COMPUTER BUSINESS REVIEW

Critical. Authoritative. Strategic.

TECHNEWS

CBR is proudly produced & published
by Technews
www.technews.co.za
Issue Date: August 2000 (es)

Media giant to launch SA's biggest Internet recruitment portal

1 August 2001

As the world we live in becomes increasingly mobile, more and more workers are using laptop PCs. We take our computers with us everywhere - we take them home at night, on business trips, and even on vacation. And as laptops become smaller, lighter and more valuable on the black market, they become an enormously popular target for thieves - at hotel check-in counters, at airports, and even as they sit on our desks - it only takes a few seconds of distraction for a thief to steal a laptop or other portable device.
We like them for their mobility, but it is that very feature that gets them stolen. These portable devices - rich in computing power and communications capabilities, and often loaded with sensitive data - are big targets for opportunistic thieves and industrial spies.
How bad is it?
One in every 14 laptops is stolen - that is one theft every 43 s, as reported by the World Security Corporation, and organisations without an anti-theft policy can expect an annual notebook theft rate of 3%, rising to 5% and more through 2002 (Gartner Group).
"There is no central source for PC theft statistics in South Africa", says Jonathan Bass, Managing Director of NetTrace. "However, it is our experience that PC theft in this country is easily in line with Gartner's predictions, and in many cases much higher. It is the crime of the New Economy, and our information is that a stolen notebook might fetch more for a perpetrator of the theft than a stolen motor vehicle!"
The migration to the more mobile workforce in South Africa is borne out by the fact that of the 720 000 PCs purchased in 2000, approximately 110 000 of those were notebooks, up from 90 000 the previous year. On this base alone, apart from the total of approximately 2,5 million PCs in this country, a 5% theft rate has major implications for our economy.
"According to a study done by the FBI, 97% of stolen computers are never recovered", maintains Bass, "a fact that is frustrating all CEOs, risk managers and IT managers alike in our companies, not to mention the insurance industry which is currently under real pressure from such crime".
Whodunit?
Theft of computer hardware is divided between syndicate-targeted organisations, smash-and-grab operations and internal theft. In many cases, thieves are looking to sell the desktop or laptop PC on the black market for some quick cash. Others are looking to get at the parts, most often the RAM, processor or hard drive. Such thieves try to be clever and only steal enough parts so that the machine continues to work, but at a slower pace. So it may be a while before people realise something is wrong.
However, few thieves are interested in the digital treasures contained on the laptop hard drives; they just want the quick profit from selling the devices on the black market. There are plenty of buyers out there searching for the power and convenience of a laptop at a bargain basement price.
Within organisations, internal loss is a growing problem. You can no longer assume that the only things your employees will take home are pens and notepads. Gartner Group maintains that computer crime statistics reveal that approximately 70% of computer theft consists of 'inside jobs' by disgruntled employees.
However, insiders may not only include regular employees. "With the migration of many of our corporates from the city centres to up-market, decentralised locations, the risk of theft by temporary workers and contractors are dramatically increased", says Bass.
If anything, the software loaded on a stolen device enhances the machine's value, while the personal and business files have little practical use to end recipients. This is not to say that industrial spies and enterprising thieves do not seek out the digital bounty held in these portable boxes. Should a notebook bandit sneak off with the right laptop, he could find himself in possession of proprietary secrets, confidential product development information or sensitive financial data. The value of the information depends on how much the victim's corporate rivals are willing to pay for a competitive advantage, or how much the thief can extort for the information's return.
What is the cost?
Research by Gartner Group reveals that the average total cost to corporations per lost laptop computer (not including data) is US$6,285. NetTrace's Marc Descoins believes that this figure ranges from about R35 000 to R45 000 for South African companies. "If one takes into account the type of PC hardware involved, the time required in dealing with police cases, insurance claims, acquiring, reconfiguring and redeploying the lost laptop, let alone the lost productivity of the user, then these figures easily stack up."
But what have you really lost? Losing a laptop is very different to losing a cellphone or a pager; with laptops, you cannot simply cancel the service and unless you have implemented strict security measures, you cannot stop anyone from looking at your proprietary information.
Each organisation has a unique cost profile for its lost data. Gartner Group reports that this has two aspects: the commercial value of the data stored on the missing PC and the exposure to the organisation created by losing control of the missing data.
An additional cause for concern is that most mobile systems are equipped for remote access to corporate networks. This means that not only is key information exposed to unauthorised persons or even competitors, but what about the user IDs and passwords, customer lists, sales forecasts, leads and opportunities, merger and acquisition plans, corporate directories, files and databases that are saved on the PCs and can provide a hacker with all the information on hand to do some serious damage to the organisation?
The Computer Security Institute estimates that over the last four years, the average price of replacing a stolen PC for a typical US business is $41 000 for the hardware, software and data. That is over R320 000 per laptop; but think of the consequences and legal costs if the proprietary information of a bank's or accounting firm's customer information should get into the wrong hands.
Curbing the five-finger discount
Preventing PC theft is not just a problem of selecting the right security product. Organisations with a large and, in many cases, growing mobile worker population cannot merely rely on the end user to take action to protect the asset or follow a list of 'rules' posted on the corporate intranet. Whatever the extent of the risk to PC security, there are best practices that can be employed to reduce threat to the organisation, its employees, and its bottom line.
As for any successful business strategy, the purpose for curbing PC theft must be clear, the crucial 'people element' must be addressed, policies and procedures designed and implemented, and the right products and services for the organisation utilised.
The people element
Security products provide effective theft deterrents and access controls, but ultimately it is up to the individual users to prevent laptop theft. Users need to be particularly careful in public locations, such as airports, hotels and conference centres, and take appropriate steps to ensure someone doesn't try to snatch their machine.
When travelling, owners should keep their notebooks in bags sporting bright colours or large tags. Since thieves do not want to draw attention, they will often avoid stealing bags that stand out.
Unfortunately, few laptop users exercise such caution. No matter how many or what physical and electronic systems and solutions have been deployed, all can ultimately be defeated because of one simple fact. Even if users know about security issues, they may not follow the rules, and one of the biggest nontechnical problems involved in securing laptops is the mindset of the laptop owners themselves - changing users' attitudes and habits might be the biggest challenge of all.
It is common for CEOs and other corporate higher-ups to assume their communications and files are not interesting to anyone but themselves - and, therefore, why go to extreme measures to protect them?
"Laptop security is an issue that has been percolating from the bottom up in large enterprises," says NetTrace's Jonathan Bass. "Although IT departments usually have a good understanding about the potential problems regarding PC theft, it is not a top concern for management. This could be due to the lack of information on and statistics surrounding the subject of PC theft, and what this is actually costing their organisations. For example, the costs associated with replacing stolen PCs, including deployment and the lost user productivity are mostly unknown. It is also very difficult to understand the insurance costs for PCs, since these items are grouped with a host of other electronic goods. PC loss ratios and insurance rates are therefore often distorted."
Develop policies and standards for mobile workers
Policies need to be developed that address the unique needs of the remote user, including what type and how many mobile devices are being used, what kind of work the mobile worker is doing in the field, and how they are accessing corporate information. Policies must be strong enough to protect the organisation, yet flexible enough not to disrupt the user and negatively affect productivity. Policies can include methods for user authentication, encryption requirements for certain types of documents, as well as mandating the use of physical security products while travelling.
Implement and manage policies
Once policies are in place, the organisation needs to define the overall processes by which they will be implemented, monitored, and enforced. Policies become worthless if they cannot be enforced, and enforcement is not feasible without monitoring. There are a number of policy management applications available on the market. At the same time, the organisation needs to make sure employees understand the value of security without feeling intimidated. Companies should therefore not only educate their employees on proper security procedures, they must repeatedly ascertain to see if these are sinking in.
Build information security awareness and train employees
It is crucial that employees understand why information security is critical to the organisation and what they do on a day-to-day basis can have serious consequences in the event of a breach. In addition, employees need thorough training on new security applications, especially given that the majority of security products fail because employees do not use them effectively; or even at all. Additionally, the use of these applications needs to be monitored to ensure employees are adhering to corporate policies. Only when security is adopted as part of employees' day-to-day routines will the threat to the organisation be reduced.
Monitor and audit on a continual basis
Policies and processes are most effective when they are monitored regularly. Understanding the weaknesses in your system is the best way to find measures to correct them. Above all, policies and processes should never be considered static; rather, they need to be reviewed and updated on a continual basis as corporations evolve, as the number of mobile workers and amount of business travel increases, and as new technologies are introduced and/or upgraded.
Organisations must look carefully at what needs to be protected, then decide the best way of making it difficult for someone to get at it. Organisations should determine the appropriate security levels for different employees. A R150 physical cabling device is a must for all users. Stronger access controls, authentication and file encryption would be appropriate for managers who store confidential and sensitive information. As a powerful theft preventative and means of recovering lost PCs and information, use a tracking device and related theft recovery service.
Regardless of the approach, the security method chosen by an organisation must blend into the user's regular routine. Surveys have found that laptop users will not use security systems that inconvenience them.
For details contact Marc Descoins, of NetTrace on tel: (011) 267 6296, e-mail: marcd@nettrace.co.za or visit www.nettrace.co.za


Others who read this also read these articles

Search Site





Search Directory

  • Search for:





Subscribe

Previous Issues