http://www.palmbeachpost.com/business/content/business/epaper/2006/07/02/a1f_Laptops_0702.html

By Stephen Pounds
Palm Beach Post Staff Writer
July 02, 2006

Laptops have become the latest loose-lipped losers of personal and corporate data.

The electronic documents opened on a stolen laptop computer can jeopardize sensitive corporate and personal information and force firms to issue embarrassing statements to those who might be harmed by the data breach.

Now high-tech managers are looking to reduce their risk of data loss — not to mention damage control — resulting from pilfered notebook PCs tethered to company mainframes and critical servers.

"Companies go into crisis mode," said Pete Nicoletti, vice president of secure information systems at Terremark Worldwide Inc., a network services and real estate company in Miami. "With interconnected networks, the entire world can dumpster-dive in your computers."

Today's laptops are lighter, cheaper and more powerful than ever before. With a wireless Internet card, users can access the Web from anywhere, making them ideal for remote work from home or while traveling.

But that same portability has made them more attractive to thieves. In the past year, business and government laptops have been yanked from homes, cars, aircraft and hotel rooms or lost to owner fumble-itis in 29 instances, says the San Diego-based Privacy Rights Clearinghouse. Those losses put the personal information of tens of millions of people at risk.

In one of the largest data breaches ever, a laptop carrying the personal information of 26.5 million veterans discharged since 1975 was stolen in May from the home of a Department of Veterans Affairs analyst. The VA announced Thursday the laptop has been recovered, with no evidence of identity theft.

And just last month, the Federal Trade Commission, the government's standard-bearer against data theft, revealed that two laptop computers containing personal and financial data it had gathered in investigations on 110 people had been stolen from an employee's car.

"Laptops are a significant (cause) of data theft," said Beth Givens, director of the Privacy Rights Clearinghouse. "It is symptomatic of people taking their work with them everywhere they go."

If data has been compromised, 24 states require companies to notify those who could be harmed; eight more states have enacted laws that will go into effect in the next six months.

All of this is forcing tech managers to bolster laptop security.

First, they are training employees on laptop management, starting with common sense: Employees are to carry their laptops at all times or to lock them up.

After a data breach last November involving a stolen laptop with data on 160,000 employees at the Boeing Co. in Chicago, the company began requiring human-resource and payroll employees who take a laptop home or on travel to physically lock them to a desk while using them. The company also has begun random audits of laptops to check for old and forgotten data files.

"If you have information on your laptop, it should be encrypted and the computer is supposed to be secured," said Boeing spokesman Tim Neale.

Companies also are disabling extra USB ports and writeable CD-ROM drives to keep employees from copying information to thumb drives, compact disks and other portable storage devices. They are restricting some files only to their secure networks and banning employees from taking pictures of documents with camera phones.

And if a laptop is stolen, they are to report it to the company and to authorities immediately, said Bob McConnell, a security consultant who worked with Alpharetta, Ga.-based ChoicePoint Inc. last year when the data broker suffered a major breach of its databases.

"Almost all companies that travel will have to become sensitive to it because of what they've seen in the media," McConnell said of laptop security. "They can't afford the fallout of compromised data."

Damage control could be costly and distracting.

Already, the VA has spent $14 million just to notify veterans of the breach. The government also has agreed to provide free credit monitoring to the veterans whose personal information may have been compromised, a move expected to cost millions more. Even so, five veterans groups have filed a class-action lawsuit seeking damages for violation of privacy.

A report last year by the Elk Rapids, Mich.-based Ponemon Institute found it costs a company about $5 million to notify victims of a data breach, or about $138 a victim. It can be much more for firms such as data brokers and banks and financial services.

But the real loss may be in disenchanted customers. Even when companies made the effort to notify consumers of a data breach, 19 percent of survey respondents said they would discontinue their business with the company, or already had, the Ponemon study showed.

"Customers may churn rather than work with a company that has a bad reputation. A data breach is a signal that a company is just not well-controlled," said Larry Ponemon, the firm's chairman.

Some companies say the best way to protect data is to take the risk out of employees' hands. They have added more layers of laptop access control, allowing sensitive data to leave the building with only a chosen few.

If employees are authorized remote access to a company's computer network, they'll need either a password, smart card, rolling digital number from a key fob, biometric identification such as a thumbprint, or more than one of these to get in.

"If you don't have a password, you can't get the laptop up and running," said Jacob Rice, a spokesman for Siemens Communications Inc. in Boca Raton. "You need another password to get into the VPN."

A VPN, or virtual private network, allows companies to transmit data across a public network such as telephone lines or the Internet using encryption and other security mechanisms to protect it.

Interfuse Technologies Chief Executive Phil Viscomi is a believer in encryption. His Boca Raton-based company sells a software program that not only encrypts a document or e-mail but restricts the receiver from copying it, cutting and pasting parts of it to another document, or disseminating it.

With Interfuse's OfficeLock program, data is scrambled and transmitted to someone collaborating with the sender. But the receiver must have decoding software and a password to unscramble it. After reading it, he is simply restricted to closing it.

"If you lose your laptop, the information becomes inaccessible," Viscomi said. "Data is meant to be shared. It's normal... to send information to the wrong person. But they won't be able to use it."

One Interfuse customer, Verasys Inc. of Miami, uses encryption software but also recommends clients consider it as an extra layer of protection to access control by passwords and biometric means, said Verasys partner D.C. Page.

"Once you check your thumbprint or iris, you've opened the door. It doesn't go far enough. It's at the perimeter. You still need to communicate securely," Page said.

Despite these measures, most tech managers don't think their companies are meeting the computer security threat adequately.

In a survey by Deloitte & Touche USA LLP of 150 chief security officers from technology, media and telecommunications companies in 30 countries earlier this year, only 4 percent said they believe they are doing enough to address the problem. Still, 74 percent said they would spend more time dealing with information security in the next year because of stiffer privacy regulations in many states.

Stacy Cannady, director of client security for Raleigh, N.C.-based Lenovo Group, said tech managers opted for free encryption software off the Internet a year ago. But lately, they've switched to multi-level laptop security that includes a combination of file, hard-drive and operating-system encryption after many states demanded public notification of personal data breaches.

"No business wants that. It's a huge expense," Cannady said. "Customers don't trust you. The press is all over you. And you look like an idiot."