How to Stop a Laptop Thief

Many PC owners seem oblivious to the risks surrounding their equipment; a good number of thefts occur because people carelessly leave their computers in places where they are likely to be stolen.

"You have to consistently enforce all of that or you lose control," McKnight says. Accordingly, Northrop Grumman constantly drives home the security point. The company has a mandatory security awareness program for all its employees and prohibits employees, including the CEO, from taking laptops with them when travelling to a set list of countries. And company security policy strongly discourages employees from putting data on any devices that leave the borders of the physical corporate building.

Even so, the company occasionally sees laptops stolen, but not from classic "smash and grab" actions; they've been taken almost exclusively from hotels when employees are travelling on business. Hotels are magnets for laptop thieves: They look for weary business travellers who aren't paying attention or who set their laptop cases down for a moment in an unoccupied conference room.

At McKesson, the company has password-protected the hard drives in its notebooks to ensure that if they're removed, they can't be read. Patrick Heim, McKesson's vice president of enterprise security, says: "It's a minor inconvenience for users", but worth it overall to the company. He says that the company encrypts data only for users who carry sensitive information. Heim notes that McKesson's policies can't prevent someone from leaving a laptop in his car, but password protecting the hard drive limits the company's liability, and it's something the company can enforce.

In McKnight's case, he adds that it helps that Northrop Grumman is a defence contractor. Over half of its employees hold some level of government clearance and attend a security refresher yearly to maintain their clearance levels. Many of its buildings require clearance to enter - an automatic barrier to the Daniel Robinsons of the world. But even in buildings that don't, escorts are assigned to all visitors (even when they're headed to the bathroom) and surveillance cameras monitor the premises.

That kind of talk would please Richard Leon, a seen-it-all inspector with the burglary and fencing detail in the San Francisco police department (SFPD). Leon thinks companies should never let visitors in without escorts and should issue badges that clearly show someone is an outsider. In addition, employees should challenge people they don't recognize who don't have a badge visible. (He recommends that company security guards do badgeless walk-throughs and reward employees who challenge them.)

Law enforcement officials also believe in policy. Leon and his boss, lieutenant Tom Buckley, think simple measures make all the difference. By using visitor escorts, enforcing use of badges and employing surveillance systems where someone actually watches the monitors, most companies would drastically reduce their potential losses for laptop theft, says Leon. Buckley also notes that most companies have no record of their laptops' serial numbers, which means that there's almost zero chance of recovering the computers if stolen. "Look, you can't stop all of it. But if there's no policy, it's wide open," Buckley says.

So policy can work. Again, though, companies must be disciplined about it. Here's what they should do:

• Educate users. Bombard new users with the statistics on theft and the horror stories. Remind them of the need for Sarbanes-Oxley and HIPAA compliance. Drill the fear of laptop theft into their heads.

• Establish data policies. For users with sensitive data access, make sure they need a password to access their hard drives. Encrypt sensitive data and use automated backup. For notebooks with sensitive data on them, try motion alarms.

• Do not leave company visitors unattended.

• Finally, remember that policy is not something a company adopts solely to prevent theft. Harold Hendershot, section chief of the computer intrusion section of the FBI's cyberdivision, says policy must also extend to what happens when a laptop is stolen, starting with whether to report it to law enforcement.

"As a security officer, you're going to want to do an assessment: What was on the laptop? Was the password for the corporate network written anywhere? Does the laptop have remote access software?" says Hendershot. Companies need to ask these questions to see how vulnerable they are.

Though most laptops are stolen simply for the hardware to be fenced, exceptions will exist. Hendershot says the FBI was recently involved in tracing laptop thefts from a national laboratory. It suspected the worst for lab data. But it turned out that drug dealers just wanted to use the stolen computers for running navigation software. They plotted the locations where police usually set up their roadblocks and mapped alternate routes for drug runners. Still, Hendershot recommends finding out whether there's proprietary data, especially financial data, on the hard disk of any stolen laptop.

Companies should know that the number-one reason why laptops are not recovered is that the laptop's serial number exists only on the laptop. Gartner's Fiering says that many companies have tried to use asset tags to counter this problem. But these are easy to remove, so that doesn't work. She recommends asset management software for keeping the serial number separate from the notebook.
