I attended a press briefing a couple of days ago on a new study that analyzes the impact of lost and stolen laptop computers on businesses. The astounding financial costs and liability from potentially exposed data left me wondering if panic attacks might be becoming another autonomic nervous response, alongside heartbeat and breathing, among businesspeople, IT professionals and CFOs.
Shockingly, not so. In fact, the vast majority appeared so completely indifferent or unaware of the inevitable consequences that they weren’t taking even basic precautions – no encryption, no back-up, no anti-theft technologies.
“The Billion Dollar Lost-Laptop Study,” conducted by Intel Corporation and the Ponemon Institute, surveyed 329 businesses and other organizations. It found that in the course of a year participants’ had parted with more than 86,000 laptops either through carelessness or theft. The resulting cost was a staggering $2.1 billion.
Costs came from wagon-circling in anticipation that data on the systems might fall into competitors’ hands or show up on Wikileaks, lawyers who had to comply with legal and regulatory procedures, and lost productivity of employees who cooled their heels while waiting for replacement laptops and the chance to begin their jobs anew, since none of their work was backed up.
According to the study, the odds of employees leaving their laptops under tables at Starbuck’s or having them yanked through shattered passengerside windows of their cars vary slightly from 5 to 10 percent, the latter about the same odds that “Frosty The Snowman” is the ladies’ in your lives favorite animated Christmas special. Employees in different industries fared slightly better or worse. Of the 11 industries surveyed, educational and research institutions scored the highest in missing laptops at a bit under 11 percent, while the financial institutions lost just over 5 percent.
I was somewhat surprised that thieves made off with only 25 percent of those systems for sure, though they study suggests foul play in another 15 percent. The remaining 60 percent were simply “missing.” When only theft is considered, the places to keep a death grip on your laptop are the ones we all know – airports, train stations (particularly Paris from my experience) and other transportation venues. Among those companies with the highest theft rates, transit locations accounted for nearly 50 percent of the crime scenes.
Here’s the really scary part. It is our comfortably safe homes, hotel rooms or customers’ conference rooms that the study cited as the most dangerous places. More than 40 percent of all lost and stolen laptops wander out of these venues while we’re feeling complacent. Though No. 1 for theft, transportation venues rank No. 2 for combined lost and stolen laptops with roughly one-third going astray there.
Your office is the safest place. Only 12 percent go missing from the home cube. [As a side note, that’s where I lost mine to obviously highly trained thieves. They somehow lifted my unsecured laptop off my desk in my open cube in the middle of the night without leaving a trace or anyone seeing them. The authorities are still baffled, which might suggest why only 5 percent of missing laptops are found. (There will be a test later to see what you’ve learned from this anecdote. So, you may want to reread this section if the lesson is unclear.)] Another 12 percent vanished without explanation, though I suspect the same gang.
According to the study, 48 percent of the missing laptops contained confidential data (the biggest factor in both the cost of missing laptops and severity of crippling after-the-fact panic attacks among their overseers). However, I asked my friend Kevin Beaver, an information security consultant, author and blogger, what he thought of that figure. “Clearly, there are 52 percent of workers and IT pros out there who don’t know what’s on their computers,” he quipped. The source for his skepticism is the data assessments he performs with his clients. When he assesses their hard-drive contents, virtually all have confidential data of some sort, all the way from customers’ – and family members’ – names and numbers to corporate documents they hadn’t considered.
No Bullets in Most Laptops
Finally, here’s the part that will blow you away. We’ve just seen that lost and stolen laptops are astronomically expensive, that thieves are pretty talented, and workers somewhat inattentive and forgetful at times, and that nearly all laptops likely have files their owners wouldn’t want posted on the Internet. So, how many of these companies do you think used encryption, back-up or anti-theft technologies, the basic stuff?
Take a wild guess. Sorry, you’re way too high. The study determined that only 30 percent took advantage of encryption, 29 percent back-up and 10 percent anti-theft technologies. If you guessed right, you were probably either reading ahead or among the CISOs of these companies. While it may seem reckless to send mobile workers out the door without the bullets in their laptops to protect them, I have to think the cause is lack of understanding of the consequences, not cavalier attitudes. Unfortunately, most people, including many IT pros, believe that the cost ends with the missing hardware, that few systems pack confidential material and that the odds of theft are largely in their favor. Well, now it should all be clear.
For solutions, let’s consider Malcolm Harkins. Malcolm is Intel’s CISO. He and his group stand guard on the company’s 87,000-strong mobile workforce. Their strategy looks at both technology – encryption, back-up and anti-theft solutions among them – and employee education to drive down the number of lost and stolen laptops. Here’s my last astounding factoid: using this approach, Malcolm and his team have driven down Intel’s number of wayward laptops to less that 1 percent, about 700 computers a year. Now, that’s staggering.