MISSOURI WHAT'S ON YOUR LAPTOP STLtoday - Business - Story

Recent thefts of laptop computers that contained sensitive business data have exposed a weak link in many corporate security plans - mobile devices and the people who carry them

."The biggest issue is - no matter how much software and how much hardware (protection) you put on a laptop - it's the end user" who determines how safe a company's data is, said Guy Denton, an associate partner in International Business Machines Corp.'s security practice

.In recent months there have been several high-profile theft or losses of laptops.

In November, a Boeing Co. laptop with personal information on 160,000 current and former employees was stolen and never recovered. Last month, Ameriprise Financial Inc. of Minneapolis had to notify 226,000 people that their names and other personal data were stored on a laptop that was stolen from an employee's car.

More companies are using laptops instead of desktop computers, and some are moving to wireless networks rather than wired ones. Many are putting limits on how much e-mail or other data employees can store on company servers.

For that reason - or simply for convenience - some employees may download data that normally is stored on a server. Or they might download a report to read at home, not realizing that the report contains information that could be damaging to the company if it's lost or stolen.

"All of a sudden, you have all this data sitting there," said Paul Davis, vice president of security solutions for Calence LLC, a national security firm with offices in St. Louis. "Contact lists, spreadsheets. The dollars associated with that are incredible.

"Safeware, a company that sells specialized insurance for computers, reported that 600,000 laptops were stolen in 2004, with losses estimated at $720 million. The FBI estimates that 97 percent of laptops are never recovered.

Davis said companies need to make sure data on a laptop is backed up so it can be recovered in case of a theft or loss. "It's painful to rebuild contact lists.

"If a company is using credit card data, it also must meet standards to protect customers' data, Davis said. Even a hint that such data is compromised can damage a company's reputation.

Companies need to instill in employees that the data in their devices is valuable, said Mark Murdock, a partner in Lantern Secure Solutions LLC of Chesterfield. A few years ago, an FBI survey estimated that the average stolen laptop costs a company $90,000, mainly from lost productivity to re-create the data and potential lost business.

"If you explain to someone that they're carrying $90,000 in their hand," they may be less likely to leave the laptop case with their luggage while they go to an airport restroom or to leave it lying on the credenza in their hotel room, Murdock said.

Physical security is the first step in securing a laptop. That can be as simple as locking the computer in a desk or cabinet when an employee leaves for the day. Some companies buy cables or brackets that secure laptops to heavy furniture.

Other physical measures include screen protectors, which make it difficult to read the screen if you're not directly in front of it. Employees who travel should be careful using laptops on planes or in cafes, where a thief might be looking over their shoulder, Davis said. They should also avoid putting a laptop on the floor, where it can be forgotten or picked up when the owner isn't looking.

Anti-virus software, anti-spyware and encryption programs are among the basics needed on almost any business laptop. Some companies require that outside consultants have their laptops screened for viruses before they plug into the client's network. Personal firewalls can block viruses when the laptop is carried outside the company network.

Further protection comes in the form of hard-to-decipher passwords that include numbers as well as letters. Some companies set up the laptop so an employee must log on before it will boot up. But even those protections can be broken if the hard drive is removed.

IBM uses embedded security chips that won't allow a machine to work unless the hard drive has a matching chip, Denton said. In turn, the hard drive won't work if it's removed and placed in another computer.

Mobile Armor LLC of Town and Country makes security software that includes password protection, data encryption, anti-virus protection and a firewall. The software also will destroy the data on a hard drive if an employee fails to log in within a specified period.

"You have to make the protection so it's automatic and transparent," said Bryan Glancey, chief technology officer for Mobile Armor. He recommends using smart cards, biometrics (such as fingerprint authentication) or key systems that generate a dynamic password that is never written down, making it much more difficult to crack.

Davis recommends that companies identify which data has to be protected and make sure it's secure, usually through encryption or limited access. Companies need to train employees to use passwords that aren't common words or the names of family members or pets.

Employees need to know which security warnings they should pay attention to, particularly when they're using a public wireless network, Murdock said.

"People tend to click through warnings," he added. "Some of them should make you stop and think" whether it's necessary to do the work immediately or better to wait for a more secure connection.

"In today's world, it's becoming more apparent that information is becoming more valuable than the products that we produce," Davis said. Thieves and hackers know that, and they can create havoc if employees aren't wary.

"People don't intentionally (expose their company to harm), but they become complacent," Davis said.

Safeguarding your laptop

Choose a secure operating system and lock it down. Use passwords with a combination of letters and numbers, and take advantage of built-in encryption software.

Don't leave access numbers or passwords in the laptop carrying case.

Register the laptop with the manufacturer. This can flag it so that if a thief sends it in for maintenance, you have a better chance of getting it back.

Write down the laptop's serial number and store it in a safe place.

Engrave the company name and address on the laptop case or use a metal tamper-resistant commercial asset tag.

Use tracking software that allows your laptop to "call home." With this software, the laptop periodically checks in to a tracking center with a traceable signal.

Back up data on an external hard drive, tape drive or CD-ROM.

Use a nondescript carrying case, such as a backpack or padded suitcase.

At airport security points, wait for the person in front of you to pass through the metal detector. Make sure the laptop is well into the screening machine before you step through the detector. Keep an eye out for it as it comes down the conveyor.


Sources: Microsoft Corp., LabMice.net, Lantern Security