Intel is trumpeting a recent study that shows businesses and other organizations risking billions of dollars annually due to lost or stolen laptops. But worry not: it has a "third pillar" to prop up those losses.
"Looking at these results, you can barely fathom the significant financial impact of missing laptops," the general manager of Intel Anti-Theft Services Anand Pashupathy said in a release announcing the study.
"More astonishing," Pashupathy added, "considering the vulnerability of laptops and their data is that the majority of these companies aren't taking even basic precautions to protect them."
Intel, of course, has its own reasons for raising the specter of laptop security breaches — 7.68 billion reasons, to be exact. That's how many simoleans Chipzilla shelled out for security firm McAfee, which it acquired this August.
When discussing that acquisition with reporters and analysts, Intel CEO Paul Otellini said: "We have concluded that security has now become the third pillar of computing, joining energy-efficient performance and Internet connectivity in importance."
And so now Intel has released a study — "The Billion Dollar Lost Laptop Problem" (PDF) — that it conducted in conjunction with the independent privacy and information-security researchers at the Ponemon Institute.
The study surveyed 329 private and public US organizations, which taken together reported a total of 86,455 lost or missing laptops.
Those numbers are firm. The total dollar amount put at risk by those lost, missing, or stolen laptops is a bit fuzzier, however — that is, if you consider statistical wizardry such as Bayesian probabilistic analysis to be fuzzy.
Speaking with reporters in San Francisco on Thursday, the Ponemon Institute's chairman and founder Larry Ponemon said that a 2009 study he conducted entitled, appropriately enough, "Cost of a Lost Laptop" (PDF), determined that an organization would be out an average of $49,246 per lost laptop.
That survey's cost average was a weighted one, calculated to reflect such factors as different combinations of encryption and confidential material in those 86,455 missing laptops. The costs — stat-speak for "risks" — includes such factors as "replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses."
Ponemon was clear that such a high weighted average doesn't indicate that most — or even many — laptops are of that value. "In some cases, a laptop is going to contain no information," he told reporters, "but in some cases it's going to contain the trade secrets of the universe. The probability of that laptop being lost or stolen is probably very low, because there's very few laptops that would fall into that category.
"So when we actually calculate the number — the average — there are some laptops that are probably unbelievably expensive, millions of dollar of potential loss, because that laptop is unique. But many laptops, the majority of laptops, are not that expensive."
Despite those caveats, the report claims that the total amount at risk in the 329 organizations surveyed is "a staggering $2.1bn."
Joining Ponemon at Thursday's event was Intel's chief information security officer Malcolm Harkins, who said that it was the rare user who even knew that there was valuable or confidential information on his or her laptop. "When you ask somebody, 'Hey was there anything sensitive on [your laptop]?'," he said, "most of the time you get the answer of 'No'. Probably 75 per cent of the folks don't really recognize that they have sensitive content on there."
More than data loss
Another event panelist, security consultant Kevin Beaver of Principle Logic, pointed out that it's not merely the files on a laptop that can compromise security. Describing a recent test he did on an assortment of laptops from a variety or organizations, he said:
First of all, I was able to boot up [a laptop] with a boot CD and basically crack the passwords so I could log-in locally to the laptop. I found files that were stored locally, temp files that were stored by the application that the user doesn't even know about, [and] domain passwords. I was able to see some cached passwords that the user used to log onto the Windows domain — it didn't have the password itself, but it had a password hash, and I was able to crack that, so that in essence opens up the entire domain to potential intrusion.
VPN connections, remote desktop connections, wireless encryption keys — I found all of this stuff on just a couple of sample laptops. We're talking about data loss here, but we're also talking about further intrusions into the network. The odds that whoever comes across the laptop knows how to do this stuff may be low, but the reality is that you don't know.
Beaver also said that organizations are not paying enough attention to laptop security: "People are pouring tens of thousands, hundreds of thousands of dollars into preventing SQL injections and cross-site scripting into their web applications, they're trying to do whatever they can to protect their database. And meanwhile all their people are walking around with these unprotected laptops — be it unencrypted laptops, [a lack of] mobile tracking, remote wipe, and whatnot. It just doesn't add up."
Ponemon was equally blunt: "We do a lot of research and we see that a lot of organizations are incompetent in protecting information assets," he said. "Laptop computers and small, mobile, data-bearing devices are almost always at risk."
Beaver agreed, saying: "Laptops are always consistently the greatest risk that I find in any given security assessment."
The panel's host and general manager of Intel's anti-theft services Anand Pashupathy outlined the magnitude of the problem, citing survey results that showed that one in ten laptops go missing in an average three-year lifetime.
If a laptop is lost or stolen, your business is in trouble, said Pashupathy. "At the end of the day, data is what defines your business, it defines your company."
Keeping sensitive material off your laptop and instead using that laptop as a dumb terminal to access the cloud is no solution, said Harkins:
Even if you did that, that doesn't mean the data is protected, because if you lost the terminal and had the login credentials, it doesn't matter if it's in the cloud, you crack it and you'd still get access to it. You can't just think that shifting from having it on this device, or that device, or storing it on the network — it may change the risk dynamics, but it doesn't eliminate them.
Beaver said that the reason laptop security is such a problem is a simple one: "I would say that inaction is probably the biggest problem we have with security. [IT] management knows that we have problems with security — the network administrators, security managers and whatnot, compliance officers — they know that there's a problem with security, but we still have this issue of inaction. People are not willing to invest the time, money, and resources into fixing this problem."
He also laid the bulk of the problem at the feet of management: "It's an issue of management being overtrusting of their users and of their network administrators — their network admins are saying 'Everything is just fine, we've got it taken care of' — and trusting their users to always do the right thing to make sure that their laptops are not put in compromised positions."
I've seen issues where organizations' IT security is not involved in laptop loss — it's a help-desk problem. So when you ask to see someone — the security leader — and ask 'How many laptops are, lost, missing, or stolen every year?' they say: 'How would I know? That's not my job. That's this person's job.' But 'this person' may not have any security background at all.
There is a huge gap between the security folks and IT, and then [their] senior leadership. Basically [senior leadership] hears the positive stories — 'everything's okay'. When security is invisible to them, everything's okay. And then they learn about a breach and they get new religion, and that's when they start investing in things like whole-disk encryption and other security tools that may be available.
Users came in for their share of blame, as well. Ponemon said those worthies often muck about with IT-installed security measures: "Even things like encryption, for example — file encryption, not whole-disk encryption — it's pretty easy to turn it off. And a lot of end users are saying, 'How can I circumvent the security system? My booting up everyday, it's another 10 seconds — or the degradation is a nanosecond — I don't want to live with that.'
"So the company thinks everything's okay," he said, "but the end user is really carrying a loaded gun."
But users' lackadaisical attitude is easily understood, said Ponemon: "For the most part end users aren't security people, and they don't care about security, and they see it as an incovenience."
The solution — and here's where Intel's "third pillar" comes in — is to make laptop security a no-brainer. "The more you can 'idiot proof' — excuse that statement — or make it easy or invisible to the user," Ponemon said, "the more successful you're going to be."
Beaver think that hardware-based security is inevitable. "It might be next year, it might be five or 10 years from now, but I do think there will be a general expectation from people across the board, like 'Hey you, Mr. Hardware Vendor, what are you doing to protect my data?'"
Despite the clear connection of the panel's message to Intel's McAfee aquisition, Beaver was the only panelist to mention it, even in passing:
One of the things I've always said is that unless and until the hardware vendors implement security at that level — in the factory — I think we're going to continue having data-security probllems. Be it something like anti-theft technology ... [or] something related to an acquisition recently, I think that is going to help facilitate a lot of security and help fulfill a lot of exectations down the road.
Pashupathy may not have spoken directly about Intel's third pillar, but he did wax rhapsodically about the promise of hardware-based laptop security: "Our goal — at least my product's goal — is to embed [security] in hardware, and build out an ecosystem such that it does become a standard over time. It's not a standard today, but that would be nirvana." ®
Ponemon also spoke of one immediate and low-tech way to increase the security of your company's laptops: "Some companies now require you to put a label, a company label, like 'I work for Accenture'," onto employees' laptops, he said. "It's probably a bad idea to do that, even though it might make it easier for you to say, 'That is my Dell,' and not somebody else's and by accident take someone's computer that looks the same. But it may, in fact, increase the risk of theft, and we have some early evidence that suggests that."