I attended a press briefing a couple of days ago on a new study that analyzes the impact of lost and stolen laptop computers on businesses. The astounding financial costs and liability from potentially exposed data left me wondering if panic attacks might be becoming another autonomic nervous response, alongside heartbeat and breathing, among businesspeople, IT professionals and CFOs.
Shockingly, not so. In fact, the vast majority appeared so completely indifferent or unaware of the inevitable consequences that they werenâ€™t taking even basic precautions â€“ no encryption, no back-up, no anti-theft technologies.
â€śThe Billion Dollar Lost-Laptop Study,â€ť conducted by Intel Corporation and the Ponemon Institute, surveyed 329 businesses and other organizations. It found that in the course of a year participantsâ€™ had parted with more than 86,000 laptops either through carelessness or theft. The resulting cost was a staggering $2.1 billion.
Costs came from wagon-circling in anticipation that data on the systems might fall into competitorsâ€™ hands or show up on Wikileaks, lawyers who had to comply with legal and regulatory procedures, and lost productivity of employees who cooled their heels while waiting for replacement laptops and the chance to begin their jobs anew, since none of their work was backed up.
According to the study, the odds of employees leaving their laptops under tables at Starbuckâ€™s or having them yanked through shattered passengerside windows of their cars vary slightly from 5 to 10 percent, the latter about the same odds that â€śFrosty The Snowmanâ€ť is the ladiesâ€™ in your lives favorite animated Christmas special. Employees in different industries fared slightly better or worse. Of the 11 industries surveyed, educational and research institutions scored the highest in missing laptops at a bit under 11 percent, while the financial institutions lost just over 5 percent.
I was somewhat surprised that thieves made off with only 25 percent of those systems for sure, though they study suggests foul play in another 15 percent. The remaining 60 percent were simply â€śmissing.â€ť When only theft is considered, the places to keep a death grip on your laptop are the ones we all know â€“ airports, train stations (particularly Paris from my experience) and other transportation venues. Among those companies with the highest theft rates, transit locations accounted for nearly 50 percent of the crime scenes.
Hereâ€™s the really scary part. It is our comfortably safe homes, hotel rooms or customersâ€™ conference rooms that the study cited as the most dangerous places. More than 40 percent of all lost and stolen laptops wander out of these venues while weâ€™re feeling complacent. Though No. 1 for theft, transportation venues rank No. 2 for combined lost and stolen laptops with roughly one-third going astray there.
Your office is the safest place. Only 12 percent go missing from the home cube. [As a side note, thatâ€™s where I lost mine to obviously highly trained thieves. They somehow lifted my unsecured laptop off my desk in my open cube in the middle of the night without leaving a trace or anyone seeing them. The authorities are still baffled, which might suggest why only 5 percent of missing laptops are found. (There will be a test later to see what youâ€™ve learned from this anecdote. So, you may want to reread this section if the lesson is unclear.)] Another 12 percent vanished without explanation, though I suspect the same gang.
According to the study, 48 percent of the missing laptops contained confidential data (the biggest factor in both the cost of missing laptops and severity of crippling after-the-fact panic attacks among their overseers). However, I asked my friend Kevin Beaver, an information security consultant, author and blogger, what he thought of that figure. â€śClearly, there are 52 percent of workers and IT pros out there who donâ€™t know whatâ€™s on their computers,â€ť he quipped. The source for his skepticism is the data assessments he performs with his clients. When he assesses their hard-drive contents, virtually all have confidential data of some sort, all the way from customersâ€™ â€“ and family membersâ€™ â€“ names and numbers to corporate documents they hadnâ€™t considered.
No Bullets in Most Laptops
Finally, hereâ€™s the part that will blow you away. Weâ€™ve just seen that lost and stolen laptops are astronomically expensive, that thieves are pretty talented, and workers somewhat inattentive and forgetful at times, and that nearly all laptops likely have files their owners wouldnâ€™t want posted on the Internet. So, how many of these companies do you think used encryption, back-up or anti-theft technologies, the basic stuff?
Take a wild guess. Sorry, youâ€™re way too high. The study determined that only 30 percent took advantage of encryption, 29 percent back-up and 10 percent anti-theft technologies. If you guessed right, you were probably either reading ahead or among the CISOs of these companies. While it may seem reckless to send mobile workers out the door without the bullets in their laptops to protect them, I have to think the cause is lack of understanding of the consequences, not cavalier attitudes. Unfortunately, most people, including many IT pros, believe that the cost ends with the missing hardware, that few systems pack confidential material and that the odds of theft are largely in their favor. Well, now it should all be clear.
For solutions, letâ€™s consider Malcolm Harkins. Malcolm is Intelâ€™s CISO. He and his group stand guard on the companyâ€™s 87,000-strong mobile workforce. Their strategy looks at both technology â€“ encryption, back-up and anti-theft solutions among them â€“ and employee education to drive down the number of lost and stolen laptops. Hereâ€™s my last astounding factoid: using this approach, Malcolm and his team have driven down Intelâ€™s number of wayward laptops to less that 1 percent, about 700 computers a year. Now, thatâ€™s staggering.