How to Stop a Laptop Thief

Your data is more at risk than ever as easily stolen laptops become more and more prevalent.

Daniel Robinson looked like just another job candidate. With his dark grey suit, wingtips, no-nonsense red tie and neatly trimmed hair, he was so utterly unremarkable that, when he asked the receptionist if he might slip into a restricted area of the building to use the bathroom, she let him in without thinking twice. Only minutes later, a brand-new laptop - and not coincidentally, Robinson - had vanished.

This story is a made-up one for our purposes, but the crime is real enough. In Australia, AusCERT's 2004 Australian Computer Crime and Security Survey showed that for two years in a row more than half of respondents (58 percent in 2004 and 53 percent in 2003) reported that they had been victimized. In addition, 63 percent of respondents claimed that laptop theft had caused their organization some financial loss in the previous 12 months.

And the real anecdotes are pervasive: A large insurer had two of its laptops stolen from a locked car. They contained data on about 200,000 customers, who then had to be informed that they were at risk of identity theft. At a banking giant, a laptop containing data on thousands of the bank's mortgage customers was stolen from a rental car's boot when two employees travelling together stopped at a convenience store and left the car unlocked with the keys in the ignition. In another incident, the Australian government revealed that over the past several years it lost more than 1000 laptops, 537 of those from the Department of Defence. And police in Delaware and Pennsylvania joined forces to bust a fencing operation that specialized in car break-ins. Police raided the ringleader's business and confiscated 35 stolen laptops and 20 PDAs.

Safeware, a computer insurance provider, estimates that in 2002, US PC owners filed 620,000 claims for computer thefts - most of them for stolen laptops. And those numbers only promise to increase. IDC predicts that, by 2008, 50 percent of the PCs in the United States will be laptops (up from 29 percent in 2004), which means there'll be plenty of targets out there. Many PC owners seem oblivious to the risks surrounding their equipment; a good number of thefts occur because people carelessly leave their computers in places where they are likely to be stolen.

The dollar amount of such losses isn't easily determined. The AusCERT survey pegs losses by Australian companies from laptop theft in 2003 at $1,484,244, but that doesn't necessarily include the value of data lost. The survey also showed 97 Australian organizations reported that they lost time recovering from laptop theft - and one organization said it may never recover. Gartner estimates that a single stolen laptop can cost a company more than $US6000 for hardware, software, restoring data (assuming it was backed up in the first place) and user downtime. Gartner analyst Leslie Fiering notes that this number doesn't account for the cost of any data lost or exposed.

What can companies do to stop computers from being stolen? "Security today is what quality was in the 80s," says Gerry McCartney, CIO at the Wharton School. "People say: 'Yeah, I don't have to worry about that, we have a team that does that.' So they leave their offices open all the time. It goes back to the mentality that security is someone else's problem, not mine."

But, like quality, "these virtues are either [ingrained] in an organization or they're not", McCartney says. "You can't put up a sign and create them."

At least, not overnight, says Tim McKnight, senior director and CISO of Northrop Grumman. While he acknowledges that company cultures are hard to change, McKnight says that they can become more security-conscious - though only if top management leads the way. "There's no silver bullet for the issue," he notes, saying companies must pay attention to four areas: user awareness, physical security, new and old technologies, and policy.

Page Break

"You have to consistently enforce all of that or you lose control," McKnight says. Accordingly, Northrop Grumman constantly drives home the security point. The company has a mandatory security awareness program for all its employees and prohibits employees, including the CEO, from taking laptops with them when travelling to a set list of countries. And company security policy strongly discourages employees from putting data on any devices that leave the borders of the physical corporate building.

Even so, the company occasionally sees laptops stolen, but not from classic "smash and grab" actions; they've been taken almost exclusively from hotels when employees are travelling on business. Hotels are magnets for laptop thieves: They look for weary business travellers who aren't paying attention or who set their laptop cases down for a moment in an unoccupied conference room.

At McKesson, the company has password-protected the hard drives in its notebooks to ensure that if they're removed, they can't be read. Patrick Heim, McKesson's vice president of enterprise security, says: "It's a minor inconvenience for users", but worth it overall to the company. He says that the company encrypts data only for users who carry sensitive information. Heim notes that McKesson's policies can't prevent someone from leaving a laptop in his car, but password protecting the hard drive limits the company's liability, and it's something the company can enforce.

In McKnight's case, he adds that it helps that Northrop Grumman is a defence contractor. Over half of its employees hold some level of government clearance and attend a security refresher yearly to maintain their clearance levels. Many of its buildings require clearance to enter - an automatic barrier to the Daniel Robinsons of the world. But even in buildings that don't, escorts are assigned to all visitors (even when they're headed to the bathroom) and surveillance cameras monitor the premises.

That kind of talk would please Richard Leon, a seen-it-all inspector with the burglary and fencing detail in the San Francisco police department (SFPD). Leon thinks companies should never let visitors in without escorts and should issue badges that clearly show someone is an outsider. In addition, employees should also challenge people they don't recognize who don't have a badge visible. (He recommends that company security guards do badgeless walk-throughs and reward employees who challenge them.)

Law enforcement officials also believe in policy. Leon and his boss, lieutenant Tom Buckley, think simple measures make all the difference. By using visitor escorts, enforcing use of badges and employing surveillance systems where someone actually watches the monitors, most companies would drastically reduce their potential losses for laptop theft, says Leon. Buckley also notes that most companies have no record of their laptops' serial numbers, which means that there's almost zero chance of recovering the computers if stolen. "Look, you can't stop all of it. But if there's no policy, it's wide open," Buckley says.

So policy can work. Again, though, companies must be disciplined about it. Here's what they should do:

• Educate users. Bombard new users with the statistics on theft and the horror stories. Remind them of the need for Sarbanes-Oxley and HIPAA compliance. Drill the fear of laptop theft into their heads.

• Establish data policies. For users with sensitive data access, make sure they need a password to access their hard drives. Encrypt sensitive data and use automated backup. For notebooks with sensitive data on them, try motion alarms.

• Do not leave company visitors unattended.

• Finally, remember that policy is also not something a company adopts solely to prevent theft. In fact, Harold Hendershot, section chief of the computer intrusion section of the FBI's cyberdivision, says policy must extend to what happens when a laptop is stolen, starting with whether to report it to law enforcement.

"As a security officer, you're going to want to do an assessment: What was on the laptop? Was the password for the corporate network written anywhere? Does the laptop have remote access software?" says Hendershot. Companies need to ask these questions to see how vulnerable they are.

Though most laptops are stolen simply for the hardware to be fenced, exceptions will exist. Hendershot says the FBI was recently involved in tracing laptop thefts from a national laboratory. It suspected the worst for lab data. But it turned out that drug dealers just wanted to use the stolen computers for running navigation software. They plotted the locations where police usually set up their roadblocks and mapped alternate routes for drug runners. Still, Hendershot recommends finding out whether there's proprietary data, especially financial data, on the hard disk of any stolen laptop.

Companies should know that the number-one reason why laptops are not recovered is that the laptop's serial number exists only on the laptop. Gartner's Fiering says that many companies have tried to use asset tags to counter this problem. But these are easy to remove, so that doesn't work. She recommends asset management software for keeping the serial number separate from the notebook.

Page Break

Meet Your Perp

Think a Daniel Robinson could never walk into your office? The SFPD's Leon has repeatedly watched perps wander around offices unchallenged. Leon says companies should have surveillance cameras monitoring their floor space, but agrees that's obviously not enough. In seven years of battling laptop theft, Leon's got shelves of surveillance video stored in SFPD's evidence library, filled with scenes of perps probing office spaces and walking off with laptops. Occasionally, a company will watch in shock as an employee caught on tape commits the crime. Usually, however, the perp is an outsider. And he or she is not likely to get caught except by chance.

Leon says laptop thieves typically do not operate alone, but in small groups or rings. They case office buildings to see when they can slip past security guards and to figure out when reception desks are unoccupied. They pretend to have job interviews or simply ask to fill out an application for employment. If the receptionist leaves the area, the perp will slip in, swipe a notebook and then duck out. The perp can be observed on surveillance video, popping in and out of offices, and then becoming just another cube dweller casually carrying a laptop, seemingly en route to his next meeting.

Leon says laptops are the number-one item stolen in San Francisco, surpassing even bicycles. Such statistics likely hold true for most major cities, as both items are easy to transport and resell. Leon doesn't have any hard numbers, but estimates that SFPD gets at least 100 calls per month about stolen laptops. He says even though the machines have dropped in price, high-quality laptops will still draw at least $US500 on the black market. The outlets are numerous: Stolen laptops pop up on eBay and Craigslist, at flea markets and pawn shops. Sometimes they're just hustled on the streets, like watches or necklaces.

Stealing a laptop is typically a felony. But for a first offence, the perpetrator is probably going to get off with probation, making it a crime without stiff consequences. The exception to that rule (at least in San Francisco) is if the computer is taken from a hotel, which falls under stricter burglary codes.

Leon says people on the road need to treat their laptops as if they were hefty, bulky wallets. That means not leaving them in cars (like the British intelligence agent who had a laptop with Gulf War plans stolen in 1990), or on a lectern when mingling with the audience after a speech (a la Qualcomm CEO Irwin Jacobs, whose laptop, replete with valuable company data, was stolen in just such fashion in 2000).

"Familiarity breeds contempt," Leon shrugs. Or at least forgetfulness. And that's all a criminal needs to make off with a laptop.

SIDEBAR: Keep It Close to the Vest

Here are some tips for travelling safely with your laptop and protecting the intellectual property contained therein

• Never leave your laptop unattended. This may seem basic, but unattended also includes the boot of your car, your hotel room, others' offices or in your luggage.
• Restrict password access. There's software that can quickly do this for you. To review your options, get reports on the latest products at www.cnet.com.
• Encrypt stored files. Software can do this for you too. But be sure to do your homework on this one.
• Beware of shoulder surfers. When people peer over your shoulder in the airport, they may be trying to see the sports scores that you have scrolling on streaming video, but they may also be trying to steal the data off your confidential company earnings report. Use a polarizing screen cover. Better yet, use your laptop in a more private location.
• Change passwords often. It's hard to remember them all, let alone change them. But it only takes a minute, and it's effective.
• Before your laptop is stolen, take preventive measures by adding tracking software. Visit these sites for information: www.sentryinc.com and www.computrace.com.
• Finally, if your laptop is stolen, report it to the local police.

For more information, visit www.amcoex.com/stolen/default.html and www.stolencomputers.org.