privacy update

Tips for Protecting Laptops from Theft

With a rash of laptop thefts recently occurring, here some timely security reminders from leading security experts.

Recently, Aetna, Ernst & Young, Fidelity Investments, and the Vermont State Colleges system, each reported thefts of employee laptops, which cumulatively exposed more than 450,000 individuals' Social Security numbers and other identification. Though none of the thefts apparently were spurred by the desire to steal the information on the laptop, they highlight the continuing challenges that businesses have about laptops.

Experts say that the two most important security measures are being careful about what is put on the laptop in the first place and encrypting sensitive information.

'Proprietary information on a laptop is never a good idea,' said Robert Siciliano, author of the blog, www.idtheftsecurity.blogspot.com. 'Always consider storing important data on a biometric USB' that is removed from the laptop.

Companies should carefully devise data security plans that assess which information can be accessed by which employees. 'Confidential company/customer data should not be distributed to unauthorized personnel,' said Ariel Coro, CISSP, offering a basic piece of advice that is all-too-often ignored.

Encryption is a must, and biometric security systems are rapidly becoming the new standard. 'Biometric sensors reduce the risk of PC theft and fraud ' allowing authorized users to easily and quickly access their files by simply touching or sliding their finger across the sensor surface, while restricting access to the computer and its files to only those enrolled,' said Rachel Kingery, representing AuthenTec, a manufacturer of biometric systems that are now in more than 100 PC models.

'Biometrics make PCs easier to use [by] eliminating the need to remember cumbersome passwords,' Kingery said. 'Every laptop manufacturer, except Apple, to my knowledge, has released at least one laptop model with an embedded biometric fingerprint sensor.'

Yet the following simple steps can enhance laptop security without converting laptops to biometric-enabled protection devices:

•   Use a locking cable and an alarm for your laptop, available at any computer store. 'I don't always lock my laptop at home, but I often lock it in hotel rooms and even in my private office when leaving for extended periods of time,' said Ted Demopoulos, a security consultant and co-author of Blogging for Business, February 2006.
• Carry your laptop in something other than a laptop bag, for example a briefcase or backpack. Don't make it obvious that your bag contains a laptop.
• Try not to leave laptops in a car. 'This isn't always practical,' Demopoulos admits, 'But minimize it as much as practical. Never leave a laptop, laptop case, or briefcase in plain sight in a car.'
• Watch your laptop carefully in airports and train stations, and watch out for 'distraction theft' attempts. That's the lesson from the recent Fidelity incident. Demopoulos advises against putting laptops in checked luggage, either.
•   'Use complex passwords [combination of letters and numbers], and change them regularly,' said John Livingston, CEO of Absolute Software, which helps companies track ownership and usage of their computers. 'Never leave your password in obvious places on or near the computer.'
• Consider purchasing software that will locate a stolen laptop, similar to the LoJack systems installed on many vehicles.
• Don't leave your laptop or any laptop accessories visible in your hotel. In a drawer covered by clothes might be better than an in-room safe. 'Hotel safes have zero security,' said Siciliano.
• Don't leave a laptop unattended, whether at a trade show, at a meeting in another office, or even on an airport shuttle, said Coro.

And a final reminder: Back up data often, said Ira Winkler, a security consultant who co-created with Office Depot a small-business security educational program. If a laptop is lost or stolen, having up-to-date backups has two critical benefits, Winkler said: 1) the backup will enable the company to quickly determine whether sensitive information was compromised, and who needs to be informed; and 2) information the company needs to keep operating will not be lost along with the laptop.

Iron Mountain Loses Tapes with Data on 17,000 Railroad Workers

Iron Mountain, Inc., one of the leading data storage firms in the nation, confirmed that it lost personal data, including Social Security numbers, for as many as 17,000 current and former employees of the Long Island Rail Road. The loss occurred on April 6 when the company was transferring physical backup tapes from an Iron Mountain storage location to an LIRR office in Queens, NY.

New York police are continuing to search for the data tapes and are treating it as a theft. But in a published statement, Iron Mountain said that the loss was not necessarily a theft. Iron Mountain would not indicate whether the information was encrypted, but it did note that 'it is extremely unlikely that any person who found these tapes could access the information stored on them because access would require highly specialized expertise.”