IT SECURITY
The true cost of a laptop
Today's business laptops are much more than just tools; they are important IT assets containing valuable corporate information. However, an increasing number go missing each year, something which RFID can help remedy.
by Prof. David C. Wyld, Southeastern Louisiana University
Global Identification - September 2008
All of us now dread the familiar ritual of the airport security line. Shoes off, belts off, jackets off, jewelry off, drinks thrown away, and of course, laptops out of their cases. We always see the unknowing: like the grandmother from Poughkeepsie who hasn't flown since the days of propellers and flight attendants offering real meals with actual silverware en route, or even the tremendously inconvenienced, say the gentleman in a wheelchair and the mother with three kids struggling to comply. Still, Americans and others who travel routinely comply with various airport security drills knowing that it is now just part of life in a post 9/11 world. Airports are even trying to make the process faster, by adding more lanes, and dare we say, a bit fun, as anyone who has seen the video instructions at Las Vegas McCarran International Airport can attest ‒ for those who haven't seen it, it features noted entertainers from the Las Vegas Strip, such as the Blue Man Group and Cirque du Soleil acrobats, trying to comply with Transportation Security Administration (TSA) guidelines.
Still, there is that moment of fear when placing your laptop ‒ laden with your work, your iTunes library, your copy of The Matrix, and in most cases, valuable corporate data and client info ‒ on the screening belt. What if you get distracted by other passengers and their travails? What if you get selected for the special, more intense screening? What if your carry-on has to be hand-inspected for having too big a bottle of shampoo? What if you shouldn't have had that last overpriced beer in the airport bar? The ultimate "what if" question that lingers in the mind of every business traveler is: what if I lose my laptop?
In late June, the Ponemon Institute, an independent information technology research organization, released an astonishing report detailing the extent of the problem of lost laptops in the airport environment. It answers the "what if" question with data suggesting that the problem of lost ‒ and most commonly, stolen ‒ laptops is reaching epidemic proportions at U.S. airports. They found that, on average, at the nation's 106 largest commercial airports, over 12,000 laptops are lost or stolen each week ‒ a staggering 600,000 laptops annually. While some have criticized the institute's study for extrapolating figures to overestimate the size of the laptop security issue, the findings have found support from a variety of computer security and airport industry experts.
Charles Chambers, Senior Vice President of Security for the Airports Council International North America, believes the loss of 12,000 laptops per week to be very plausible, considering that there are 3.5 million business travelers flying each week.
As can be seen in Table 1, there is no direct correlation between the size of the airport and the rate of laptop losses. In fact, while Atlanta's airport is the busiest in the nation ‒ and indeed the entire world ‒ it is tied for eighth overall in the rate of laptop disappearances. In fact, the rate of laptop losses in Atlanta is equal to that of Ronald Reagan Washington National Airport, the 29th busiest in the nation, an airport that handles less than a quarter of the passengers traveling through Hartsfield-Jackson Atlanta International.
Looking at the diagram for laptop losses by location, we can see that 40% of all airport laptop losses take place at the security checkpoint. Hardly surprising, as by design this is where a traveler must be separated from his or her laptop. Earlier this spring, the TSA announced that it was working with laptop bag manufacturers to create designs that would allow for full scanning without the owner needing to remove the laptop from its case at security checkpoints. It is expected that in early fall, we will see the introduction of checkpoint-friendly laptop cases on the market. This could indeed work to greatly lessen the problem of laptops being lost, stolen, or just forgotten at airport security lines. Still, until such approved laptop cases become commonplace, for the vast majority of all air travelers the airport security line may be the place where one's corporate laptop ‒ and thus the valuable corporate data contained inside ‒ is most vulnerable.
Laptop Losses by Location in Airports. Source Data: The Ponemon Institute, Airport Insecurity: The Case of Lost Laptops, June 30, 2008, p. 7.
Perhaps the most astonishing statistics in the Ponemon Institute's study concern what happens after the traveler discovers that his or her laptop has gone missing. Quite worrying for corporate IT managers is the fact that in over two-thirds of all loss cases ‒ 69% of the time ‒ the laptop is not reunited with its owner. What was even more surprising perhaps was the fact that among the business travelers surveyed by the Ponemon Institute for their report, when asked what they would do upon the discovery of a missing laptop, 16% responded that they would do nothing, and over half would contact their company for help or instructions before seeking to find the laptop themselves.
Do nothing?
Commenting on the Ponemon Institute finding that 16% of surveyed business travelers would do nothing if they discovered their laptop was missing, Victor Godinez of the Dallas Morning News remarked: "A question for those who said they would do nothing, and remember, this was a survey of business travelers who presumably rely on their laptops to, you know, stay gainfully employed. What do you do when you show up to the big meeting sans laptop? Pretend to type on an invisible computer? Act like you're suffering from amnesia? Seriously, who does nothing when they discover their laptop is missing? I know laptops are getting cheap, but this seems like a stunning lack of concern for the whereabouts of a machine worth several hundred dollars at least, and presumably storing important documents, valuable photos and so forth."
www.global-identification.com
The high cost of laptop losses
Unfortunately, laptops are lost or stolen not just in airports, but everywhere and anywhere. In fact, in the U.S., it has been estimated that upwards of a million laptops are stolen annually, with an estimated hardware loss alone totaling over a billion dollars. And it is not just companies that are affected. Indeed, across federal agencies, leading universities, and all facets of healthcare and education, there is increasing focus on laptop theft, as surveys of IT executives across organizations of all types show such occurrences happening on a routine basis ‒ often with dire consequences potentially impacting thousands of employees, customers, patients, and students.
Until recently, a common misconception was that the impact of a lost or stolen laptop was merely the cost of replacing the hardware, a replacement cost that could be assumed to continue to decline over time. However, in 2000, the respected Rand Corporation released a study that pegged the actual replacement cost of a lost laptop at an average of over $6,000. The Rand researchers included not just the replacement cost for a new unit plus any payments owed on the missing item, but the data and software lost on the laptop, as well as the added costs to the organization in terms of procuring and setting up the replacement computer.
When including potential loss of corporate data and legal liability, the dollar loss can be quite high. There are wide variances in the estimates of the financial losses stemming from laptop theft, with losses ranging from simple replacement costs of a few thousand dollars to estimates ranging into the millions. Beyond replacement costs, there may be far greater ‒ and more costly ‒ impacts, from loss of customer information and records to loss of confidential business information and intellectual property, such as marketing plans, software code and product renderings. In 2004, a joint study issued by the Computer Security Institute and the Federal Bureau of Investigation (FBI) estimated the cost per incident to be approximately $48,000. iBahn, a leading provider of secure broadband services to hotels and conference centers, found that the average business traveler has over $330,000 worth of personal information on their laptop. Last year, in a white paper entitled "Datagate: The Next Inevitable Corporate Disaster?", McAfee and Datamonitor pegged the value of a lost notebook computer, in terms of confidential consumer information and company data, at almost $9 million. In fact, a recent study has projected that when confidential personal information is lost or stolen, the average cost to a company is actually $197 per record.
Overall, the National Hi-Tech Crime Unit has pegged stolen laptops as having a greater impact on organizations than any other computer threat, including viruses and hackers. Finally, in today's 24/7 media environment, there is also a hit on the company's name brand and image from the negative public relations garnered from such cases, which can translate into declining consumer trust in doing business with the firm and actual negative impact on sales and revenue at least in the short-term, and in some extreme cases, also in the long-term. The FBI itself is not immune from the problem, for it has been estimated that the agency loses 3 to 4 laptops each month.
RFID solutions for laptop security
There is a wide array of data protection measures available today for laptops, from data backups to password protection to encryption and even biometrics. There are also software-based products, which can be built into the BIOS of the machine at the factory. However, RFID-based solutions are just now beginning to enter the marketplace.
In the United States, corporate and governmental interest in acquiring RFID-based laptop security systems is accelerating. In the private sector, clients range from Fortune 500 companies to even smaller businesses. Across higher education, colleges and universities are seeking to replace their laborious paper and barcode based systems for inventorying laptops and other IT assets with RFID installations. In the federal government, a number of cabinet-level agencies have begun looking at RFID solutions. Carrollton, Texas-based Axcess International is working with three federal agencies on RFID tracking of their laptop assets within their facilities using the company's ActiveTag solution. This spring, Profitable Inventory Control Systems (PICS), based in Bogart, Georgia, began installing their AssetTrakker system at the headquarters of the U.S. Army National Guard in Washington, DC. The National Guard has approximately ten thousand electronic assets ‒ with up to 8 per employee ‒ and each will be tagged as part of the PICS installation. The move will begin with the use of hand-held readers for inventory purposes and expand to include readers at building doorways and the parking garage to track movements and send alerts for unauthorized movements.
Photo caption: An increasing number of U.S. business travelers each year lose valuable corporate information in their laptops while transiting through airports.
There are other new entrants in the emerging RFID laptop protection market. Cognizant Technology Solutions' RFID Center of Excellence recently reported that it has developed and implemented an RFID-based laptop tracking system for internal use across its 45,000 plus employees, who use more than 10,000 laptops across its worldwide locations. This rollout could serve as the basis for a commercially-available solution in the future. Saratoga, California-based AssetPulse recently introduced its own AssetGather solution for tracking laptops and other electronic equipment with RFID. The system is designed to work with any type or brand of tags (passive, semi-passive or active) and various forms of readers. The system's software is web-based, and it can provide dashboard controls and real-time visibility on a client's IT assets across multiple locations, including map, graph and list views, based on user preferences. It can also provide IT managers with reporting and audit controls and users with programmed alerts on specific suspect laptop movements, such as perimeter alerts, when an asset goes outside a permitted zone; delinquency alerts, when it is not seen back within a configured time; and serial number alerts, when a specific asset is seen.
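The three alert types described above, as an added example in Python (not code from AssetPulse or from the original article): it evaluates a batch of reader events against per-asset permitted zones, a watchlist and a configured absence limit. The event format, zone names and asset serials are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Read:
    """One tag read reported by a reader (hypothetical event format)."""
    when: datetime
    tag: str   # asset serial number carried by the RFID tag
    zone: str  # zone covered by the reader that saw the tag

def evaluate(reads, permitted, watchlist, max_absence, now):
    """Return sorted (time, tag, alert_type) tuples for a batch of reads.

    permitted:   tag -> set of zones the asset is allowed in
    watchlist:   tags that raise a serial number alert whenever seen
    max_absence: timedelta an asset may stay outside its permitted zones
    now:         evaluation time, for assets that have not come back
    """
    alerts = []
    left_at = {}  # tag -> time it was first read outside its zones
    for r in sorted(reads, key=lambda r: r.when):
        if r.tag in watchlist:
            alerts.append((r.when, r.tag, "serial_number"))
        allowed = permitted.get(r.tag)
        if allowed is None:
            continue  # no zone policy for this tag
        if r.zone in allowed:
            left = left_at.pop(r.tag, None)
            # Came back, but later than allowed: the alert was still due.
            if left is not None and r.when - left > max_absence:
                alerts.append((left + max_absence, r.tag, "delinquency"))
        elif r.tag not in left_at:
            left_at[r.tag] = r.when
            alerts.append((r.when, r.tag, "perimeter"))
    # Assets still outside once the configured time has elapsed.
    for tag, left in left_at.items():
        if now - left > max_absence:
            alerts.append((left + max_absence, tag, "delinquency"))
    return sorted(alerts)

# Constructed sample data: three tagged laptops, all assigned to "office".
T0 = datetime(2008, 9, 1, 9, 0)
PERMITTED = {t: {"office"} for t in ("LT-001", "LT-002", "LT-003")}
SAMPLE_READS = [
    Read(T0, "LT-001", "office"),
    Read(T0 + timedelta(minutes=5), "LT-001", "garage"),   # leaves
    Read(T0 + timedelta(minutes=20), "LT-001", "office"),  # back in time
    Read(T0 + timedelta(minutes=30), "LT-002", "lobby"),   # never returns
    Read(T0 + timedelta(minutes=40), "LT-003", "office"),  # watchlisted
]

if __name__ == "__main__":
    for when, tag, kind in evaluate(SAMPLE_READS, PERMITTED, {"LT-003"},
                                    timedelta(hours=1), T0 + timedelta(hours=2)):
        print(when.isoformat(), tag, kind)
```

A doorway or garage reader only reports where a tag was last seen, so the delinquency timer starts at the first read outside the permitted zones, not at the moment the asset actually left.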
Laptop security is quickly becoming a global marketplace. In India, Orizin Technologies has recently introduced a system for laptop tracking that uses active RFID tags to track laptops and other IT assets in an organization's premises with a range of up to 20 meters.
Finally, perhaps the coolest RFID solution to date comes from the United Kingdom. Sheffield-based Virtuity has introduced a data protection solution under the brand name BackStopp. In short, the solution uses RFID tags to ensure that laptops are securely maintained within the allowable range of a client's facilities. So, as long as the laptop is within range, it operates normally. However, if it is removed on an unauthorized basis from the permitted range, the BackStopp server attempts to locate the laptop, using both the internet and the laptop's internal GSM card. Protection goes beyond that, as the system immediately blocks any unauthorized user from accessing the computer and sends out a self-destruct message to the laptop to securely and permanently delete the data on the hard drive of the computer. BackStopp also has what Virtuity terms a "culprit identification" capability in that the built-in webcam capabilities found in many laptops today are prompted to take and transmit digital images that might very well capture the laptop thief.
IT departments on the line
Much of IT security is based on knowing that a threat is foreseeable, and unfortunately, corporate expenditures against known and continuing threats, from spyware, computer viruses, hackers, denial of service attacks, and other cyber threats, are just a cost of doing business in the Internet Age. Today, laptop theft is a similar foreseeable, ongoing threat. Experts have pegged the probability of a given laptop being lost or stolen at between 1 and 4%. Using the FBI's $48,000 laptop loss estimate, and assuming just a 1% loss probability, the expected loss per laptop, per year is $480. If one uses higher probabilities in the range ‒ between 3 and 4% ‒ the expected loss would easily equal or exceed the actual hardware replacement costs of 95% of all laptops on the market. Thus, even with significant investments for hardware and software to implement RFID-based security, when considering the potential demonstrated costs of the loss of even a single laptop, the ROI equation for RFID protection is clearly demonstrable. And, as we have seen in cases involving companies like IBM and Pfizer and governmental agencies ranging from the U.S. military to leading universities, the larger the organization, the larger the potential vulnerability. Indeed, a 2006 theft of a single laptop from a Department of Veterans Affairs employee exposed personal information on 2.5 million active and retired military personnel.
Finally, the funny thing about statistics is that the chance of a laptop loss occurring for any one company or any one individual goes up over time. So, to guard against this foreseeable threat is not just being proactive, it may even be a necessity in today's legal environment. Courts are increasingly looking at steps that a company has taken to better secure its data in case of a security breach as a mitigating factor in cases stemming from such data loss. Further, legal analysts believe that the much-discussed Sarbanes-Oxley Act may indeed impose new legal requirements on corporate IT departments to safeguard their mobile devices as part of their fiduciary duty to maintain a system of adequate internal controls.
Today's concerns over laptop security may indeed be just the tip of a data-security iceberg, especially when one considers the panoply of mobile devices used in business today: cell phones, PDAs, Blackberries, etc. What's more, the shape of all such electronic devices continues to shrink across the board. While fixed computers still outsell laptops (with just over 150 million desktops sold in 2007), laptop sales are themselves surging, with approximately 110 million units shipped worldwide last year. In fact, global laptop shipments grew by 33% between 2006 and 2007, while PC shipments grew just 4% year on year during the same time period. So, there will be no abating the challenge ‒ and market prospects ‒ for laptop security.
The challenge now is to move beyond the closed-loop, four wall-delimited solutions being introduced and marketed today to more open system solutions that would enable tracking and location of laptops on a global basis. Let's face it, we have systems on the market today for tracking down golf balls in the woods, but if you lose your laptop in an airport, hotel or restaurant you have no way to remotely locate it simply because it is a location outside of any closed loop of protection. The company that can find a way to create such location systems, available on demand in high traffic areas such as airports, will find significant interest worldwide. With scary statistics such as those conveyed in this report, the marketing should be an easy sell ‒ namely to take away the "holy $#&*!" fears of traveling executives and their IT managers.
Table 1 ‒ The Top Ten U.S. Airports for Laptop Loss. Airports are ranked by total annual enplanements for the entire 2007 calendar year. Source Data: The Ponemon Institute, Airport Insecurity: The Case of Lost Laptops, June 30, 2008, p. 3 and Bureau of Transportation Statistics Data, July 2008.