Survey: More than 10,000 laptops lost each week at airports
They're most often lost at security checkpoints, the Ponemon Institute says
The complete article is here.
Check this out:
Close to 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65% of those laptops are not reclaimed, the survey said. Around 2,000 laptops are recorded lost at the medium-size airports, and 69% are not reclaimed.
The thing that really gets me is that 2/3 of these laptops are not reclaimed!
And then look at this!
About 53% said that laptops contain confidential company information, with 65% taking no steps to protect the information.
Over half of these machines have confidential information on them and no one cares? No one has made any effort to protect this data? What's wrong with this? Why should we be so upset with other companies that lose our data when we don't care about it either? In our society, we look for someone else to blame way too often. If you lose a laptop and compromise confidential data, I'll tell you who to blame: look in the mirror! Each and every one of us should take responsibility for protecting our own data. I would hate it if I lost my machine, and I know Microsoft wouldn't be very happy with me either, but I'd much rather have a discussion with my management that I lost my machine AND I did everything possible to ensure that my data was not compromised. The reality is that I'm much more concerned about my data than my laptop. If someone wants to steal my laptop, they are welcome to it; it's not worth the fight if there's a possibility of someone getting hurt. If someone wants my data, though, I have an issue with that! Let's make sure we are proactively ready to keep our data safe! While I don't offer to give my machine away, if someone does walk away with it, I'm confident that they will now have a very good laptop, but not my data.
This article goes on to advocate the recovery of the lost computer equipment. I agree, I'd like to recover my lost hardware as well, but even if I recover it, how do I ensure my data wasn't compromised while it was out of my control? What if the thief had time to clone the hard drive and then attack it offline? Again, let's make sure that even if they have the hardware, they don't have access to the data. With BitLocker, the decryption keys do not reside on the hard drive. Even if they successfully clone your hard drive, the only way they can recover your data is through a brute-force attack. Basically, they have to guess your 128-bit or 256-bit encryption key. Good luck! That's man-years worth of effort.
As I've said before, I don't travel with an unencrypted laptop; if someone does get physical access to my machine, they don't get access to my data! If a malicious user wants to try to crack my password, or attack my hard drive offline, I have an answer for that. BitLocker was built to defend against the offline attack, and Microsoft's password policy forces complex passwords to protect against online attacks. Complex passwords are exponentially more difficult to crack than the typical password. According to the statistics above, it sounds like my tablet is in better shape than the majority of the other mobile machines out there. I'll bet this situation is a lot like the locks on our doors. If we have better locks than our neighbors, the bad guys will be less interested in our machines and more interested in the higher-gain-for-less-effort machines.
I don't customarily encrypt my external hard drives, because they only contain my demo content and reference material. As a rule, the only thing I keep on unencrypted drives is information that is publicly accessible, or publicly available items that can be assembled into things like demos.
When you look at the numbers above, and realize that most of our users are more interested in catching their flight than protecting their corporate assets, we must help the company protect its assets without impacting the user community. Let's work on the assumption that our users don't care, and make sure that we can "seamlessly" protect their data for them. I know this sounds like Big Brother, but if we're allowing them to store our confidential data on their machines, we need to ensure that this data is treated as confidential information from the beginning to the end of its lifecycle, even if the user doesn't know it! BitLocker allows encryption of the hard drive with no impact to the end user. That's the best part about it. It's invisible to the user and it does not get in the way of the user doing their job. There's always the balance of "doing my job" vs. "protecting our data". BitLocker does a great job of finding that right balance.
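"Invisible to the user" only holds if the drives actually are encrypted and the protectors are the ones you intended. Below is an added example (not from the original post or from Microsoft) of a PowerShell audit that checks exactly that on a Windows machine: it walks every BitLocker volume, records its encryption and protection state and the key-protector types, and flags an OS volume whose protector is not bound to the TPM or a volume with no recovery password to escrow. It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`) is present and the session is elevated; the output file path is just a placeholder.

```powershell
# Added example, not part of the original post: audit BitLocker status on the local machine.
# Assumes Windows with the BitLocker module (Get-BitLockerVolume) and an elevated session.
# For a fleet, run this on each machine (for example via Invoke-Command) and collect the objects.

function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey, Password, Adaccount, PublicKey.
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A TPM-bound protector is what makes the OS drive unlock without user interaction.
        $hasTpm = ($protectorTypes -contains 'Tpm') -or ($protectorTypes -contains 'TpmPin') -or
                  ($protectorTypes -contains 'TpmStartupKey') -or ($protectorTypes -contains 'TpmPinStartupKey')
        # A numeric recovery password is what gets escrowed to AD / Entra ID / MBAM.
        $hasRecoveryPassword = $protectorTypes -contains 'RecoveryPassword'

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "VolumeStatus is $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')          { $findings += 'Protection is off or suspended' }
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasTpm) {
            $findings += 'OS volume has no TPM-bound protector'
        }
        if (-not $hasRecoveryPassword) { $findings += 'No recovery password protector to escrow' }

        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionMethod  = $vol.EncryptionMethod
            EncryptionPercent = $vol.EncryptionPercentage
            KeyProtectors     = ($protectorTypes -join ',')
            Compliant         = ($findings.Count -eq 0)
            Findings          = ($findings -join '; ')
        }
    }
}

# Usage: show non-compliant volumes first, then keep the full report for the evidence pack.
$report = Get-BitLockerAuditReport
$report | Sort-Object Compliant |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyProtectors, Findings -AutoSize
$report | Export-Csv -Path "$env:TEMP\bitlocker-audit.csv" -NoTypeInformation   # placeholder path
```

The `Compliant` flag is deliberately strict: a volume that is "encrypting" or has protection suspended (as happens around firmware updates) still exposes data if the laptop walks away in that window, so it is reported as a finding rather than silently counted as protected.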
Normally, as IT, we would now say something like "We need encryption," "We must encrypt all of our hard drives!" or "We will deploy BitLocker right now!" While that's the right plan, the fact is that if we can get the business to buy into deploying BitLocker, getting BitLocker deployed is then easier than you think! How do you get them to buy into it? Show them the article I reference above, show them some of the other articles on recent data loss and lost machines. Heck, show them some of the older NY Times and USA Today articles! There's plenty of public information describing data loss; just get your facts straight. Once you gather all of the public data losses, assemble a list of your corporate machines that have already been lost; if you really feel that your company hasn't lost confidential information, then your company is WAY ahead of the curve, or you are in the dark! Once you show them the sheer number of data losses every year, show them how many machines within your company have already been lost; AND THEN, when you provide a sampling of the confidential corporate data that is already sitting on some of your company's laptops, you will win them over. At this stage, this is now a business decision, not a mandate from IT... Right? Now they buy into solving the problem, not fighting IT because it's trying to act like Big Brother.
The Business will recognize the business risk, not the IT risk. Now we can help the Business recognize the business risk and help them do something about it. Most IT organizations are losing budget; if IT can help the Business understand the risk, and show the Business an easy way to close this gap, the Business will support the need to protect the data on the laptops. Now we can let the Business inform the rest of the user community that their data will now be secured, and the Business will help the user community understand the necessity of protecting their data. It's no longer an issue of budget: the Business will ensure that business-critical initiatives get funded, and you don't have to beg for the money, you just need to put together the deployment plan!
I hope this helps. I'm happy to discuss any part of this if you have any questions.
Until next time!
Rob