market development manager Laurie White says the race is on for vendors to supply the best in business anti-theft options. As vendors introduce security measures, notebooks will become like cars, White says. Thieves will target the brands known to be easy to steal. "There will be brands of notebooks that thieves won't touch because they know they won't be able to get them to work." Theft and data protection are becoming more and more important, he says. "The loss of the notebook is minuscule compared with the value of the data that may be held on it. The data is worth 10 times more." The costs of introducing security are minimal – 5 per cent of the notebook's total cost, White says. Dell senior product marketing manager Jeff Morris says even old, slow notebooks are a target for thieves. "It's not down to how it looks, but how easy it is to take," he says. Nichol says physical security has a lot to do with the user and how they control the notebook in their care, and users are becoming more careful. They also, however, have more devices to help them keep their notebooks safe, including cable locks, alarms, and anti-theft tags that, if removed, disable the system or mark it as stolen. Some insurance options include no-excess cover for theft or damage, and premiums can be lowered if anti-theft measures are in place. If data is protected, there should be little concern that information on a stolen notebook will fall into the wrong hands. Tor Nordhagen, Accenture Asia-Pacific security group director, says all portable devices were a security risk as they involved information in transit, including memory sticks, pieces of paper and notebook computers. All businesses require an information policy that states clearly information pertaining to an enterprise should be treated as classified. "You need to protect all of that information," he says. The contents of the machine should be protected by encryption, and there are a number of ways to authenticate a user before a system can be accessed at all, including basic password protection, smartcard readers and fingerprint readers. Encryption can also be used to secure the network the laptop uses to communicate with its home base. Whittard says the wireless network technology has improved and if all the security levels are set it can be more secure than a wired network. Nordhagen says companies with high security requirements can use a form of mandatory access control, so only de-classified information is allowed in insecure zones. "You can also impose a very simple form of information management on the notebook," he says. "You can check in and out information to the laptop, information that is generally stored on a secure office network but can be released for use on a notebook." He also warns that some security measures can backfire, so it is important to ensure administrators can deal with any technical issue that arises, such as a forgotten password or a lost smartcard used to boot up a notebook. Security measures will only improve, vendors predict. Vendors are working on more security products. For example, Later this year Toshiba will release a privacy screen. When switched on the screen can only be viewed from directly in front, avoiding spying while in airport lounges, on planes or other public places. Handy tips on securing your laptop Physical security * Use a cable lock or alarm device to secure the notebook to the office desk or to permanent structures such as airport seats. * Don't leave an unsecured notebook in the car - lock it in the boot out of sight. * Don't use an obvious laptop bag that may make you a target. * Keep your laptop with you when travelling - take it on planes as carry-on luggage. * Consider products that secretly mark your computer as your own, or as stolen if a business tag is removed. Data security * Develop and enforce an information security policy. * Require passwords for boot-up access. * Encrypt data on the notebook and data that is transferred to and from the notebook when on the road. * Consider insurance that can cover theft or accidental loss – premiums can be lower if security measures have been adopted. * Back up all data. Examples of products and services available * Software at BIOS level that tracks a reported stolen computer when it is reconnected to a network, or vendor services that provide identity tags that can be tracked when a new user tries to access support or products for a stolen notebook. * Software that ensures a notebook will not work outside a set radius. * Software that locks off sections of the system, or particular devices, such as the DVD writer. * Technology that provides shock protection, spill resistance. * Built-in or external smartcard and fingerprint reader - no card no boot-up. _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Tue May 31 2005 - 11:25:45 PDT