Daniel Robinson looked like just another job candidate. With his dark gray suit, wingtips, no-nonsense red tie and neatly trimmed hair, he was so utterly unremarkable that, when he asked the receptionist if he might slip into a restricted area of the building to use the bathroom, she let him in without thinking twice. Only minutes later, a brand-new laptop and not coincidentally, Robinson had vanished.
This story is a made-up one for our purposes, but the crime is real enough. And even though the 2003 annual CSI/FBI computer crime and security survey showed a drop in the number of companies reporting stolen laptops, more than half of respondents in the past several years reported that they had been victimized.
And the real anecdotes are pervasive: A large insurer had two of its laptops stolen from a locked car. They contained data on about 200,000 customers, who then had to be informed that they were at risk of identity theft. At a banking giant, a laptop containing data on thousands of the bank's mortgage customers was stolen from a rental car's trunk when two employees traveling together stopped at a convenience store and left the car unlocked with the keys in the ignition. In another incident, the Australian government revealed that over the past several years it lost more than 1,000 laptops, 537 of those from its department of defense. And police in Delaware and Pennsylvania joined forces to bust a fencing operation that specialized in car break-ins. Police raided the ringleader's business and confiscated 35 stolen laptops and 20 PDAs.
Safeware, a computer insurance provider, estimates that in 2002, U.S. PC owners filed 620,000 claims for computer thefts most of them for stolen laptops. And those numbers only promise to increase. IDC predicts that, by 2008, 50 percent of the PCs in the United States will be laptops (up from 29 percent in 2004), which means there'll be plenty of targets out there. Many PC owners seem oblivious to the risks surrounding their equipment; a good number of thefts occur because people carelessly leave their computers in places where they are likely to be stolen.
The dollar amount of such losses isn't easily determined. The CSI/FBI survey pegs losses by U.S. companies from laptop theft in 2003 at $6.8 million, but that doesn't necessarily include the value of the data lost. Gartner estimates that a single stolen laptop can cost a company more than $6,000 for hardware, software, restoring data (assuming it was backed up in the first place) and user downtime. Gartner analyst Leslie Fiering notes that this number doesn't account for the cost of any data lost or exposed.
What can companies do to stop computers from being stolen? "Security today is what quality was in the '80s," says Gerry McCartney, CIO at the Wharton School. "People say, 'Yeah, I don't have to worry about that, we have a team that does that.' So they leave their offices open all the time. It goes back to the mentality that security is someone else's problem, not mine."
But, like quality, "these virtues are either [ingrained] in an organization or they're not," McCartney says. "You can't put up a sign and create them."
At least, not overnight, says Tim McKnight, senior director and CISO of Northrop Grumman. While he acknowledges that company cultures are hard to change, McKnight says that they can become more security-conscious though only if top management leads the way. "There's no silver bullet for the issue," he notes, saying companies must pay attention to four areas: user awareness, physical security, new and old technologies, and policy.
"You have to consistently enforce all of that or you lose control," McKnight says. Accordingly, Northrop Grumman constantly drives home the security point. The company has a mandatory security awareness program for all its employees and prohibits employees, including the CEO, from taking laptops with them when traveling to a set list of countries. And company security policy strongly discourages employees from putting data on any devices that leave the borders of the physical corporate building.
Even so, the company occasionally sees laptops stolen, but not from classic "smash and grab" actions; they've been taken almost exclusively from hotels when employees are traveling on business. Hotels are magnets for laptop thieves: They look for weary business travelers who aren't paying attention or who set their laptop cases down for a moment in an unoccupied conference room.
At McKesson, the company has password-protected the hard drives in its notebooks to ensure that if they're removed, they can't be read. Patrick Heim, McKesson's vice president of enterprise security, says, "It's a minor inconvenience for users," but worth it overall to the company. He says that the company encrypts data only for users who carry sensitive information. Heim notes that McKesson's policies can't prevent someone from leaving a laptop in his car, but password protecting the hard drive limits the company's liability, and it's something the company can enforce.
In McKnight's case, he adds that it helps that Northrop Grumman is a defense contractor. Over half of its employees hold some level of government clearance and attend a security refresher yearly to maintain their clearance levels. Many of its buildings require clearance to enter an automatic barrier to the Daniel Robinsons of the world. But even in buildings that don't, escorts are assigned to all visitors (even when they're headed to the bathroom) and surveillance cameras monitor the premises.
That kind of talk would please Richard Leon, a seen-it-all inspector with the burglary and fencing detail in the San Francisco police department (SFPD). Leon thinks companies should never let visitors in without escorts and should issue badges that clearly show someone is an outsider. In addition, employees should also challenge people they don't recognize who don't have a badge visible. (He recommends that company security guards do badgeless walk-throughs and reward employees who challenge them.)
Most companies have no record of their laptops' serial numbers, which means that there's almost zero chance of recovering the computers if stolen. Law enforcement officials also believe in policy. Leon and his boss, Lt. Tom Buckley, think simple measures make all the difference. By using visitor escorts, enforcing use of badges and employing surveillance systems where someone actually watches the monitors, most companies would drastically reduce their potential losses for laptop theft, says Leon. Buckley also notes that most companies have no record of their laptops' serial numbers, which means that there's almost zero chance of recovering the computers if stolen. "Look, you can't stop all of it. But if there's no policy, it's wide open," Buckley says.
So policy can work. Again, though, companies must be disciplined about it. Here's what they should do:
* Educate users. Bombard new users with the statistics on theft and the horror stories. Remind them of the need for Sarbanes-Oxley and HIPAA
compliance. Drill the fear of laptop theft into their heads.
* Establish data policies. For users with sensitive data access, make sure they need a password to access their hard drives. Encrypt sensitive
data and use automated backup. For notebooks with sensitive data on them, try motion alarms.
* Do not leave company visitors unattended.
* Finally, remember that policy is also not something a company adopts solely to prevent theft. In fact, Harold Hendershot, section chief of
the computer intrusion section of the FBI's cyberdivision, says policy must extend to what happens when a laptop is stolen, starting with whether to
report it to law enforcement.
"As a security officer, you're going to want to do an assessment: What was on the laptop? Was the password for the corporate network written anywhere? Does the laptop have remote access software?" says Hendershot. Companies need to ask these questions to see how vulnerable they are.
Though most laptops are stolen simply for the hardware to be fenced, exceptions will exist. Hendershot says the FBI was recently involved in tracing laptop thefts from a national laboratory. It suspected the worst for lab data. But it turned out that drug dealers just wanted to use the stolen computers for running navigation software. They plotted the locations where police usually set up their roadblocks and mapped alternate routes for drug runners. Still, Hendershot recommends finding out whether there's proprietary data, especially financial data, on the hard disk of any stolen laptop.
Companies should know that the number-one reason why laptops are not recovered is that the laptop's serial number exists only on the laptop. Gartner's Fiering says that many companies have tried to use asset tags to counter this problem. But these are easy to remove, so that doesn't work. She recommends asset management software for keeping the serial number separate from the notebook.
Meet Your Perp
Think a Daniel Robinson could never walk into your office? The SFPD's Leon has repeatedly watched perps wander around offices unchallenged. Leon says companies should have surveillance cameras monitoring their floor space, but agrees that's obviously not enough. In seven years of battling laptop theft, Leon's got shelves of surveillance video stored in SFPD's evidence library, filled with scenes of perps probing office spaces and walking off with laptops. Occasionally, a company will watch in shock as an employee caught on tape commits the crime. Usually, however, the perp is an outsider. And he or she is not likely to get caught except by chance.
Leon says laptop thieves typically do not operate alone, but in small groups or rings. They case office buildings to see when they can slip past security guards and to figure out when reception desks are unoccupied. They pretend to have job interviews or simply ask to fill out an application for employment. If the receptionist leaves the area, the perp will slip in, swipe a notebook and then duck out. The perp can be observed on surveillance video, popping in and out of offices, and then becoming just another cube dweller casually carrying a laptop, seemingly en route to his next meeting.
Leon says laptops are the number-one item stolen in San Francisco, surpassing even bicycles. Such statistics likely hold true for most major cities, as both items are easy to transport and resell. Leon doesn't have any hard numbers, but estimates that SFPD gets at least 100 calls per month about stolen laptops. He says even though the machines have dropped in price, high-quality laptops will still draw at least $500 on the black market. The outlets are numerous: Stolen laptops pop up on eBay and Craigslist, at flea markets and pawn shops. Sometimes they're just hustled on the streets, like watches or necklaces.
Stealing a laptop is typically a felony. But for a first offense, the perpetrator is probably going to get off with probation, making it a crime without stiff consequences. The exception to that rule (at least in San Francisco) is if the computer is taken from a hotel, which falls under stricter burglary codes.
Leon says people on the road need to treat their laptops as if they were hefty, bulky wallets. That means not leaving them in cars (like the British intelligence agent who had a laptop with Gulf War plans stolen in 1990), or on a lectern when mingling with the audience after a speech (à la Qualcomm CEO Irwin Jacobs, whose laptop, replete with valuable company data, was stolen in just such fashion in 2000).
"Familiarity breeds contempt," Leon shrugs. Or at least forgetfulness. And that's all a criminal needs to make off with a laptop.