“We have a problem.” When your boss says this, it can be translated directly to “we’re bleeding money” or hints at some risk to revenue or the bottom line. How do you react to this statement?
The most efficient reaction is to find the money leak and plug it while determining its impact on your other plans – hopefully before it happens. This risk management behavior works both in business and your personal life. Maintaining calm while you drive these activities is a mark of someone who is comfortable with chaos, risk and the moods of the Gods of Business.
When I refer to a problem, it usually has to do with laptop theft or loss. I work with the Intel® Anti-Theft Technology team; when we started looking into the problem of laptop theft and loss, there was little broad data characterizing it, or placing it in proper scope. Sure, it was an impact to businesses, but how much? “The Cost of a Lost Laptop” report, by Ponemon Institute, provided a baseline for the impact to businesses. A second Ponemon Institute report, “The Billion Dollar Laptop Problem”, looked at the greater impact to businesses – not just one laptop, but the issue of loss and theft across the entire fleet. If you understand the impact to your business, you can put a plan together that can not only plug the hole that leaks the money, but perhaps learn new, better ways of doing business.
These reports both highlighted the need for more education and adoption of very basic security policies. In this light, Intel Anti-Theft Technology has just posted a new tool*. This online tool takes in factors around the laptop use environment, and provides a risk profile, as well as looking at the risk mitigation of various security solutions. The data the tool relies on comes from findings within the Billion Dollar Laptop Problem report. This tool isn’t a true return on investment or total cost, but does give you a perspective on the potential impact of laptop loss or theft to companies that are pretty similar to your company. You now have a baseline against which you can test your lost laptop rate.
Calculating the Lost Laptop Money Leak
Since this tool is available, what can you do to further understand laptop loss and theft within your company? You can compare your numbers against “The Cost of a Lost Laptop” report - it breaks down the potential costs really well. The report provides a great framework that you can use right now pretty easily. Here’s a simple table you can use to collect the data (I’ve inserted the average ratios from the report into the table only for comparison; your results may be different).
Laptop Replacement (3.2%)
Detection & Escalation (0.5%)
Forensics & Investigation (1.7%)
Data Breach Cost (79.8%)
IP Loss (11.9%)
Productivity Loss (0.5%)
Other Legal / Regulatory (2.4%)
This gives you the potential cost of your (potential or real) lost laptop, as well as your data breach cost – critical in understanding cost drivers in more general IT security. Some costs in the table will be pay-outs or simple expenditures, and others will be calculated by the time needed to do the work times the cost of the role (number of hours, multiplied by a standard IT tech’s hourly salary). If you want a better definition of these data points, this will help:
Cost drivers of a lost laptop -
- Laptop replacement – a new laptop, ready for use. What does it cost to get a functional laptop in front of the person who needs it (and just lost theirs)?
- Detection & Escalation – how do you discover a laptop is lost, and where does that knowledge go? Calculate the wage and time taken to do this work.
- Forensics & Investigation – the effort spent researching the laptop loss.
- Data Breach cost – The cost of a data breach for your company, caused by the laptop going bye-bye – we’ll look deeper into this in a minute.
- IP (Intellectual Property) Loss – The cost of lost IP against the chance of a competitor discovering it (risk = potential * impact). The calculated risk and financial impact of having your competitor know everything on the laptop.
- Productivity Loss – downtime due to lost laptop. Ponemon used estimated hourly rate times 2.5 hours. This is normally an indirect cost (not impacting the company’s bottom line), but to determine the lost laptop value, it’s a reasonable addition.
- Other Legal / Regulatory – any other costs or effort incurred in responding to the lost laptop. You may have fines, but this also includes consulting on laptop loss or remediation.
The Cost of a Data Breach
Data breach cost is derived from (1) what you pay out in the process of handling the breach, (2) work or effort related to the data breach, and (3) loss of future business due to the data breach. This is only cost directly related to the breach itself – not including the cost impact of lost IP or other costs already accounted for or not relevant. Now you have a way to calculate any type of data breach inside your company.
Look at these data points and add them up. If the laptop’s state – lost or stolen – isn’t known, treat the cost components based on the chance (risk) of the laptop and its data getting into wrong hands – chance of occurrence times impact equals risk-adjusted cost.
Go back to the risk tool link and answer the questions, getting it as close as you can to your business’ environment. Compare the number you calculated above to the results of the report. The number you calculate is to be compared against the total cost of a lost laptop before anti-theft technology. The expected cost of a laptop is risk-adjusted, both on the chance of the laptop being lost or stolen and with the risk spread across all the laptops you define for the analysis via the tool.
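The calculation described above, as an added example that is not part of the original post or the Intel tool: it collects the seven cost drivers, computes effort-based items as hours times hourly rate, risk-adjusts the breach and IP costs for a laptop whose fate is unknown, and sets your ratios beside the report's averages. All dollar amounts, hours, rates and the 25% chance are constructed sample values, and applying the risk adjustment only to the breach and IP lines is an assumption.

```python
# Average share of the total cost per driver, as quoted from the report above.
REPORT_SHARE = {
    "Laptop Replacement": 3.2, "Detection & Escalation": 0.5,
    "Forensics & Investigation": 1.7, "Data Breach Cost": 79.8,
    "IP Loss": 11.9, "Productivity Loss": 0.5, "Other Legal / Regulatory": 2.4,
}

def labor(hours, hourly_rate):
    """Effort-based cost: time needed for the work times the cost of the role."""
    if hours < 0 or hourly_rate < 0:
        raise ValueError("hours and rate must be non-negative")
    return hours * hourly_rate

def risk_adjusted(impact, chance):
    """Chance of occurrence times impact, for a laptop whose fate is unknown."""
    if not 0.0 <= chance <= 1.0:
        raise ValueError("chance must be between 0 and 1")
    return chance * impact

def lost_laptop_cost(costs):
    """Return (total, rows); rows map driver -> (cost, your %, report %)."""
    missing = sorted(set(REPORT_SHARE) - set(costs))
    if missing:
        raise ValueError(f"missing cost drivers: {missing}")
    total = sum(costs[d] for d in REPORT_SHARE)
    if total <= 0:
        raise ValueError("total cost must be positive")
    rows = {d: (costs[d], round(100 * costs[d] / total, 1), REPORT_SHARE[d])
            for d in REPORT_SHARE}
    return total, rows

def example():
    # Constructed sample figures, not taken from the report.
    chance = 0.25  # assumed chance that the data reaches the wrong hands
    return lost_laptop_cost({
        "Laptop Replacement": 1500.0,
        "Detection & Escalation": labor(4, 50.0),
        "Forensics & Investigation": labor(10, 80.0),
        "Data Breach Cost": risk_adjusted(40000.0, chance),
        "IP Loss": risk_adjusted(8000.0, chance),
        "Productivity Loss": labor(2.5, 40.0),  # 2.5 hours, as in the report
        "Other Legal / Regulatory": 400.0,
    })

if __name__ == "__main__":
    total, rows = example()
    for driver, (cost, mine, report) in rows.items():
        print(f"{driver:27} {cost:10.2f} {mine:5.1f}% (report avg {report}%)")
    print(f"{'Total':27} {total:10.2f}")
```

A driver whose share sits far from the report average is the place to recheck your inputs or your process first.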