There are shed loads of stories around data loss, data leakage, mislaid laptops in the news. Not only is it hot news but disclosure of a bit of customer data that has inadvertently been mislaid is fast becoming law – it is already so in the US and not a stones throw away in EMEA. So what do we do about this relatively new phenomenon?
A Symantec customer, who must remain nameless, was recently claiming that, in spite of Gartner’s predictions of data growth of between 50% to 100% growth year on year, they were only seeing a 20% increase in data. Well, here we have two choices, either their data capture is simply atrocious, or IT are unaware of the growth in data. As this company is a large global I am in grave doubts as to their ability not to create vast and unmitigated amounts of data, which leaves us with the other alternative – they don’t know what they’ve got. So where is it then? Ah, now that’s the easy part, on the laptops of all those execs, in PST files, external hard drives backing it up, and so on …
Back in the dark ages of 2004, 10,000 laptops were left behind in London taxis. If a typical organisation can expect to lose up to 5% of their laptops per year that means, even this year, at that rate, there’s going to be 4,350,000 + missing laptops worldwide. Makes you wonder where they’ll end up? Anyway, it’s a huge security risk. So really we should be looking at how we protect our confidential, sensitive data and intellectual property.
Suffice to say, that an end user laptop in the wrong hands, either physically or virtually – through nasty people who take over your computer and do stuff you are unaware of – is more than potentially a disaster for most organisations. So, what can one do about it? There are 11 steps here that could protect your laptops, your company, your data, and save your bacon:
Introduce a strong password policy. On average, the human brain can hold only five to nine "random bits of information" in short-term memory. Considering the brain's limited capacity and the sheer number of secret names, codes, and words a person needs to remember in this password-protected age, it's no surprise that the most common password is simply "123456." Passwords you should avoid at all costs:
a) '123456' - Can you count to 6? A simple numerical sequence as a password is the most common idiotic choice
b) 'password' - Akin to pressing the 'any' key, when told to enter a 'password', it would seem that users aren't the sharpest tool in the box
c) 'Football Team' - Your most popular football team means are willing to entrust private data to the team you love the most.
d) 'letmein' - A modern-day version of 'open sesame' - Fox Mulder's password from the X Files - 'trustno1' is also quite popular – Doh!
e) 'Your Name' –, these can be homage to a number of famous people – given 3 is football teams I wonder how many Beckham’s there are?
f) 'your Child’s name’ - your children’s names are pretty popular
g) 'monkey' - Quite why the monkey makes it into the top 10 is quite beyond me, but the fact that it's a 6-letter word (6 letters is a typical minimum length for passwords), is easily typed and is memorable probably helps cement its position as ideal password material.
It seems a bit obvious but lock up the PC when not in use, but this is fundamental and quite often overlooked. Ctrl/Alt/Delete, Lock Computer, it works and if you have implemented a strong password policy you add strength to this policy. If a computer is not turned on, even if it is in a theoretically physically secure area, then it should be locked it away, out of sight is often enough to prevent the opportunist thief. Even if an environment you consider to be safe there are still numerous people who roam your corridors, bearing in mind that an increasing number of security breaches are instigated internally.
Install a BIOS password and change device boot order to prevent the system booting from anything but the hard drive. This makes it harder for someone to boot from a CD that contains hacking tools designed to get at your data. If you do ever need to boot from a CD simply temporarily change the boot order – and then change it back. It’s not a bad idea to promote a policy where employees have to remove the CD/DVD drive when in transit and they only insert the drive when they actually need it.
Why nor encrypt the contents of the laptop hard drive? Simple but effective - .I don’t know about you but my laptop roams the world’s airports, and some pretty dodgy ones at that. And every time I do it, every hotel, every airport every internet café, I would be susceptible to data theft. An unencrypted hard drive, even without the knowledge of usernames or passwords, it is a simple matter to gain access to the private data on that machine. If, however, you encrypt the contents of the hard disk, you can effectively protect against potential “egg on the face” headlines in the press should a laptop go missing.
Implement Enterprise Vault to remove PST files from the hard drive of the laptop and at the same time force local laptop backups and enforce a policy through spot checking and save as little data to the local machine as possible. The more data you have on the laptop the more damage you could do yourself when you loose it. Given the improved state of corporate and other networks, there is really very little excuse not to connect back to a secure corporate file server and upload files through the company's VPN. This also means that the sensitive data is not only protected from the bad boys, but you’ve not lost any work you put into it either.
Why not invest in hardware recovery software, or ET software, that phones home when it is plugged into an external network. Clever, but also extraordinarily criminal unfriendly; when it is used with the assistance of the Police there are claims of a 90% recovery rate for computers that are stolen and eventually connected to the Internet. This is a great way to counter gangs that are stealing laptops in order to sell on identities or credit card details.
Be wary of wireless, always disable the wireless network when not in use, if you have the wireless connectivity enables you machine can be compromised. Although wireless networks provide a quick and easy way to connect to the Internet and conduct business, they also open up a huge potential for data theft when security is not included in the network design. Turn off Bluetooth, it's pointless and insecure, in hotels put the laptop in the safe or at the very least use a Kensington lock, treat your PDA in the same way as your laptop.....quite simply you're 22 times more likely to lose this than your laptop.
Quarantine returning laptops, or enforce system scans to make sure it doesn't carry any harmful viruses or spyware. If the device has spent time outside the corporate firewall there is a huge chance some kind of spyware, at the very least, has attached itself to the computer. At the same time enforce virus live updates whenever a laptop is connected to the internet. Any infection like this can run in the background, which is as good as having your laptop stolen – but more difficult to spot.
Report any incidents; this is likely to become law in the not too distant future. If you don’t report the theft and your computer is used to commit a crime the owner of the laptop can end up in a tight spot, and one that is sometimes difficult to prove one’s way out of. If you do have users that are somewhat lax in their security practices and their system is stolen it is imperative to change all security passwords and VPN account details in order to protect company assets and stop you getting into the news.
Get Symantec End Point Protection ASAP. Antivirus, anti-spyware, and other signature-based protection measures, which are primarily reactive, may have been sufficient to protect an organisation’s vital resources a few years ago, but not today. Organisations now need proactive endpoint security measures that can protect against zero-day attacks and unknown threats. They need to take a structured approach to endpoint security, implementing a solution that not only protects them from threats on all levels, but also provides interoperability, seamless implementation, and centralised management. Symantec’s approach to endpoint protection provides advanced threat prevention that protects endpoints from targeted attacks as well as attacks not seen before. It includes proactive technologies that automatically analyse application behaviours and network communications to detect and block suspicious activities, as well as administrative control features that allow administrators to deny specific device and application activities deemed as high risk for the organisation. They can even block specific actions based on the location of the user. In the case of an infected endpoint, security products repair the damage by disinfecting or quarantining the system. The remediation process is then completed by deploying the necessary patch.
This approach calls for consolidating endpoint protection technologies in a single, integrated agent that can be administered from a central management console. The goal is to increase endpoint protection while eliminating the administrative overhead and costs associated with multiple security products.
Consider the thin client computing model for, at the very least, remote users – The reason, of course, that you provide laptops to mobile workers is because they require mobility to get their jobs done while on the road. However, servers and desktops within the corporate network are almost always more secure than laptops. Since high speed Internet connections can now be found in most hotels, airports, coffee shops, and bookstores, it is possible to set up a remote connectivity solution in which an end user simply connects to Terminal Services (or Citrix) or uses Remote Desktop to connect (over VPN) to a dedicated desktop machine within the corporate network. This prevents any work from actually being done on the laptop itself. Instead the laptops simply functions as a temporary terminal. While not feasible for every IT department, this can prevent data loss by separating storage from the device.