sign in sign up
<<
Home , Cabinet (file format)

Risk Control Bulletin Laptop Computer Security

RISK CONTROL

Laptop Security conducted in 2009 was that the average value of a lost laptop was $49,246. This value is based on seven cost components: replacement Laptop computers are vital tools used by a wide population of cost, detection, forensics, data breach, lost intellectual property technology-industry workers. Since laptop computers and handheld costs, lost productivity and legal, consulting and regulatory expenses. devices are not typically used in a fixed, securable location, additional Occurrence of a data breach represents 80 percent of the cost. measures are needed to protect them. Therefore, it is important to take additional steps to prevent losses • A formal security policy detailing end-user responsibility for related to data breaches associated with the theft of data storage securing these devices and the data they contain is essential. devices and media. Devices should never be left unattended. • Cable locks and docking stations should be used but only when • First, carefully evaluate the need for storage of sensitive information the device is left in a secure location, such as an office, for short on any of portable device or removable media. In many cases, periods. it will be determined that the need for storing information on these difficult-to-secure devices is not worth the benefit given today’s - These security methods are easily compromised and higher threat environment. security options should be used when leaving a laptop in an office overnight (locked in storage area, file cabinet, etc…) • Wher e possible, prohibit such storage in an information security policy but also evaluate technical means of preventing this data • T ravel procedures should address common high risk situations: leakage—disabling or monitoring usage of USB ports, content - A void storage in automobiles. filtering and other methods are possible. - Do not leave devices unattended in hotel rooms. • If it is determined that storage on portable devices or removable - Airport – security area, check-in counters, baggage claim, media is absolutely necessary, this data must be protected and restrooms, food courts and curbside pick-up areas are all high-risk encryption is the most common means of doing so. areas for theft of portable devices. Warn end-users to maintain Encryption is the process of making data unreadable except to those extra vigilance in these areas. who possess the appropriate key to decode and read the data. Many Potential losses associated with exposure of sensitive data stored of the state breach notification laws do not mandate notification of on stolen laptop and desktop computers can be much greater than affected parties if the data involved is encrypted. the cost associated with replacing the stolen equipment. A key finding of the Ponemon Institute’s The Cost of a Lost Laptop study RISK CONTROL

Resources for encryption of stored data:

EFS – The Encrypted File System has been available on professional versions of since Windows 2000. EFS allows file level encryption of sensitive files. Additionally, Microsoft BitLocker Drive Encryption is available on Microsoft Windows XP and Vista. With BitLocker, all data on a PC can be encrypted, preventing unauthorized users from being able to circumvent operating system passwords and access data.

The following link is to a “Data Encryption Toolkit for Mobile PCs,” which is provided by Microsoft. This toolkit provides guidance and software tools needed to effectively use both EFS and BitLocker for encryption of sensitive data. http://technet.microsoft.com/en-us/ library/cc500474.aspx

TrueCrypt – is a free open-source option for whole disk encryption for Windows Vista/XP, Mac OS X, and Linux operating systems. Details and downloads can be found the following link: http://www.truecrypt.org/

For information, contact your independent agent, CNA risk control consultant or visit www.cna.com today

The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. CNA is a registered trademark of CNA Financial Corporation. Copyright © 2016 CNA. All rights reserved.