AUSTRALIA ARTICLE ON LAPTOP THEFT AND COMPUTER SECURITY IN GENERAL
Australian IT - Laptop lockdown (Selina Mitchell, MARCH 09, 2004)
Laptop lockdown
Selina Mitchell
MARCH 09, 2004
SOMEWHERE across the country right now, someone's laptop is probably being stolen. Depending on the nature of the data stored on it and how well it is protected, the theft could lead to the downfall of a company or even a government.
At the very least it will mean lost work time and potentially high data recovery and laptop replacement costs, as very few laptops are recovered.
It is impossible to fully protect every laptop-toting individual from thieves, but it is possible to reduce the probability of theft happening to companies and staff, experts say. It is also possible to minimise the damage by being prepared for the worst.
It is difficult to know just how many laptops are stolen in Australia each year, as not all thefts are reported because of fears of bad press and theft figures are not collated nationally.
According to figures from the Australian Computer Emergency Response Team's 2003 Australian Computer Crime and Security Survey, laptop theft is one of the largest sources of computer crime losses.
More than half the companies (53 per cent) surveyed by AusCERT reported at least one laptop theft in the previous 12 months, and 64 per cent said the theft had caused financial loss.
Stolen laptops created an average loss for each affected organisation of $27,500, and the mobile theft crime category, at $2.3 million, was the second highest total annual loss, behind financial fraud on $3.5 million.
Organisations took longer to recover from a laptop theft than from any other type of computer crime, with six of the affected companies saying it took more than a month to recover and another six saying they may never fully recover.
The 2004 computer crime survey will be released at the end of May. Analysts expect the figures will continue to grow, as laptop sales continue to rise nationwide.
Thefts are a problem in both public and private sectors.
A federal parliamentary committee investigating computer security is surveying all government departments on thefts in recent years.
Not all agencies have responded to information requests, but so far the committee has found 851 laptops were stolen from government agencies in the past three years. That figure does not include the Department of Defence, which reported 530 items had been stolen, including laptops.
So far the biggest loser from laptop theft is the Australian Tax Office, with 147 laptops stolen, closely followed by the Department of Industry, Tourism and Resources, with 138.
"Evidence to the inquiry showed there was no mandatory reporting of theft across the government, and record keeping in agencies and departments varied greatly," Labor IT spokeswoman Senator Kate Lundy says.
Asset management is another important area that is lacking, Lundy says.
"In fact, no-one would know about laptop theft at all unless parliamentary committees asked the right questions," she says.
"Being accountable is the first step. This requires incentives to develop policies and procedures to minimise theft and loss."
According to analyst Meta Group, a 10-15 per cent annual loss of laptops in private firms is mirrored in the public sector.
"Typical global 2000 companies might lose $US1 million ($1.3 million) to $US3 million in hardware replacement costs per year due to laptop theft," analyst Jack Gold says.
"When you count the loss of business data — which, in most cases, is never backed up to a server in the office — the loss may be $US20 million or more, depending on what users keep on their laptops."
If confidential information is stolen and lands with a competitor, the loss to the organisation can be "catastrophic", the Meta Group report says.
AusCERT senior analyst Jamie Gillespie says not enough organisations protect their laptops and data to the best of their ability.
"Some are ignorant, some do not view data or the laptops that store it as an asset, and some view the cost of security measures as too high," Gillespie says.
IBM Australia Thinkpad manager Greg Hunt says the potential for theft is a consideration for all who purchase notebooks, but that it is not a deterrent to purchase. "Many of our major customers are standardising on mobiles, irrespective of whether staff are mobile or office-based," he says.
IBM's hardware- and software-based Embedded Security Subsystem is available on the whole ThinkPad range, but it must be activated by the user.
"Even if a ThinkPad is stolen or lost, the encrypted data cannot be cracked by an unauthorised user," Hunt says.
The subsystem consists of an integrated security chip and downloadable IBM Client Security Software. It protects company information, including vital security information such as passwords, encryption keys and electronic credentials, while guarding against unauthorised user access, he says.
Effective security requires a multilayered approach, Hunt says. Companies must use up-to-date protection for the core aspects of their networks and should build in security guards on laptops.
There are different motives for stealing laptops, and they require different security strategies and priorities, Symantec Asia-Pacific systems engineer director Tim Hartman says. Some thieves are interested in the hardware and others are interested in the data.
Stealing a laptop can be as easy as waiting until its owner looks the other way, and stealing data as simple as shoulder surfing, he says.
"There is no way to ensure 100 per cent safety of equipment. It doesn't matter if it is a desktop or a laptop, if a criminal wants to get your data or hardware, they probably will if they are persistent — and the weakest link is usually the human being."
Hartman speaks from experience. He has had two laptops stolen, one from home via an easily accessible balcony, the other, all snug in its IBM-logoed computer bag, from an airport.
Hartman's first piece of advice is to always be very aware of your surroundings when you have a laptop in tow.
"If it can be seen, it can be stolen," he says.
Never leave a laptop unattended, because if it is not stolen it will be confiscated by security, he says.
It is a good idea to carry the computer in something other than a traditional computer bag, as it is then not so obvious to the average criminal, Hartman says.
"Laptop bags scream 'steal me'," Gillespie agrees.
"It does not have to be an expensive bag. Some bags look like ordinary luggage but have the advantage of personal security alarms," he says.
There is a huge industry in laptop protection, including software that tracks the location of a stolen laptop each time it makes a connection to the internet.
"You can even purchase metal plates that attach to the top of the laptop that, when removed, leave large red markings reading 'stolen laptop'," Gillespie says.
Chains and cables are another common tool for the security-conscious.
Hunt says notebooks should be physically locked down when they are left for long periods, including in car boots, offices and homes.
Cables with locks should be issued to staff with every laptop, he says.
Chains are a good deterrent, Gillespie agrees. "It makes a less easy target and is better than nothing," he says.
Companies should set up their laptops to require specific user identity and password verification before they become usable, and for data to be encrypted and decrypted only by authorised users, Hunt says.
Guidelines should be issued to everyone who uses a company laptop, and these should include rules about always carrying laptops as hand luggage and never leaving them in the back seat or boot of a car, he says.
Staff should be educated about environments that are not secure, such as wireless hotspots at airports and hotels, and crowded public places.
"Wireless connections can be hijacked. For example, in hotels people scan the network to see who else is connected," Hartman says.
"You must see yourself as an island of security. People who need to carry data with them must have good antivirus and firewall software, at least."
"There is a false presumption that you must be physically plugged into a network for someone to be able to steal your data," Gillespie says.
"If you leave your wireless Ethernet adaptor running, it listens for connections up to 150 metres away. A very simple software configuration would prevent any data theft, but it is often not done."
"Once authorised for access, a connection should be established through a virtual private network, thereby establishing complete privacy of the data being exchanged," Hunt says.
Encryption is the only failsafe for secure email and attachments, he says.
When determining the extent of security efforts, it is important to consider the value of the potential target, Hartman says.
"If you have a $2000 laptop with millions of dollars worth of data, you would do everything to protect it — encryption, or storing all of the data at work and using a VPN connection to access it, so the laptop becomes a dumb terminal.
"If, however, you have a sales force with 800 laptops and it doesn't matter if you lose one, the cost of replacing it is minimal compared with the cost of securing all of them with cables, and so on."
--------------------------------------------------------------------------------
Data safety-first on the road
To avoid laptop theft...
Carry laptop in a backpack or other non-computer bag.
Lock down laptops with cables whenever possible.
Never leave laptop unattended or highly visible.
When packed up, keep the laptop attached to you, bag strap under a leg or arm.
At airports, if travelling in a group, send one through to watch and wait for laptops to go through X-ray.
Don't leave laptops in plain sight in hotel rooms.
Define policies and educate staff on safe travel with laptops.
To avoid data loss
Encrypt all sensitive data stored on laptops.
Install firewall and antivirus software.
Only allow access through a complex password.
Regularly back up data stored on laptops to reduce possible losses.
Transfer all data regularly to the office server and leave the laptop as a thin client.
Define policies on what data can and cannot be kept on laptops and how that data should be protected by password or encryption, or other measures.
Monday, March 08, 2004