Intel reveals 'the billion dollar lost laptop problem'

More than data loss

Another event panelist, security consultant Kevin Beaver of Principle Logic, pointed out that it's not merely the files on a laptop that can compromise security. Describing a recent test he did on an assortment of laptops from a variety or organizations, he said:

First of all, I was able to boot up [a laptop] with a boot CD and basically crack the passwords so I could log-in locally to the laptop. I found files that were stored locally, temp files that were stored by the application that the user doesn't even know about, [and] domain passwords. I was able to see some cached passwords that the user used to log onto the Windows domain — it didn't have the password itself, but it had a password hash, and I was able to crack that, so that in essence opens up the entire domain to potential intrusion.

VPN connections, remote desktop connections, wireless encryption keys — I found all of this stuff on just a couple of sample laptops. We're talking about data loss here, but we're also talking about further intrusions into the network. The odds that whoever comes across the laptop knows how to do this stuff may be low, but the reality is that you don't know.

Beaver also said that organizations are not paying enough attention to laptop security: "People are pouring tens of thousands, hundreds of thousands of dollars into preventing SQL injections and cross-site scripting into their web applications, they're trying to do whatever they can to protect their database. And meanwhile all their people are walking around with these unprotected laptops — be it unencrypted laptops, [a lack of] mobile tracking, remote wipe, and whatnot. It just doesn't add up."

Ponemon was equally blunt: "We do a lot of research and we see that a lot of organizations are incompetent in protecting information assets," he said. "Laptop computers and small, mobile, data-bearing devices are almost always at risk."

Beaver agreed, saying: "Laptops are always consistently the greatest risk that I find in any given security assessment."

The panel's host and general manager of Intel's anti-theft services Anand Pashupathy outlined the magnitude of the problem, citing survey results that showed that one in ten laptops go missing in an average three-year lifetime.

If a laptop is lost or stolen, your business is in trouble, said Pashupathy. "At the end of the day, data is what defines your business, it defines your company."

Keeping sensitive material off your laptop and instead using that laptop as a dumb terminal to access the cloud is no solution, said Harkins:

Even if you did that, that doesn't mean the data is protected, because if you lost the terminal and had the login credentials, it doesn't matter if it's in the cloud, you crack it and you'd still get access to it. You can't just think that shifting from having it on this device, or that device, or storing it on the network — it may change the risk dynamics, but it doesn't eliminate them.

Beaver said that the reason laptop security is such a problem is a simple one: "I would say that inaction is probably the biggest problem we have with security. [IT] management knows that we have problems with security — the network administrators, security managers and whatnot, compliance officers — they know that there's a problem with security, but we still have this issue of inaction. People are not willing to invest the time, money, and resources into fixing this problem."

He also laid the bulk of the problem at the feet of management: "It's an issue of management being overtrusting of their users and of their network administrators — their network admins are saying 'Everything is just fine, we've got it taken care of' — and trusting their users to always do the right thing to make sure that their laptops are not put in compromised positions."

Ponemon agreed:

I've seen issues where organizations' IT security is not involved in laptop loss — it's a help-desk problem. So when you ask to see someone — the security leader — and ask 'How many laptops are, lost, missing, or stolen every year?' they say: 'How would I know? That's not my job. That's this person's job.' But 'this person' may not have any security background at all.

There is a huge gap between the security folks and IT, and then [their] senior leadership. Basically [senior leadership] hears the positive stories — 'everything's okay'. When security is invisible to them, everything's okay. And then they learn about a breach and they get new religion, and that's when they start investing in things like whole-disk encryption and other security tools that may be available.