Perhaps you followed the dramatic headlines in May as the US Department of Veterans Affairs came to grips with the fact that it had lost a laptop – which has since been recovered - with personal information on 26.5 million veterans and active-duty soldiers, potentially exposing them to identity theft.
Since then, you might have overlooked the missing New York state government laptop with 540,000 names. Or the US Federal Trade Commission laptops with 110 names. Or the Ernst & Young Global laptop with 243,000 names. Or the YMCA of Greater Providence laptop with 68,000 names. Or the Equifax laptop with 2,900 names. Or the ING Group laptop with 13,000 names. Or the US Internal Revenue Service laptop with 291 names. Or the Ahold USA laptop with an undisclosed number of names.
And those were just some cases that surfaced in June.
Yet technology is available that would allow the words laptop and security to be spoken in the same breath without triggering gales of cynical laughter. Securing laptops generally depends on either internet tracking, "kill switches" or encryption – or, more commonly, a combination of the three.
Canadian firm Absolute Software offers a service called Computrace, through which subscribers' laptops connect with an internet server once a day. If a machine is reported stolen, it will be told to start checking in every 15 minutes the next time it connects to the server, explains Absolute Software’s marketing manager Les Jickling. Using various databases, the laptop’s IP address will be matched to a street address. The next knock on that door may be the police arriving to recover the machine.
Thomas Schuetz, president of consultancy MDx Medical Management, signed up for the Computrace service in November 2005 to keep track of 20 laptops. Two months later, his own laptop went missing.
"I sent the Computrace people a copy of the police report, but the machine did not start polling the internet until the end of March, from a location in Florida," Schuetz says.
"The recovery team contacted me in early April. They had tracked it to Yonkers, New York, and then to downtown Manhattan, where it settled into one IP address, a person's home. They were able to watch what was being done with the laptop and asked me if I knew that person. They offered to erase the hard disk remotely, but I would have had to reconstruct certain things, so I said no."
After the laptop was seized, Schuetz went to the police station to pick it up, and everything was intact, he says. The person from whom the laptop was recovered now faces charges of possessing stolen property.
"The service would be worth twice what it costs us, and we recommend to our doctor clients that they get this service," he says.
By special arrangement, links to Computrace are contained in the BIOS chips of Hewlett-Packard, Gateway, Lenovo Group, Dell and Fujitsu laptops so that even reinstalling the operating system will not stop the machines from reporting in, Jickling says.
Pricing for the full Computrace service starts at $128.95 (£64.50) per unit for three years. A consumer version, called LoJack for Laptops, is priced at $49.99 (£25) for one year.
Meanwhile, CyberAngel Security Solutions offers a combination of encryption and tracking. The CyberAngel system creates an encrypted partition on the hard drive. Anyone who boots the system but gives the wrong password will be able to use the machine but will not see the encrypted partition, says CyberAngel spokesman Bradley Lide. While an unsuspecting thief uses the machine, the laptop will start sending out tracking pings in the background.
"We got the CyberAngel service when we first started getting laptops two years ago and have needed it twice," says Jodea Johnson, a systems administrator at a US hospital.
Johnson says she chose the service because she liked the encryption it offered and the likelihood that a thief would not be aware of it. Also, the price seemed right – $62.60 (£31) per three-year licence for organisations buying coverage for 100 to 500 devices.
It took about six weeks before the first missing laptop started transmitting and the police could recover it, while the second took less than a week, Johnson says.
Kill switches, along with encryption, are the weapons of choice of Beachhead Solutions. When a machine using Beachhead's Lost Data Destruction service connects with the server after it has been reported stolen, the service begins erasing pre-selected files, overwriting them multiple times to preclude file recovery, says Jeff Rubin, Beachhead's vice president of marketing. Lost Data Destruction can also trigger other actions to make the stolen machine unusable, such as repeatedly rebooting it.
Machines using the Lost Data Destruction service are periodically taken through a checklist, which notes things such as whether they have been booted up using legitimate access controls. If they have not, procedures can be launched to thwart illicit use, Rubin says. Single-user pricing is $129 (£65) a year.
"Tracking is a great idea if you are concerned about the hardware, but a $1,500 (£750) laptop is no big deal compared to the damaged reputation that could result from a breach," says Corey Jenrich, IT manager at a branch of California’s Community Bank. He uses Beachhead's product for his bank's 80 machines. He has never had one stolen and so has never used the kill switch.
In the meantime, Jenrich uses the automated encryption facilities that the Beachhead software also offers. "We could have just rolled out the Encrypting File System on Windows XP, but we thought it put too much reliance on the end user to put the right files in an encrypted folder, and if the laptop gets into the wild, I can't prove that a given file was encrypted," he says.
With Beachhead, all files with user-specified extensions will be encrypted. Jenrich also says he likes the way the software can delete files and close down the computer even if it never connects online again.
"We're covered," he says. "It would be worth it if it cost four times as much. We like it for the control it gives us over the end-user environment, extending to situations when the machine is not in our physical control."
And being covered is the main reason more companies are adopting some form of encryption as well as tracking, says Eric Maiwald, an analyst at Burton Group. There is also increasing pressure to introduce legislation requiring notification of victims if a company suffers a breach of unencrypted personal data, with such a law already operating in the US state of California.
"They want that encryption, 'get out of jail free' card," Maiwald says. "Encryption products have been around since the 1980s but have not seen much adoption outside the government and financial institutions. But now, with the notification laws, we are seeing much larger deployments." He adds that there are dozens of products that fall into either the file encryption or whole-disk encryption categories.
But Maiwald advises against depending on the encryption tools built directly into some applications, such as Microsoft Word. "There are a lot of programs out there that will break them," he warns.
Tools and commonsense
Encouraging users to follow these tips, as well as using security technologies, can keep laptops more secure.
1. Avoid using computer bags. They make it obvious that someone is carrying a laptop.
2. Never leave access numbers or passwords in the carrying case.
3. Users should keep an eye on laptops, especially when going through airport security.
4. Avoid putting laptops on the floor. This is an easy way to forget it or lose track of it. Encourage users to try to place the laptop between their feet or against their leg so they are always aware it is there.
5. Use a screen guard. These guards help prevent people from peeking over the user’s shoulder as they work on sensitive information in a public place. This is especially helpful when users are travelling or need to work in a crowded area. Secure-It is just one of the companies that offers screen guards.
6. Try not to leave laptops in hotel rooms or with the front desk. If the must be left in a hotel room, it should be put in the safe or a drawer and the "do not disturb" sign should be put on the door.
Lamont Wood writes for Computerworld (US)