Archive for April, 2009

What is the Value of a Lost Laptop?

April 29th, 2009

http://www.flickr.com/photos/bahi_p/194370916/. A plea found stuck to a phone booth. (And a sober reminder for all of us who use laptops.) Protected under Creative Commons License http://creativecommons.org/licenses/by-nc-sa/2.0/deed.en.

The picture to the right reminds us of the pain associated with losing a laptop. Personally, it is scary. But even more so, for an organization that must protect their data and their corporate image, it can carry an incredible amount of risk.

Just last week, Intel released a study by the Ponemon Institute that measured the cost of a lost laptop. This study brings to light some fascinating data regarding the actual costs to an organization when a company laptop is stolen. The statistics should be a warning sign to organizations that are only “thinking” about laptop security, including data protection. I want to bring out a few highlights:

  • The average value of a lost laptop is about $49K. What is interesting about this study is that it calculates the cost across seven components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity, and legal, consulting and regulatory expenses. Why is this important? Because the cost of the actual hardware and software is the least of your worries. If that laptop is stolen, you have to worry about the data on it and potential litigation. The study makes this clear: 80% of the cost comes from the resulting data breach.
  • There is a direct correlation between the value of a lost laptop and the speed a laptop is identified as stolen. The longer it takes to identify a stolen laptop, the higher the costs. This is concerning especially for larger organizations with thousands, even tens of thousands of laptops. I’ve worked at organizations with many, many laptops, and losing one is really no big deal. And without excellent asset tracking capabilities, organizations won’t even know when a laptop is stolen.
  • Encryption makes a difference to the cost. If you have it, you save on average $20K per lost laptop. Organizations should really look to implement hard disk encryption solutions such as what Alertsec provides to really save money. The saying rings true: “To save money, you have to spend a little money.”
  • Information and intellectual property are a company’s biggest assets. Why put them at risk? Think of it this way. If you leave a laptop at a Starbucks, what are the chances of that laptop being returned to you? My guess is less than 50%, probably much lower. Now how many of us have forgotten our laptop somewhere? Many of us. The risk is too high not to protect both your information and your intellectual property.

I encourage our readers to really think about how they can set aside resources for investing in data protection solutions. The risk is too high. Alertsec provides a secure solution that can be easily managed within the confines of your organization’s security strategy. Take a look at what your organization can do to make sure that your information and intellectual property are protected.

Will 285 Million Compromised Records Catch your Attention?

April 24th, 2009

Earlier this year the Verizon Business Risk team released a fascinating report that summarizes their investigations into past data breaches: the Verizon Data Breach Investigations Report. In this report, the Verizon team has catalogued 90 confirmed breaches from 2004 to 2008 that have resulted in 285 million compromised records. There were a few takeaways that I’d like to outline in this post:

  • Attacks are continuing to become highly targeted and customized. Now, this is nothing new. We’ve seen data the last several years that points to this fact, but this report provides more conclusive data suggesting that hackers are going after the crown jewels of an organization.
  • The value of stolen credit card data is decreasing. In 2007, the value of a credit card record ranged from $10 – $16. Today, that rate has dropped to $0.50 per record. This has led criminals to overhaul their techniques in order to acquire more valuable information.
  • Large organizations are not the only target for data breaches. Of all of the breaches documented by Verizon, 26% occurred at organizations with 11 – 100 employees. This should be a warning to even small organizations that they must implement a data protection strategy.
  • Organizations are still not implementing PCI requirements. In the report, 75% of organizations suffering breaches were not compliant with the Payment Card Industry Data Security Standard (PCI DSS) or had never been audited. Of particular note are what many organizations consider the most difficult requirements to implement: “Requirement 3: Protect stored data” and “Requirement 6: Develop and maintain secure systems and applications.” One interesting aspect to note is that organizations must know where all sensitive data is in order to ensure it is protected. Oftentimes, organizations are not aware of the sensitive data stored on laptops and other mobile devices.

The data from this report is useful to organizations that not only want to understand the risk, but also want to implement changes that can help protect sensitive customer data. These changes will require technology, but also processes and end-user education. As hackers continue to evolve their approach and techniques, organizations must also evolve to stay a step ahead.

The Number One Reason for Security Breaches – Stolen Computers

April 24th, 2009

Earlier this month Josue wrote a blog about your company’s name on the list of security breaches. That got me wondering “Is there actually a list?” and, if there is a list, what really are the causes of security breaches?

Well, a little bit of research led me to the Open Security Foundation’s DataLossDB, and sure enough they have very detailed statistics on security breaches. While they have a little bit of data from 2003-2005, they have really been effectively collecting data from 2006 forward. They obtain information from police reports, news articles and, most importantly, from public disclosures of breaches by companies (as is required in a number of locations).

The chart below is based on 1,846 incidents. When you add stolen computers to stolen laptops you get 29%, and this is the single largest reported reason for security breaches. Hacking attempts may get more newspaper space – but they continue to trail the issue of theft.

Looking at the data, there are 5 reports of stolen laptops for April 2009. The month is not even over yet and they have reports from both Great Britain and the United States. The US reports span coast to coast with Georgia, New Hampshire and California – not to mention that you have to leave the US mainland for the fourth report, by the Hawaii Department of Transportation.

Also, it is important to realize that sales of desktop computers have been declining as purchases of laptop computers and the newer, smaller netbooks are on the rise. Thus there is every reason to believe that the 22% of incidents related to stolen laptops is only going to increase.

Now, if Alertsec has its way, while the number of thefts might rise we would actually see a decline in actual security breaches. Consider this data as you make plans as to when and how to encrypt the laptops you own or support. Is it now past the time when you should have been protecting the laptops that you are responsible for?

Lock the door, lock the car and leave the laptop wide open…

April 21st, 2009

Join us for a few moments and answer these four quick survey questions. Don’t try to click the circles below, it’s just an image file, but answer the four questions in your head.

[Image: alertsec-survey]

Unless you live in a rural area, most folks will answer the first three questions with a resounding YES! Although, I have had a few folks say no to “Do you normally lock your car doors?” but they admitted that their car was so old and run down that they had no fear it would be stolen. However, not enough folks answer yes to “Do you lock (encrypt) the data on your laptop?”

Now consider one more question:

[Image: alertsec-survey-21]

Unless you keep lots of stuff in your car, replacing your car is typically all about money. Likewise, things that are likely to be stolen from your house – DVDs, stereos, TVs – are also all about money. While you might have photos, scrapbooks or souvenirs, they are less likely to be stolen as they won’t have the same value to anybody else.

But your laptop or your home computers – they are typically irreplaceable. Actually, that is not quite true, as any of your computers can be replaced by money alone. The hard drive that is in or attached to your computers, that is what will be near impossible to replace without both money and extensive amounts of TIME!

Just stop for a moment and start the list of how you would recover from the theft or loss of your hard drive. Do you have passwords on the drive that somebody could use? Do you have any financial data that they could access? Do you have any confidential data in your email? (Check out this article on Laptops Loaded with Private Data.)

Now, compare this to $13.00 a month for the safety and security of hard drive encryption. Do you have automobile insurance? Do you have homeowner’s or renter’s insurance? Do you have life insurance? Are you taking the same precautions to secure your digital information?

Think about all your data. All your documents. Maybe your photos and music. It’s great to have backups – and that will help you if the hard drive fails. However, if somebody takes the laptop or computer with the hard drive inside – are you prepared to deal with the loss?

So either keep your computer at home or the office securely under lock and key – or take some action to ensure that your computers are secure and safe with hard drive encryption.

Security does not stop at the Firewall

April 10th, 2009

Many businesses have realized the risks involved with the loss of electronic data. Companies that have credit card or other personal data have been forced to manage security because of government regulations about the privacy of data. But while good security managers are watching their network and their staff, all too often nobody is minding the security policies of a company’s partners.

Today very few companies, small, medium or large, have the resources or interest to manage every aspect of their business – we bring in experts: consultants, lawyers, call centers, companies providing software-as-a-service (SaaS) offerings and a myriad of other businesses. A lot of business and information exchange takes place outside our security firewall, and it’s a grey area as to whom, if anybody, should be watching out for this risk.

Just consider these scenarios:

  • When you hired an auditor, who reviewed the auditor’s security policy to make sure they would protect your data? Don’t make assumptions here – I once refused to let an auditor’s PC on our network because we could visually see spyware on the browser. We did not even have to run any diagnostics – the spyware was visible on the browser and the desktop!
  • You probably have some type of legal counsel and they will get some pretty confidential data sent to them. Who is checking out their data security? (Check out this blog on Can you trust your lawyer’s PC.)
  • You might be using Software-as-a-Service tools; sometimes they were picked by the business unit and not by IT. They are hosting your data – does anybody know about their security? And not just their data center security, but all aspects, such as how secure their laptops are.

Now if I (the admitted security geek) were a lawyer or accountant, I’d make sure that I told prospective clients about my security; I wouldn’t even wait for them to ask. I would highlight how we encrypt all information. It is a selling point about how good your company is.

But since not every company is that good, I encourage companies to make this part of the process when they hire in outside help. If you have an RFP it should certainly ask about security policies. Even more than the RFP – test it out. When your sales rep visits the office, ask if you can see their PC. Then say, “I just stole your PC – do you know who to contact at your company to report this?” Ask, “How much confidential data will I be able to access without even needing a password? Is the laptop encrypted?”

While one of your co-workers is busy providing CPR to your visitor, you will have time to print out a copy of your security policy and maybe even share a link to Alertsec Express. We’re all part of a network – your business partner’s security is really your security as well.