Lost Laptops = Lost Data Measuring Costs, Managing Threats by Glenn Kitteringham, CPP ABOUT the CRISP SERIES of REPORTS

ASIS FOUNDATION ASIS

Crisp Report Connecting Research in Security to Practice Lost Laptops = Lost Data Measuring Costs, Managing Threats by Glenn Kitteringham, CPP ABOUT THE CRISP SERIES OF REPORTS

Connecting Research in Security to Practice (CRISP) reports provide insights into how different types of security issues can be tackled effectively. Drawing on research and evidence from around the world, each report summarizes the prevailing knowledge about a specific aspect of security, and then recommends proven approaches to counter the threat. Connecting scientific research with existing security actions helps form good practices.

This series invites experts in specialist aspects of security to present their views on how to understand and tackle a security problem, using the best research evidence available.

Reports are written to appeal to security practitioners in different types of organizations and at different levels. Readers will inevitably adapt what is presented to meet their own requirements. They will also consider how they can integrate the recommended actions with existing or planned programs in their organizations.

In this CRISP report, Glen Kitteringham, CPP, analyzes strategies to protect laptops—and data—at the office, on the road, or at home. Practical checklists and classification schemes help the reader determine adequate levels of data protection. Replacing stolen units is just the start: lost productivity, damaged credibility, frayed customer relations, and heavy legal consequences can cripple both public and private sector organizations.

CRISP reports are sister publications to those produced by Community Oriented Policing Services (COPS) of the U.S. Department of Justice, which can be accessed at www.cops.usdoj.gov. While that series focused on policing, this one focuses on security.

Martin Gill Chair, Research Council ASIS International Foundation

ISBN-13: 978-1-887056-85-4

All rights reserved. Permission is hereby granted to individual users to download this document for their own personal use, with acknowledgement of ASIS International as the source. However, this document may not be downloaded for further copying or reproduction nor may it be sold, offered for sale, or otherwise used commercially. Crisp Report Connecting Research in Security to Practice

An ASIS International Foundation Research Council CRISP Report

Lost Laptops = Lost Data Measuring Costs, Managing Threats

Glen Kitteringham, CPP

ASIS International Foundation, Inc. : Alexandria, VA Contents

Executive Summary...... 3 Need for Research...... 19 Lost Laptops = Lost Data...... 4 References...... 20 Statistics on Stolen Laptops and Lost Data...... 5 Bibliography...... 25 Stolen laptops...... 5 About the Author...... 29 Stolen confidential information...... 5 Appendix A: Threat and Risk Matrix Model...... 30 Measuring the Cost...... 7 Lost productivity...... 7 Appendix B: Laptop Inventory Checklist...... 33 Damaged property...... 8 Replacing laptops...... 8 Appendix C: Data Identification and Recreating data...... 8 Classification Levels...... 34 Added Costs of a Data Breach...... 9 Appendix D: Stages and Steps in Laptop Theft; Customer notifications...... 9 Recommended Responses...... 35 Credit monitoring...... 9 Appendix E: Reducing the Threat from Liability...... 9 Determined Laptop Thieves—25 Situational Lost business...... 10 Prevention Techniques...... 36 Shareholder value...... 10 Appendix F: Implementing Physical Security Internal Factors Contributing to Stolen Laptops Measures—35 Strategies...... 39 and Lost Data...... 11 Accountability...... 11 Appendix G: Implementing Procedural Inadequate security...... 11 Security Measures—61 Strategies...... 44 Perception...... 11 Appendix H: Implementing Electronic External Factors Contributing to Stolen Laptops Security Measures—21 Strategies...... 55 and Lost Data ...... 12 Appendix I: Security Awareness Determined thieves...... 12 Employee Sign-off Sheets...... 59 Repeat victimization...... 13 Appendix J: Laptop Incident Reporting Form.... 64 Managing the Threat...... 13 Legislative recourse...... 14 Physical, electronic, and procedural security enhancements...... 14 Product design...... 15 Disrupting the markets for stolen goods...... 16 Recommended Responses...... 16 Setting goals...... 16 Seven steps to prevent loss ...... 17 An ASIS International Foundation Research Council CRISP Report Executive Summary

aptop computers are essential for organiza- product innovations may help to prevent thefts. tions to make sure their employees have Disrupting the ways thieves can unload their access to information they need wherever bounty is another deterrent. The appendices Lthey are working…at home, in a meeting, or on include exhaustive lists of physical, electronic, and the road. procedural security enhancement, so organizations have specific ways to discourage or A lost laptop creates a two-dimensional prob- prevent thefts. lem. First, the laptop itself must be recovered or replaced. Second, and even more unsettling, is the The report encourages companies to set goals prospect that critical information on the company, to counter laptop theft and then implement those its plans, and its customers could have been lost goals through situational prevention techniques as well. and the seven steps of loss prevention. This report looks at both types of losses, from a Additional research could aid in preventing statistical and cost point of view. It also examines the theft of laptops and the data that resides on the internal and external factors that contribute them. The report concludes with suggestions for to laptop theft. Who steals laptops? What moti- further exploration by academic and corporate vates their actions? Why are companies targeted investigators. repeatedly? Based on an extensive review of published research, the report explores the scope of the problem. A range of detailed solutions is offered. In a sample of worldwide jurisdictions, current legislative efforts impose new sanctions. Several

Lost Laptops = Lost Data Lost Laptops = Lost Data

aptop computers are essential tools in In their attempts to stay competitive in the today’s global economy. Employees at world marketplace, companies cannot afford to all levels, in all business sectors, must be overlook the seemingly insignificant loss of a lap- Lmobile. They must have access to information top. Details on the scope of the problem, the high whether they are at home, on a sales call, or in a price of ignorance, and the determined thieves hotel. looking for loopholes will convince even the most ardent skeptic to take the actions recommended in Because laptops are portable, they are highly this report. susceptible to theft. The theft of business laptops and the loss of the confidential and propriety information residing on them can occur when the user is in the office or on the road. Researchers at Credant Technologies have determined that 25% of laptops are stolen from the office or the owner’s car. Another 14% are lost in airports or on airplanes. Laptop theft is a two-dimensional problem. On the surface, companies must devise ways to secure the actual devices from crafty thieves with easy access to pawnshops and fences. Even more sinister, the data on a stolen laptop has enormous value among the illicit networks that prey on unsuspecting consumers, or reap rewards from insider information.

Researchers at Credant Technologies have determined that 25% of laptops are stolen from the office or the owner’s car. Another 14% are lost in airports or on airplanes.

An ASIS International Foundation Research Council CRISP Report Statistics on Stolen Laptops and Lost Data

ince the mid 1990s, private sector and Between 2005 and 2007, 4,700 laptops were government researchers as well as the media stolen from offices in Calgary, Canada, accord- have tracked not only the growth of the lap- ing to a 2007 survey by the Calgary Public Safety Stop market but also frequent losses. At the same Committee of the Building Owners and Managers time, law enforcement and security professionals Association (BOMA). Medical, financial, oil and quickly realized that laptop theft was a swift portal gas, legal, engineering, transportation, person- to even more valuable confidential information. nel, and property management industries were Researchers began to amass alarming statistics on included in the study. Appendix A is a checklist the scope of both problems. that can be used to track a company’s laptop inventory and monitor how the laptops are being Stolen laptops used. The chance that a laptop will be stolen or lost In a sobering note, Credant Technologies during any twelve months is one in ten, according found that 82% of stolen or lost laptops are never to a 2002 Gartner Group study. Estimates among recovered. Other estimates are even more pessi- industry analysts confirm the frequency with mistic. According to the FBI, for example, 97% of which laptops disappear. A 2004 InfoWorld article, stolen laptops are never recovered. for example, estimated that the annual number of stolen laptops ranges from 700,000 to 1 million. Stolen confidential information That same year, anEntrepreneur Magazine article Statistics that measure the loss of business and used an FBI estimate to report that 1.5 million lap- personal information residing on laptops are even tops had been stolen in 2004, a 50% increase from more alarming. A 2006 Ponemon Institute survey the year before. found that 81% of the U.S. companies studied Both public and private sector organiza- reported the loss of one or more laptops con- tions are at risk worldwide. In a 2006 report, the taining sensitive information in a twelve-month Committee on Government Reform noted that period. The computer security Web site, in the previous five years 1,137 U.S. Department www.attrition.org, includes an extensive list of lap- of Commerce laptops had been lost, stolen, or top and data thefts. In early 2008, the site reported reported missing. A 2006 Australian Computer more than 900 data breaches yielding 310 million Emergency Response Team survey of 17 industries records. found that 58% of the 389 respondents detected laptop thefts during the year of the survey.

Lost Laptops = Lost Data As stated by Credant Technologies research- data they control, they can then determine what ers, “most users are in denial about the severity should or should not reside on a laptop—know- of the information stored on their laptops” and ing that putting data on a laptop increases the are unaware of the real risk involved in losing a likelihood that it could be lost. laptop, which is “exposed corporate information Appendix C shows a threat and risk matrix and customer data.” model that can help organizations determine Authors of the Ponemon Institute’s 2006 U.S. the types of information that hold value to the Survey on Confidential Data at Risk concluded company and the likelihood that it could be lost. “both business and government organizations are By working through the model, management not taking appropriate steps to safeguard sensitive can rate the high, medium, or low probability or confidential information such as intellectual and criticality of an event. Answers can then be property, business confidential documents, cus- charted on the matrix. tomer data, and employee records.” For example, assume that a company’s man- The Committee on Government Reform agement determines that its classified secret reviewed data breaches among 19 U.S. gov- formula gives it a competitive advantage. Losing ernment agencies and observed “data loss is a it would cause the company to lose market share, government-wide occurrence.” The committee incur significant financial losses, and suffer a concluded that the agencies do not always know stock price reduction. So the company rates its what has been lost and that physical security of secret formula as highly critical. Management data is essential. also decides, based on available data, that it is highly likely the company will lose the data if it’s As a first step, then, companies must be aware on a laptop. of the important information that is available through laptops. Not all information needs the Armed with that information, management same level of security. Appendix B shows a clas- must determine whether the information either sification scheme for company information that does or should reside on a laptop. If the data is executives can use to determine adequate levels of available on a laptop, management must allocate data protection. Similar approaches can be found the appropriate levels of security to that unit. by searching the Internet under “classification of data.” Once managers have classified the types of

An ASIS International Foundation Research Council CRISP Report Measuring the Cost

or years, many international groups have The following studies report the costs of data studied the costs associated with laptop losses only: theft and data loss. In 2004, for example, FSafeware Insurance found that all laptop thefts 1. According to the 2003 Brigadoon Software in that year caused an estimated $720 million (BSI) Computer Theft Survey, proprietary data in hardware losses, but $5.4 billion in the loss of losses averaged $690,760 per incident. The proprietary information. survey involved 676 participants from around the world. Many studies focused on just one aspect of the monetary loss to businesses. Consider the follow- 2. In 2006, the Ponemon Institute estimated data ing statistics that deal specifically with the cost of breach losses at $4.8 million per incident. In laptop thefts: 35% of those incidents, a “lost laptop or other device” was listed as the breach source. 1. Authors Whitehead and Grey calculated that the cost of laptop theft between 1996 and 1997 Calculating the costs associated with lap- was £2,616 ($5,021) per incident. top and data losses includes many factors. A major issue is lost productivity, since the affected 2. In 2000, researchers in the United Kingdom employees can be prevented from perform- found the cost per laptop theft exceeded ing their normal duties for weeks. Other factors £60,000 ($115,158). include replacing or repairing damaged property, purchasing new hardware, and recreating data. 3. New Zealand researchers reported in 2005 that the average laptop loss cost $14,000. Lost productivity Productivity is the first victim of a stolen 4. A 2007 annual survey conducted jointly by laptop. Should an employee lose his or her laptop, the Computer Security Institute and the FBI that employee’s ability to work is compromised, found laptop losses averaged $345,000 per often for days. At one company, for example, eight incident. laptops used by key employees were stolen, including those in the firm’s finance and engineering 5. According to a 2008 article in Infoworld, the departments. It took three days for replacement cost of stolen laptops to businesses ranges units and back-up data discs to be found before from $700,000 to $1 million annually. the business could resume operations.

Lost Laptops = Lost Data Credent Technologies found that, in 50% of Replacing laptops the organizations participating in a 2005 survey, According to the BOMA study, of the roughly employees who had lost laptops were unproduc- 4,700 laptops stolen from downtown Calgary, tive for two weeks before they were able to resume Canada, from 2005 through 2007, fewer than 20 regular activities. were actually recovered. Productivity can also be compromised if In most cases, stolen laptops must be replaced. employees feel insecure in the workplace. After The complexity and unique qualities of the laptops were stolen in one large organization, machine, as well as specialized software for unique employees altered their work patterns for several applications, must be considered when searching weeks, fearing that they might encounter another for replacements. These factors further delay the theft in progress. To alleviate employees’ concerns, return to normalcy and add to costs. additional security personnel were hired. Even more unbudgeted costs were added to the Recreating data recovery effort. Depending on a company’s data back-up prac- Damaged property tices and its use of a central server for data storage, data may be replaced in a few minutes—or be lost In their attempts to gain access to laptops, forever. In developing adequate data replacement thieves may kick in walls, destroy doors, peel door and recreation strategies, company executives frames, attack locking hardware, snap astragals must resolve many questions, such as what proce- and latch guards, remove ceiling tiles, and smash dures must be developed to ensure that important windows. Repairing or replacing these items costs data is secured, as well as how quickly it can be money and time. replaced or retrieved, and at what cost.

An ASIS International Foundation Research Council CRISP Report Added Costs of a Data Breach

hould a company lose data that includes After the laptop was recovered and investiga- personal information on customers, the cost tors determined that it was highly unlikely that the of that breach escalates. Additional costs data had been accessed illegally, the department Smay include notifying customers, monitoring rescinded its offer. But the potential for incurring credit, paying fines and penalties, and accumulat- a similar cost is a scenario every company ing legal and investigative fees. must consider.

Two other important factors are the potential Liability loss of customer loyalty and the prospect of a dip in the value of the company’s stock. Should investigators, legislators, or lawyers determine that a laptop theft and resulting data Customer notifications loss is a result of an organization’s insufficient security practices, that organization may find itself Laws in many jurisdictions mandate that liable for fines and penalties levied by government companies notify customers when personal data is agencies or the courts. In the VA case, at least compromised. Companies, therefore, immediately three class action lawsuits were launched in 2006. incur the cost of preparing and disseminating let- ters and e-mails, adding notifications to web sites In addition to the potential for huge payments and media campaigns, and monitoring call center to victims, the company incurs the cost of launch- inquiries. Costs escalate quickly when thousands ing a defense. Investigating the extent of lost data and even millions of customers are affected. may include examining forensics, interviewing and interrogating potential perpetrators, and Credit monitoring preparing briefs for law enforcement. Employees from the specific business unit that incurred the After a laptop from the U. S. Department of data loss will certainly invest time, taking them Veterans Affairs (VA) was found to be missing, away from their regular duties. But a variety of potentially affecting 26.5 million constituents, the departments may become involved as well, includ- department pledged to monitor the credit rating ing legal, public relations, IT, and security, which of victims for one year. The VA estimated the cost will affect overall business operations. of the monitoring could exceed $160 million.

Lost Laptops = Lost Data reputation, corporate brand, and customer reten- The potential for employees to be injured dur- tion. When notified of a breach, almost 20% of ing the commission of a laptop theft cannot be customers terminated their relationship with the ignored. In an interview with a known laptop thief company. Another 40% considered termination. in Calgary, the thief revealed that employees had unknowingly confronted him during the actual Competitors can easily use any lost data inci- crime in numerous cases. Since laptop thieves dent to their advantage. Just underscoring the lack often carry tools to assist them in gaining entry of security that lead to the breach may be enough to a premises or vehicle, employees who encoun- to drive customers to their doors. If competitors ter a thief can quickly become victims. The legal are the recipients of the purloined information, consequences of such actions can be severe if they can adjust their own timelines and market- the injured worker levies charges of “inadequate ing strategies to gain an unfair advantage in the workplace security”. marketplace.

Lost business Shareholder value

When customers learn of a data breach, their If the theft and subsequent data breach is sig- faith in the company incurring the loss can be nificant, an organization may suffer a reduction in shaken. They may shift their business to competi- shareholder value. Recouping lost market share or tors. According to the 2007 Ponemon survey, data stock value can take years, and can permanently breaches exposing customer data can cost a com- damage a company’s relationship with creditors, pany $128 in lost business, per victim. In a similar suppliers, unions, and partners. Ponemon study conducted in 2005, researchers found data breaches seriously affected corporate

10 An ASIS International Foundation Research Council CRISP Report Internal Factors Contributing to Stolen Laptops and Lost Data

hy are laptops easy targets for gaining organizations are implementing protective mea- access to data? The answer involves sures for laptops because they have been forced to a combination of misperceptions on do so by law. Wthe part of the company and the users of the laptops. Some companies simply fail to maintain an Inadequate security adequate inventory of their laptops, while others When finally caught, one Calgary laptop thief completely refuse to invest in appropriate security responsible for hundreds of thefts over several policies and procedures. years admitted to the arresting officers, “compa- Users often fail to understand the value—not nies made it too easy for these types of crimes to only of the units themselves—but also of the be committed, because of the lack of appropriate information they contain. Consequently, they can security measures.” Even when adequate security resist applying appropriate security policies and measures are in place, they are often ignored for procedures when they are enacted. two reasons: the security staff is not available, not credible, or unable to sell the value of protective Accountability strategies; or employees are uninterested or have been poorly trained. A 2004 survey by Ernst & Young found that few organizations and individuals feel they should Perception be held accountable for failing to protect laptops and data. In many organizations, when a laptop The relatively low price of laptops can suggest is stolen, the affected employee simply acquires that they do not merit protection. Even though another from inventory. Even some security prac- many organizations spend thousands of dollars titioners hesitate to emphasize laptop theft. One on individual laptops, they are often viewed as a corporate security professional admitted that he minor part of a departmental or organizational had more global issues to confront than the theft budget. Organizations that embrace this think- of a laptop. ing fail to understand the true cost of a laptop, or the value of the data residing on it. Even privacy Current privacy and data breach laws promote legislation assigns a value to data by assessing fines enforced accountability. Organizations now must for losing it. take more responsibility to protect laptops and data, or face legal consequences. Simply put, many

Lost Laptops = Lost Data 11 External Factors Contributing to Stolen Laptops and Lost Data

ven a well-designed security program using cell phones and radios. One offender must be tweaked constantly to keep ahead indicated that he would conduct research on the of external factors that are determined to latest equipment and develop “want lists” before Euncover its weaknesses. The market for a compa- orchestrating a hit. ny’s proprietary information and personal data Organizations are vulnerable to laptop thefts on customers and clients is lucrative. Determined from both outsiders and employees. Research is thieves are more than willing to take the risks to contradictory about which poses a greater threat. reap the rewards. But there is no doubt that those inside organiza- Once thieves have been successful at one prop- tions are also stealing laptops. Authors Clarke erty, research shows that they are likely to return. and Eck posit that laptops are “CRAVED” by thieves. The acronym explains why. Determined thieves • Concealable: Because they are small, lap- According to the 2003 BSI Computer Theft tops are easy to hide beneath a jacket, layer Survey, 99% of survey respondents who experi- between other items, place in a backpack, or put in a gym bag. enced computer theft reported that the thief was never caught. Some thieves are simply opportu- • Removable: The portability of the device is nistic and take advantage of situations to steal partially what makes the laptop desirable to both companies and individuals. laptops. In interviews conducted for the 2007 BOMA survey, one thief admitted that he made • Available: Many individuals and companies between $500 and $600 per unit, and had stolen use laptops extensively. As a result, considerable numbers are available to be stolen. as many as fifteen laptops at a time. At the other end of the spectrum, thieves admitted they sold • Valuable: Many people are willing to pay laptops for as little as $40 of crack cocaine. large enough sums of money for stolen laptops. Thieves tapping into this lucrative Thieves intent on stealing laptops will put market are willing to go to extremes to sat- tremendous effort into overcoming significant isfy the demand. security measures. They will conduct security • Enjoyable: As computers become more assessments to look for weak entry points. They essential for both business and pleasure, the will bring props, such as maintenance, janitorial, demand continues to grow. or security uniforms, so they appear to fit in. They • Disposable: An illegal market is readily will make phony identification badges, develop available, allowing thieves to dispose of cover stories, and communicate with partners laptops easily.

12 An ASIS International Foundation Research Council CRISP Report Managing the Threat

Repeat victimization s identified in Appendix D, a laptop thief must take seven specific actions to be Experienced thieves realize that companies successful. They include identifying likely usually replace stolen laptops with new equip- Atargets through pre-theft surveillance, defeating ment, so they come back. They may even return to all security measures to gain items, leaving suc- steal what they missed the first time. cessfully with the items, and converting items to The Calgary Public Safety Committee survey something of usable value. Appendix E identifies found that when a laptop theft had occurred, situational prevention techniques that can be used almost all commercial properties were victim- to counter the seven steps: increasing the effort ized a second time (93%). Nearly two-thirds of and risk, reducing the rewards and incentives, and the companies reported a second loss (60%). implementing impediments. Whitehead and Grey found that 25% of commer- Ultimately, preventing laptop thefts and the cial properties were victimized again within 30 resulting data loss requires a permanent solution. days. According to the 2003 BSI Computer Theft Countering the threat requires company manage- Survey, 57% of respondents reported multiple ment to commit to a course of action prescribed incidents of theft in a twelve-month period. by basic security principles. These principles are Farrell and Pease identified two general used by corporations of all types, in all corners of themes in their study of repeat victimization: the world, to prevent and deter myriad risks to a crime prevention measures need to be imple- company’s well-being. Bringing these same prin- mented quickly once a company is victimized; ciples to bear on this specific crime can reduce the and temporary prevention measures are an threat from both internal and external sources. effective and efficient means of preventing -fur Implementing these principles requires ther crime during the high-risk period after a review of the many resources and options victimization. available, including: physical, electronic, and procedural security enhancements; legislation; and product design. In conjunction with law enforcement, preven- tive measures should also disrupt the market for the stolen goods.

Lost Laptops = Lost Data 13 Legislative recourse In Europe, no comprehensive laws exist that force organizations to inform individuals of data The loss of a laptop with confidential informa- breaches. However, as of December 2007, the tion is a privacy violation, which in turn can lead European Commission suggested implement- to civil liability. Many jurisdictions require busi- ing laws to force telecommunication providers to nesses to report data breaches. As of December inform consumers of data breaches. 2007, thirty-seven U. S. states have passed data breach legislation. In California, for example, the Physical, electronic, and procedural 2003 Security Breach Information Act states: security enhancements

“Any person or business that conducts busi- A comprehensive and converged physical, ness in California, and that owns or licenses procedural, and information security program is computerized data that includes personal infor- essential for every organization, regardless of size, mation, shall disclose any breach of the security of industry, or ownership. And part of that program the system following discovery or notification of must address laptop security and the related loss the breach in the security of the data to any resi- of potentially sensitive data. Implementing the dent of California whose unencrypted personal appropriate security measures requires money, information was, or is reasonably believed to have time, and effort. Companies must be committed been, acquired by an unauthorized person.” to supplying all three. Management must realize In a recent article in Canadian Security, Neil that a lack of funding is a serious impediment to a Sutton noted that a Canadian parliamentary com- comprehensive protection program. mittee recommended that “the law be updated Many companies have implemented successful to include a new requirement for corporations to strategies. But research shows that companies that notify individuals of security breaches that poten- have failed to do so lack a comprehensive, lay- tially compromised their personal information.” ered approach to security that takes into account He added that the chance for passage was positive, physical, electronic, and procedural measures. since “the Canadian federal government recently Also, these measures must be embraced by all said it plans to act on this recommendation.” employees, including laptop users, management, However, as late as April 2008, the government and security professionals from both physical and appeared to be considering letting businesses electronic disciplines. themselves determine if disclosure is required in cases of “high risk of significant harm.”

14 An ASIS International Foundation Research Council CRISP Report The range of costs associated with these tions—and be ignored. Employees inevitably find measures, including installation, maintenance, ways to work around security measures deemed and employee education, must be considered to be onerous, which can make devices, including as well. When a loss occurs, organizations must laptops, more susceptible to theft. acknowledge that existing security measures are Product design is one method under investiga- inadequate and must be willing to implement tion to counter theft. Two approaches have been additional security safeguards. put forward: one prevents offenses from occurring Appendices F, G, and H are detailed lists of in the first place; the second facilitates an effective the physical, procedural, and electronic security response. measures that can be considered. Clarke and Newman advocate a voluntary Product design code for manufacturers of electronic products, including laptops, whereby security features that The high volume of laptop thefts occurring meet an established standard are built directly into around the world can lead to the conclusion that the product. For example, a Home Office study existing security measures do not deter thieves. identified factory-installed radio frequency identi- Because thieves can come from both inside and fication (RFID) tags as a promising way to reduce outside an organization, measures that may stop laptop theft. one type of thief may be ineffective for another. New response techniques include installing a While many laptop theft prevention products, software program on a laptop that can be con- whether physical, procedural, or electronic, are nected to the Internet should that unit be stolen. effective when used appropriately, not all per- The software dials a monitoring station with form well in specific situations. Also, procedural information on the IP address the perpetrators security measures require discipline, auditing, are using on the stolen machine. Another type of and commitment on the part of users. If not well software program allows the data on the laptop to thought out, they may interfere with daily opera- be destroyed remotely.

Lost Laptops = Lost Data 15 Recommended Responses

Disrupting the markets for stolen goods he response to laptop losses from both public and private sectors is varied and Targeting the markets for stolen goods is one piecemeal. Case studies, interviews, potential response to the easy way thieves can Tliterature reviews, and media searches reveal dispose of laptops. In an interview, one laptop considerable inconsistencies. Unfortunately, the offender identified his key market for stolen response by the owner of a stolen laptop may laptops as employees who work in commercial depend upon whether the media reports the high-rises. A considerable amount of work by law incident, and whether any data of significant enforcement agencies would be required to reduce corporate value needs to be recovered. demand. Notable research on ways to disrupt theft markets is occurring in the United Kingdom. Quite often, organizations respond by simply replacing the laptop and continuing as if nothing had happened. In other cases, response will involve a full investigation and implementation of a range of physical, electronic, and procedural security enhancements. Legislation on data breaches that require organizations to notify victims when personal information is compromised definitely drives corporate responses.

Setting goals

Two distinct yet overlapping issues require attention from security professionals. First, the laptop itself must be protected. And second, the information on the laptop must be secured. To achieve both, the process of developing physical, procedural, and electronic strategies should meet the following two goals:

16 An ASIS International Foundation Research Council CRISP Report 1. Multiple security layers should be imple- they are being used in the organization, how many mented to prevent unauthorized users from are in the inventory, who is using them, for what gaining access to laptops at the office, on the purpose, and what type of data is residing on each road, and at home. one. 2. A combination of prevention methodologies Step 2: Determine whether specific employ- should be adopted to increase the likelihood ees need a laptop to do their jobs. If a laptop is that unauthorized users are denied access to not required, it should be replaced with a desk- the data on a stolen laptop. top unit. If the laptop is an essential part of the employee’s work, the next steps should be pursued. Seven steps to prevent loss Step 3: Classify data on the laptop according These two goals can be achieved by adopting to organizational guidelines. The classification the situational prevention techniques shown in scheme should be specific to the organization Appendix E. They can be implemented by adopt- and its culture. A number of classification models ing the following seven steps: are available. The one selected should be clearly Step 1: Conduct an audit to determine where understood, implemented, and followed by all laptops are used within the organization (see employees. The example of Sample Identification Appendix A). This audit determines specific infor- and Classification of Data Levels in Appendix B mation about a company’s laptops, such as where can help categorize the relative value of “Public Documents,” “Proprietary Information,” or “Highly Confidential Information.” The latter group includes human resources, financial,

Two distinct yet overlapping issues require attention from security professionals. First, the laptop itself must be protected. And second, the information on the laptop must be secured.

Lost Laptops = Lost Data 17 security, and organizational plans and strate- Protective strategies start with security aware- gies, as well as test results, assessments, surveys, ness programs; employees must understand their or other information the organization has spent obligation to use the security measures required money collecting or developing. to protect laptops and data. Employees should be required to indicate, in writing, that they under- Step 4: Determine if data residing on each lap- stand the established laptop and data protection top is necessary for employees to complete their guidelines (see Appendix I). Department man- jobs. If not, the data should be removed. If the agers and senior managers should show their data is necessary, the next step should be pursued. support for the policy by signing similar forms. Step 5: Conduct a risk assessment to deter- Both facility and IT security personnel have spe- mine possible theft scenarios for the data stored, cial responsibilities for implementing the policy, processed, or transmitted by laptop. Devise appro- and should indicate their willingness to assist on priate security measures to protect both the data the appropriate forms. and the laptop. The assessment puts the required Step 7: Create a loss response team to monitor physical, procedural, and electronic security laptops and data. Should a loss occur, the affected measures into perspective, as well as the necessary employees should be required to report the loss in security awareness training. Obviously, the higher writing (see Appendix J.) The team then responds the classification of the data, the more security to the report by investigating the losses and deter- measures should be in place. A number of risk mining the scope of the data breach. In addition, assessment methodologies are available, such as the team should be regularly educating users, the one shown in Appendix C. In addition, ASIS conducting audits to ensure compliance, annually International has published a General Security Risk assessing data needs, and destroying or removing Assessment Guideline, available to download for data when it is no longer required. This process free at www.asisonline.org. is cyclical, since new laptops and data enter and Step 6: Implement the required protection leave the organization on a regular basis. strategies. Appropriate physical, procedural, and electronic strategies are shown in Appendices F, G and H. These detailed lists provide templates for implementing a comprehensive security program.

18 An ASIS International Foundation Research Council CRISP Report Need for Research

iterature that specifically addresses pro- In reality, however, losses continue. tective measures for laptops and data can Identifying appropriate physical, electronic, be elusive, because it is spread out within and procedural security measures to protect Ldiverse organizations and documents. As a result, laptops and data is a never-ending process. Some many companies lack the proper understand- research has determined that multiple layers of ing—or even the desire—to implement effective security are effective in deterring thieves. Which security measures for laptops and data. These measures are most effective in specific situations, same organizations may also lack dedicated physi- and which strategies are most cost effective, has cal or IT security professionals who can conduct yet to be discovered. threat and risk assessments. What is known is that protecting laptops The connection between laptop thieves and and their data must be a corporate priority. And the stages of laptop and data protection requires finding adequate solutions calls for continuing constant exploration, study, and assessment. In security research and experimentation. theory, each action a thief must follow to obtain a laptop and use its data (Appendix D) has a corresponding countermeasure, either in the seven steps of loss prevention, or within situational prevention techniques (Appendix E).

Lost Laptops = Lost Data 19 References

Absolute Software. (2008).Endpoint security: Data Best, C., Bolli, S., Cole, L., Ellsworth, D., protection for IT, Freedom for laptop users. Honeoye Kitteringham, G., Parnell, L., Smith, P., & McPhee, Falls, NY: Author. R. (2006). Laptop theft in the commercial high-rise, 2005 survey. Calgary, Canada: Building Owners Adshead, A. (2006, May 9). Private life of data. and Managers Association Calgary Public Safety Computer Weekly, p. 39-40. Committee. Alpha-Omega Group, SA. (2005). New Zealand Best, C., Kitteringham, G. (2006, October). computer crime and security survey. Dunedin, New Preventative maintenance and the nuisance of Zealand: Author. access control systems. Presentation at Security Angelo, J. M. (2006). Protecting campus data. Forum, Alberta, Canada. Portability can have its price. Here’s how IT man- Brandt, A. (2006, June). This stolen laptop will agers deal with stolen laptops. University Business self-destruct in 5 seconds. PC World, (6), 46. 9(9), 75-76. Brigadoon Software. (2003).BSI computer theft ASIS International Guidelines Commission. survey results. Nanuet, NY: Author. (2003). General Security Risk Assessment Guideline. Alexandria, VA: ASIS International. Chipping of Goods Case Study: Laptop Computers. Retrieved February 17, 2007 from http://www. ASIS International Guidelines Commission. (2007). chippingofgoods.org.uk/download/casestudies/ Information Asset Protection Guideline. Alexandria, laptopcomputers.pdf. VA: ASIS International. Clarke, R.V., & Newman, G. R. (2005). Security Australia’s National Computer Emergency coding of electronic products. In R. V. Clarke & Response Team. (2006). 2006 Australian computer G. R. Newman (Eds.), Designing out crime from crime and security survey. Brisbane, Australia: products and systems (pp. 231-265). Monsey, NY: Author. Criminal Justice Press. Background investigations and pre-employ- Clarke, R., & Eck, J. (2003). Crime analysis for ment screening. In Protection of Assets Manual. problem solvers in 60 small steps. In Center for Alexandria, VA: ASIS International. problem orientated policing. Washington, DC: Bass, S. (2005, March). Stay secure at home and on U.S. Department of Justice, Office of Community the road. PC World, 23, 39. Oriented Policing Services.

20 An ASIS International Foundation Research Council CRISP Report Clarke, R. (1999). Hot products: Understanding, Demery, P. (2006, September). Safe driving? Is anticipating and reducing demand for stolen your lap strapped in? Accounting Technology, goods. In Policing & Reducing Crime, Police 22(8), 45-49. research series paper 112. London: Home Office. DLDOS: Data Loss Database – Open Source. Clark, R. (2002). Problem Oriented Guides for Retrieved April 15, 2008, from http://attrition. Police Series (No. 10). Washington, DC: U.S. org/dataloss/dldos.html Department of Justice. Ekblom, P. (1997). Gearing up against crime: A Credant Technologies. (2005). Corporate exposure dynamic framework to help designers keep up survey: Lost & stolen laptop edition. Addison, TX: with the adaptive criminal in a changing world. Author. International Journal of Risk Security and Crime Prevention, 2, 249-265. Computer Security Institute. (2007). The 12th annual computer crime and security survey. San Emigh, J. (2002, December 1). The incredible Francisco: Author. shrinking laptop. Access Control & Security Systems, 44 (12). Cook, J., & Seff, J. (2004, April). Laptop lockdown. Macworld, 21, 72-73. Ernst & Young. (2004). Global Information Security Survey 2004. New York: Author. Cornish, Derek. (1994). The procedural analysis of offending and its relevance for situational preven- European Commission plans security breach tion. Crime Prevention Studies (Vol. 3). New York: notification law.Retrieved April 12, 2008 from Criminal Justice Press. http://www.out-law.com/page-8741 Craighead, G. (2003). High-Rise Security and Farrell, G., and Pease, K. (1993). Once bitten, Fire Life Safety (2nd ed.). Boston: Elsevier twice bitten: Repeat victimization and its impli- Butterworth-Heinemann. cations for crime prevention. In Police Research Group: Crime Prevention Unit Series Paper 46. Davis, Tom, & Waxman, Henry. (2006, London: Home Office. October 13). Staff report: Agency data breaches since January 1, 2003. Washington, DC: Fay, J. (1993). Encyclopedia of Security Committee on Government Reform. Management (2nd ed.). Boston: Elsevier Butterworth-Heinemann.

Lost Laptops = Lost Data 21 Federal Trade Commission. (2008). Agency George, N. (2004). Cyber traps: An overview of Announces Settlement. Retrieved March 29, 2008 crime, misconduct and security risks in the cyber from http://www.ftc.gov/opa/2008/03/datasec. environment. In Building Capacity Series, shtm No. 3. Brisbane, Australia: Crime and Misconduct Commission. Fennelly, L. (Ed.). (2004). Effective Physical Security (2nd ed.). Boston: Elsevier Glass, B., & Gottesman, B. Z. (2003, August). Lock Butterworth-Heinemann. down your computer. PC Magazine, 72. Fennelly, L. (Ed.). (2004). Handbook of Loss Guard Force Operations. In Protection of Prevention and Crime Prevention (4th ed.). Boston: Assets Manual: Part 1. Alexandria, VA: ASIS Elsevier Butterworth-Heinemann. International. Finney, A. & Wilson, D. (2005.) Handling stolen Headley, A., Best, C., Ellsworth, D., Kitteringham, goods: Findings from the 2002/2003 British crime G., Cole, L., Parnell, et al. (2007). Laptop theft survey and the 2003 offending, crime and jus- in commercial buildings, 2006 Survey. Calgary, tice survey. In Home Office Online Report 38/05. Canada: Building Owners and Managers London: Home Office. Association, Calgary Public Safety Committee.

Fischer, R., and Green, G. Introduction Headley, A., Best, C., Ellsworth, D., Kitteringham, to Security (7th ed.). Boston: Elsevier G., Cole, L., Parnell, et al. (2008). Laptop theft Butterworth- Heinemann. in commercial buildings, 2007 Survey. Calgary, Canada: Building Owners and Managers Fixing broken windows. Retrieved Association Calgary Public Safety Committee. February 15, 2008, from http://en.wikipedia. org/wiki/Fixing_Broken_Windows Hesseldahl, A. (2006, October 30). Securing your laptop against theft.BusinessWeek Online. Frank, K. & Charron, D. (2002, January). Retrieved February 15, 2008 from http://www. Protecting information on laptops, PDAs and cell businessweek.com phones. Strategic Finance Magazine, 83(7), 24-29. Hines, M. (2006, August 7). Preparation eases pain Garcia, M.L. (2006). Vulnerability assessment of stolen laptops. eWeek, 23(31), 25, 27. of physical protection systems. Boston: Elsevier Butterworth-Heinemann. Home Office. (2000).Chipping of goods cases study: Laptop computers. London: Author.

22 An ASIS International Foundation Research Council CRISP Report The Information Security Glossary. Retrieved on Knoke, M., (2008). Protection of Assets Manual April 14, 2007 from http://www.yourwindow. (Vols. 1-4). Alexandria, VA: ASIS International. to/information-security/gl_dataclassification.htm Kovacich, G., & Halibozek, E. (2003). The Felson, M., & Clarke, R. V. (1998). Opportunity Manager’s Handbook for Corporate Security. makes the thief: Practical theory for crime preven- Boston: Elsevier Butterworth-Heinemann. tion. In Police Research Series, Paper 98. London: Levits, J., & Hechinger, J. (2006, March 24). Home Office. Laptops prove weakest link in data security. The The High Cost of Laptop Theft. Retrieved Wall Street Journal, p. B1, B2. April 13-14, 2008, from http://www.absolute.com/ Laptop Security Guidelines. Retrieved May 6, 2007, solutions-theft-recovery.asp from http://labmice.techtarget.com/articles/lap- How DataDot Protects and Identifies Personal topsecurity.htm Consumer Items. Retrieved May 11, 2008, from Louwers, T. J., VanDenburgh, W. M. (2003, http://www.datadotcanada.ca/video.php March). Data confidentiality in an electronic envi- James, Andrea. (2007, February 14) Biggest threat ronment. The CPA Journal, 24-27. to corporate information: Ignorance. Retrieved McQueen, M. P. (2006, June 28). Laptop March 29, 2008, from http://seattlepi.nwsource. lockdown—Companies start holding employees com/business/303569_security14.html responsible for security of portable devices they Kiernan, V. (2006). Locking up the laptops. use for work. The Wall Street Journal, pp. D1, D3. Chronicle of Higher Education, 52(48), 35. Latest Now RFID tags to track your laptops. Retrieved information on Veterans Affairs data security. May 7, 2007, from http://www.ciol.com/content/ Retrieved April 13, 2008, from http://www.usa. enterprise/204/104102902.asp gov/veteransinfo.shtml#credit Patterson, D., (2005). Implementing Physical Kitteringham, G. (2006, September 26). Laptop Protection Systems: A Practical Guide. Alexandria, Theft in the Commercial High-Rise. Presentation at VA: ASIS International. the meeting of ASIS International, San Diego, CA. Piazza, P. (2001, October). Securing laptop data Kitteringham, G. (2006). Security and Life Safety against losses. Security Management, 45, 37. in the Commercial High-Rise. Alexandria, VA: ASIS International.

Lost Laptops = Lost Data 23 Ponemon Institute. (2005). Lost customer informa- Sutton, M., Johnston, K., & Lockwood, H. (1998). tion: What does a data breach cost companies? Elk Handling stolen goods and theft: A market reduc- Rapids, MI: Author. tion approach. In Home Office Research Study (No. 69). London: Home Office. Ponemon Institute. (2006). 2006 annual study: U.S. cost of a data breach. Elk Rapids, MI: Author. Sutton, N. (2008, March). Data breach law doesn’t go far enough. Canadian Security, 30(2), 35. Ponemon Institute. (2006). U.S. Survey: Confidential data at risk. Elk Rapids, MI: Author. Taylor, C. (2003, February 3). Stop! Laptop thief! Time, 16(5), 71. Ponemon Institute. (2007). 2007 annual study: U.S. cost of a data breach. Elk Rapids, MI: Author. Ten Steps to a Layered Approach to Laptop Security. Retrieved October 17, 2007, from http://absolute. Research Concepts (2007). The State of Computer com/resources/laptop-security-tips.asp & Data Security in Corporations. Berlin, MA: Author. Theft and Fraud Prevention.In Protection of Assets Manual, Chapter 11. Alexandria, VA: ASIS Roberts, B. (2006, October). Risky business: International. Protect employee data from the security risks posed by the use of laptops and mobile devices. Viollis, P., Braunzell, S., Labardee, L., VandePol, B., HR Magazine, 51, 69-73. Kuh, D., & Davies, R. (Eds.). Workplace Security Handbook. Alexandria, VA: Jane’s Information Ryder, J. (2001, July 30). Laptop security, part one: Group. Preventing laptop theft. Retrieved February 12, 2007 from www.securityfocus.com/infocus/1186 What is laptop insurance? Retrieved December 17, 2007, from http://www.wisegeek.com/what-is-lap- Ryder, J. (2001, August 13). Laptop security, part top-insurance.htm two: Protecting information on a stolen laptop. Retrieved February 12, 2007, from www.security- Whitehead, P., & Grey, P. (1998). Pulling the plug focus.com/infocus/1187 on computer theft. InPolice Research Group: Series Paper 101. London: Home Office. Scott, M. (2002). Problem Oriented Guides for Police Series (No. 13). Washington, DC: U.S. WilonWood, L. (2006). Mobile defense forces. Department of Justice. Computerworld, 40(37), 32-33. Security and Criminal Law. In Protection of Assets Manual. Alexandria, VA: ASIS International.

24 An ASIS International Foundation Research Council CRISP Report Bibliography

Alpert, M. (2004). Security at your fingertips. Clarke, R.V., & Newman, G. R. (2005). Security Scientific American, 290(6), 108-110. coding of electronic products. In R. V. Clarke & G. R. Newman (Eds.), Designing out crime from ASIS International Guidelines Commission. products and systems (pp. 231-265). Monsey, NY: (2004). General Security Risk Assessment Criminal Justice Press. Guideline. Alexandria, VA: ASIS International. Clarke, R.V. & Newman G.R., (2005). Security Australia’s National Computer Emergency coding of electronic products. Crime Prevention Response Team. (2006). 2006 Australian computer Studies Vol. 18. Criminal Justice Press: Monsey, crime and security survey. Brisbane, Australia: New York. Author. Clarke, Ronald V. & Eck, John E. (2003). Crime Bennett, B. (2006, June 4). Just make it go away. analysis for problem solvers in 60 small steps. Time, 167, 17. Center for Problem Oriented Policing: Office of Bowen, P., Hash, J., & Wilson, M. (2006). Community Oriented Policing Services, U.S. Information security handbook: a guide for man- Department of Justice. agers. Gaithersburg, MD: National Institute Clarke, Ronald V. (1999). Hot Products: under- of Standards and Technology, Information standing, anticipating and reducing demand for Technology Laboratory, Computer Security stolen goods. Policing & Reducing Crime Police Division. Research Series Paper 112. Home Office, London, Brandt, A. (2006, June). This stolen laptop will England. self-destruct in 5 seconds. PC World, 24, 46. Clarke, Ronald V. (Ed.) (1997). Situational crime Brigadoon Software (2003).2003 BSI computer prevention: Successful case studies, (2nd ed.). theft survey results. Nanuet, NY: Author. Guilderland, New York: Harrow and Heston. Bumgarner, J. N. (2001, June). Hashing out Conkey, C. (2006, June 23). PTC reports laptop encryption solutions. Security Management 45, is stolen in the latest U.S. data breach. The Wall 66-71. Street Journal, p. B2. Caveo Technology (2001). Laptop computer secu- Credant Technologies (2005). Corporate exposure rity white paper. Cambridge, MA: Author. survey: Lost & stolen laptop edition. Addison, TX: Author.

Lost Laptops = Lost Data 25 Del’re, D. (2006, November 27). Studies find Farrell, G., and Pease, K. (1993). Once bitten, companies failing to secure data on laptops, PDAs; twice bitten: Repeat victimization and its impli- Many lack any policy; More portable devices cations for crime prevention. Police Research being used to carry key corporate information. Group: Crime Prevention Unit Series, Paper No. 46. Investor’s Business Daily, p. A4. London, England: Home Office. Demos, T. (2007, January). The biggest lost-laptop Felson, M., & Clarke, R. V. (1998). Opportunity incidents of 2006. Fortune, 155, 36. makes the thief: Practical theory for crime prevention. Police Research Series, Paper 98. London: Design Council (2003). Think thief: A designer’s Home Office. guide to designing out crime. London: Author. Fenton, J. (2001, March). Security at your finger- Dewberry, E. (2003). Designing out crime: tips—New notebooks offer biometric protection. Insights from ecodesign. Security Journal, 16(1), PC World, 19, 60. 39-49. Frank, K., & Charron, D. (2002, July). Protecting Dunn, R. (2003). Mitigating laptop theft.Security: information on laptops, PDAs, and cell phones. For Buyers of Products, Systems & Services. 40(10), Strategic Finance Magazine, 83, 24-29. 38-39. Friedberg, E., & McGowan, M. (2006). Lost back- Dvorak, P. (2006, June 22). Spike in laptop thefts up tapes, stolen laptops, and other tales of data stirs jitters over data. The Washington Post, p. B1. breach woe. Computer & Internet Lawyer, 23(10), Ecker, K. (2006, June). Hot hardware: Rise of 6-10. corporate laptop thefts creates need for increased Garcia, M.L. (2001). The design and evaluation security. InsideCounsel, 16, 40-42. of physical protection systems. Boston: Elsevier Ekblom, P. (1997). Gearing up against crime: A Butterworth-Heinemann. dynamic framework to help designers keep up Garcia, M.L. (2006). Vulnerability assessment with the adaptive criminal in a changing world. of physical protection systems. Boston: Elsevier International Journal of Risk Security and Crime Butterworth-Heinemann. Prevention, 2, 249-265. George, N., & Gordon, P. (2005). Information Erol, R., Press, M., & Cooper, R. (2002). security: Keeping sensitive information confi- Designing-out crime: Raising awareness of crime dential. Building Capacity Series, No. 7. Brisbane, reduction in the design industry. Security Journal, Australia: Crime and Misconduct Commission. 15(1), 49-61.

26 An ASIS International Foundation Research Council CRISP Report Glass, B., & Gottesman, B. Z. (2003, August). Lock Kandra, A. (2004, August). Keep your hands on down your computer. PC Magazine, 22, 72. your handhelds. PC World, 22, 49-51. Gordon, L. A., Loeb, M. P., Lucyshyn, W., & Learmount, S., Anderson, J., & Haake, S. (2000). Richardson, R. (2006). Eleventh annual CSI/FBI Design against crime. Cambridge, UK: The Judge computer crime and security survey. San Francisco: Institute of Management Studies, University of Computer Security Institute. Cambridge. Gottesman, B. Z. (2006, May). Lock it down. PC Lester, A. (2001). Crime reduction through Magazine, 25, 85. product design. Trends and Issues in Crime and Criminal Justice, No. 206. Canberra: Australia. Greenemeier, L. (2006, December 4). Tomorrow’s Australian Institute of Criminology. security today—Security systems of the future must be smarter, faster, and, above all, proactive. Louwers, T. J., VanDenburgh, W. M. (2003). Data Information Week, 45, 1117. confidentiality in an electronic environment.The CPA Journal, 73(3), 24-27. Harrington, V., & Mayhew, P. (2001). Mobile phone theft.Home Office Research Study 235. McQuate, C. (2002, December). Penning effective London: Home Office. policies. Security Management, 46, 107-111. Headley, A., Best, C., Ellsworth, D., Kitteringham, Mitchell, R. L. (2005). Lost laptops sink data. G., Cole, L., Parnell, L., Smith, P., Bolli, S., and Computerworld, 39(29), 24. McPhee, R. (2007). Laptop theft in commercial Patterson, D.G. (2005). Implementing physical pro- buildings, 2006 survey. Calgary: Canada: Building tection systems: A practical guide. Boston: Elsevier Owners and Managers Association Calgary Public Butterworth-Heinemann. Safety Committee. PGP Research Report (2005). Lost customer infor- Hayes, F. (2006). Hey, Problem-solver. mation: What does a data breach cost companies? Computerworld, 40(36), 50. Menlo Park: CA: PGP Corporation. Hines, M. (2006). Preparation eases pain of stolen Phifer, L. (2004, December). Portable security: laptops. eWeek, 23(31), 25, 27. Safeguarding PDAs and smartphones. Business Hines, M. (2006). Experts: Response speed is key. Communications Review, 34, 19-23. eWeek, 23(31), 25, 27.

Lost Laptops = Lost Data 27 Phifer, L. (2003, September). Securing wire- Quinn, K. J. S. (2006). 2005 New Zealand computer less access to mobile applications. Business crime and security survey. Dunedin, New Zealand: Communications Review, 33, 47. Alpha-Omega Group, South Australia. Piazza, P. (2006, January). Arming the road war- Radding, A. (2007, February). Protecting Laptop rior. Security Management, 50, 78-85. Data. Storage Magazine. 7(1). Piscitello, D. M., & Phifer, L. (2002, December). Rapoza, J. (2006, November 6). Laptop losses Best practices for securing enterprise networks. loom. eWeek, 24, 50. Business Communications Review, 32, 32-37. Roberts, (2006, October). Risky Business: Ponemon Institute. (2005). Lost customer infor- Protecting Employee Data. HR Magazine. 51(10) mation: What does a data breach cost companies? 68-73. Traverse City, MI: Author. Sisk, M. (2006, October). Protecting laptops is Ponemon Institute. (2005). National survey on now affordable, easy.U.S. Banker, 116, 20-21. data security breach notification. Traverse City, Spangler, T. (2006, July). Don’t spring a data leak. MI: Author. Baseline, 61, 15-18. PR Newswire (2005, June 27). Absolute Software Stasiak, K. (2008, April). Avoiding mistakes. and LoJack Corporation announce branding part- Security, 45, 88-89. nership to introduce LoJack for Laptops. Retrieved February 5, 2007 from http://www.prnewswire. Stroud, J. (2006, February 7). What’s on your lap- com top? And if someone stole it, would it damage the company you work for? St. Louis Post Dispatch, PR Newswire (2006, October 23). Ponemon report p. A1. shows sharp rise in the cost of data breaches; Sponsored by PGP Corporation and Vontu, study Vijavan, J. (2006). Federal breaches spark security shows 31% increase in financial impact of data review push. Computerworld, 40(25), 12. loss incidents since 2005. Retrieved February 5, Weinberg, S. (2006). Software helps find stolen 2007 from http://www.prnewswire.com computers. The Wall Street Journal—Eastern Premo, R. (2001, March). Laptop locator. Security Edition, p. B3. Management, 45, 24-25. Whitehead, P., & Gray, P. (1998). Pulling the plug on computer theft.Police Research Series, Paper 101. London: Home Office.

28 An ASIS International Foundation Research Council CRISP Report About the Author

Glen W. Kitteringham, CPP, is a security professional, environmental criminologist, and writer with experience in the security industry dating back to 1990. He earned a Master of Science from the University of Leicester, and the Certified Protection Professional (CPP) designa- tion through ASIS International. Kitteringham has conducted research on a variety of security topics, including crime pattern analysis, retail theft, and laptop theft. He has been published in an array of media on security management, physical security, emergency response planning, and guard force operations. ASIS International published his first book,Security and Life Safety in the Commercial High-Rise, in 2006. Kitteringham is a member of the International Foundation for Protection Officers; Building Owners and Managers Association, Calgary; the National Fire Protection Association; and ASIS International.

Lost Laptops = Lost Data 29 Appendix A: Threat and Risk Matrix Model

The following model can help management define The following model, with related questions, can what level of risk they are willing to assume and help management make critical decisions that how various losses would affect ongoing opera- affect not only how the company will react to the tions. As a start, management must confront loss of a laptop and the data it contains but also its worst-case scenario and then sort through how it will establish its ongoing loss prevention alternatives. strategy. Answers that denote a high, medium, or low level of probability and criticality can be charted on the following graph.

Threat and Risk Matrix Model

High

Medium Risk level or probability of occurrence

Low

Low Medium High

Criticality/Impact to organization

30 An ASIS International Foundation Research Council CRISP Report Probability: Measures the level of risk 1. Replacement cost per individual laptop, that a theft will occur. recovery of data (if necessary), repair of physical damage (if required), downtime Low: There is no or little history of the threat of employees, other associated costs are occurring, and it is not considered likely. acceptable. 1. Laptops never leave work areas and are 2. The theft affects few people inside the inaccessible to unauthorized users. organization, and none outside the 2. Multiple levels of security are in place. organization. Medium: There is a moderate history of the threat Medium: Loss of $5,000 to $99,999 occurring, and/or information is available that 1. Vital personal and business informa- would lead management to reasonably believe that tion is lost that, if released to the public there is a 50/50 chance of the event reoccurring. or accessed by others, will have a serious 1. Laptops are only moved occasionally effect on individuals personally and the between home, road, and business. company financially. 2. Some security measures are in place. 2. The loss affects employee morale. High: There is a significant history of the threat High: Loss of $100,000 or more occurring, and/or available information leads 1. Privacy laws are breached. The organiza- management to reasonably believe the threat will tion is found to be negligent, is sued in occur in the foreseeable future. class action suits, and loses market share. 1. Laptops are highly mobile. The public is warned of the potential for 2. No security measures are in place. identity theft. 3. Other company laptops have been stolen. 2. The information lost is irreplaceable. 4. Company has been targeted in the past. 3. The company loses the confidence of the Criticality: Measures the financial impact public, media, and/or shareholders. to the organization. 4. Employees are physically assaulted or worse during the incident. (Note: Dollar values and categories assigned here 5. The loss compromises national security are subjective. One company may see a $5,000 loss and hinders ongoing investigations. as the cost of doing business, while another may 6. Organizational operations will have to be find the same value unacceptable.) suspended while laptops and/or data are Low: Loss of $1,000 to $4,999 replaced.

Lost Laptops = Lost Data 31 Questions to assist in determining Questions to assist in determining criticality of data: probability of a laptop loss: 1. What competitive advantage does this 1. How mobile is the laptop? information provide? 2. What protective security measures are in 2. What is the likelihood that competitors are place? seeking this information? 3. Do security measures consider avail- 3. What is the potential damage to able physical, electronic, and procedural • the organization’s operations? processes? • an individual? 4. Are employees trained in security • to the organization’s reputation or measures? image? 5. Does the company have a security aware- 4. What is the potential for the loss of ness program? • customer, shareholder, or business 6. Are employees and company senior partner confidence? management aware of the ramifications of • trade secret or patent protection? a loss? • ability to be first to market? 7. Is a data recovery team available? • market share? 8. Are other thefts occurring with coworkers? 5. What is the effect on stock value or venture 9. Are other thefts occurring on the capital support? premises? 6. What is the potential privacy violation 10. Is the company a potential target because impact? of the nature of its business? 7. What is the potential financial impact of 11. Has the organization considered that its fines the company may be subjected to? laptops could be stolen simply as laptops, 8. Can the data be easily recreated? regardless of the information on them? 9. What is the potential impact on employees 12. Is the organization aware that it could if data is exposed? suffer a loss in the future, even if one has 10. Does the loss of data compromise any kind not occurred so far? of investigation? 11. Must the data reside on a laptop?

32 An ASIS International Foundation Research Council CRISP Report Appendix B: Laptop Inventory Checklist

Laptop inventory number: ______

Laptop serial number: ______

Description of laptop: ______

Location of laptop: ______

Employee(s) using the laptop: ______

Purpose for which the laptop is being used: ______

______

Type of data residing on the laptop: ______

______

Classification of data type:______

Person conducting inventory: ______

Date: ______

Lost Laptops = Lost Data 33 Appendix C: Data Identification and Classification Levels

Level Classification of Identification/Description document/Data

3 Highly confidential Information that, if made public or even shared around the organization, could seriously impede the organization’s operations. Information considered critical to its ongoing operations and could seriously damage the organization if it were lost or made public.

Examples include accounting information, business plans, sensitive customer information, and medical records. Sensitive internal documents would also be included such as those describing pending mergers and acquisitions; invest- ment strategies; and architectural plans or designs.

Information classified as Highly Confidential has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

2 Proprietary Information that is not approved for general circulation outside the organization. Its loss would inconvenience the organization or management, but disclosure is unlikely to result in financial loss or serious damage to credibility. Information of proprietary nature to be used by authorized personnel only.

Examples include procedures, operational work routines, project plans, and designs and specifications that define the way the organization operates. Security at this level is high.

Other examples include internal memos, minutes of meetings, and internal project reports. Security at this level is controlled but normal.

1 Public documents Information in the public domain that has been approved for public use, such as annual reports and press releases. Security at this level is minimal.

Implementing the 25 techniques of situational prevention described in Appendix E can reduce the chance that a determined thief will gain access to a company’s laptops and data.

34 An ASIS International Foundation Research Council CRISP Report Appendix D: Stages and Steps in Laptop Theft; Recommended Responses

To counter the stages of a laptop theft and implement an appropriate response, companies must institute specific security measures that meet the probability and criticality tests described in Appendix A and protect the proprietary and highly confidential information identified in Appendix C.

Stages in a theft Steps thief follows Company response 1. Preparation Develop access methods to defeat physi- Laptop owners and users must realize cal and procedural security measures. they are targets, and identify the thief’s Options include breaking and entering, tools and methods. Appropriate physical social engineering, and piggybacking on and procedural security countermeasures legitimate access cards. should be implemented. 2. Identify likely targets Conduct pre-theft surveillance to deter- Laptop owners and users must follow mine appropriate targets, test defenses, company security measures, challenge and access the site. This stage may and confront unauthorized users, and deny include observing and testing staff, tak- access to unauthorized users. ing photos, stealing uniforms, unlocking doors for later re-entry, and hiding in closets. 3. Access the target location: Travel to wherever the laptop is located. Harden the target by implementing work, home, road, vehicle, countermeasures. hotel room, person, etc. 4. Defeat all security mea- Defeat all physical and procedural secu- Harden the target by implementing sures to gain item rity defenses. countermeasures. 5. Successfully leave with Elude all remaining countermeasures, Harden the target by implementing item whether deliberate or accidental. countermeasures. 6. Defeat all electronic pro- Hack passwords; replace hard drive; un- Implement high levels of security, such tective measures encrypt programs and drives; find, erase, as password protection, encryption, and and/or remove security programs; make tracking software. laptop fully functional. 7. Convert product to a use- Sell or trade device; access and utilize Vital information must not be stored on lap- able value: drugs, money, data; deny equipment to owner; access tops. Owners and users should conduct an equipment, data/information, and utilize hardware. equipment and data risk profile and ensure revenge that laptops and data are useless if stolen. They should attempt to retrieve data and activate the loss team.

Lost Laptops = Lost Data 35 Appendix E: Reducing the Threat from Determined Laptop Thieves— 25 Situational Prevention Techniques

Increase the Effort • Install electronic turnstiles. 1. Target harden (both premise and laptop • Use security to monitor and control access. itself) • Program elevators to wait in the tower after • hours so thieves cannot jump onto waiting Install astragals and latch guards. elevators. • Install metal doors and frames. • Maintain strict key and access card control. • Harden doors and doorframes. • Install high-quality hardened steel lock devices. 3. Screen exits • Lock doors accessing secure spaces. • Consider installing electronic article surveil- • Lock laptops in secure areas. lance on laptops. • Install laminated glass on windows and doors. • Conduct searches of people exiting. • Use laptop-locking devices regularly. • Permanently lock perimeter doors. • Eliminate access to externally mounted electro- • Conduct audits of access control points and magnetic locks with a cover. CCTV to monitor door activity. • Watch for pre-theft surveillance. • Install local audible door alarms on doors, 4. Deflect offenders rooms, and device. • Conduct background checks on employees and • Keep all doors locked. contractors. • Reinforce doorjamb with screws. • Ensure that, if required, contractors and others • Install deadbolts on doors and screens. are appropriately licensed. • Lock washrooms/closets to deny hiding places. • Never leave laptop alone or unguarded. • Implement full disc encryption. • Stay informed of emerging theft schemes. • Repair any damage from a break-in • Keep laptops inconspicuous by using simple immediately. carrying cases. • Determine if a laptop is appropriate and necessary for employee. Use requirements. 5. Control tools/ weapons • Do not leave bags behind for thieves to carry 2. Control access to facilities laptops away in. • Reduce the number of access points. • Put away laptop paraphernalia such as docking • Install an access control system, including indi- stations, power cords, and cables. vidual floor select in elevators. • Lock tools and keys that can be used to cut • Install burglar alarm. cables or open drawers. • Investigate installation of barriers to all access • If possible, disable audible tones on card readers points. near stairwell doors. They can act as a signal for waiting thieves that the door will be opening. • Install main floor lobby doors to deny unauthorized after-hours access.

36 An ASIS International Foundation Research Council CRISP Report Increase the Risks 10. Strengthen formal surveillance • Install CCTV on main access points into space. 6. Extend guardianship • Actively monitor burglar alarms. • • Make department and/or employee responsible Monitor access control alarms. for laptops and replacements. • Institute or increase security guard patrols. • Secure devices when not in use. • Conduct audits on laptops regularly (daily, • Install GPS (Global Positioning System) moni- weekly, monthly) to ensure none has gone toring. missing. • • Arrest offenders. Implement policies and standards regarding information and laptop device protection. • Seize stolen property from offenders. • Restrict access to sensitive data. • Ban known offenders from premises. • Share theft information, techniques, and theft activities between business and law enforce- Reduce the Rewards ment. • Jointly with property management and tenants, 11. Conceal targets conduct lobby vulnerability assessments. • Determine what the real target is (data or • Reward contractors who enforce rules about device?) accessing company space. • Lock laptops and other electronic items in • Fix multiple I.D. labels on laptops. secure area after hours, and when left unat- • Have IT and facility security work together to tended for periods of time. secure data and devices. • Investigate use of security devices to ensure they work as promised. 7. Assist natural surveillance • Seek restitution. • Improve street and office lighting. • Back up data off laptop drive regularly. • Encourage staff to monitor work areas for suspi- • Store all vital information away from laptop cious activity. drive. • Call building security or police when suspicious • Conduct risk assessment on laptop and data activity is identified. to determine relative value and corresponding security measures. 8. Reduce anonymity • Identify and classify data. • • Challenge visitors. Keep confidential information confidential. • Institute visible I.D. program for employees and visitors. 12. Remove targets • Sign in all visitors. • Consider locking laptops in a secure vault. • Escort all visitors. • Evaluate company needs to ensure laptops are • Do not leave visitors unattended. necessary. • Report all thefts to security and police. • Conduct security laptop audits frequently to identify employees not following procedures. • Monitor personal information if laptop is stolen, as it has identity theft implications. • Have employees take laptops home. • Report data breaches. • Implement a reporting system for stolen and 13. Identify property lost laptops. • Mark company logo in more than one location. • Maintain specific records of laptops, including 9. Use place managers receipts, manufacturer, model, and serial number for recovery purposes. • Reward vigilant staff for informing security and/or police of incidents. • Keep user manuals and warranty cards. • Educate contractors to assist. • Register laptop with manufacturer. • Advise employees about thieves’ techniques. • Implement microdot serial number system.

• Train employees in protecting data and laptop devices. • Monitor use of laptops to ensure legitimate users are using them appropriately. Lost Laptops = Lost Data 37 14. Disrupt markets Remove Excuses • Monitor pawnshops. • Arrest fences. 21. Set rules • Seize stolen property. • Have documented and specific policies in place regarding responsible use of, and expectation 15. Deny benefits for, protecting company equipment (laptop security guidelines). • Install password protection devices using complex alphanumeric passwords. Change them • Enforce rules. regularly. • Hold employees accountable for failing to • Do not store vital company data directly on follow procedures. laptop. • Make individuals accountable for laptops. • Install software that dials a central monitoring • Establish and enforce property removal station if activated and reports IP address. procedures. • Install biometric protection on USB thumb • Investigate all laptop theft incidents. drive to secure against unauthorized software • Identify true value of data by conducting risk access. assessment of data and equipment. • Install BIOS password. • Investigate all theft and attempted theft • Activate login password. incidents. • Install ‘kill’ switches to erase data remotely and • Purchase laptop theft insurance. deactivate device requiring repair and activate ‘stolen property’ message. 22. Post instructions • Render machine unusable via endless reboot. • “Private property” • Use password-protected screensavers. • “Inspect badges” • Ensure all software patches are installed regularly. • “Lock up your valuables” • “Unauthorized entrance not allowed” Reduce Provocation • “All visitors must report to Reception” 23. Alert conscience 16. Reduce frustrations and stress • Submit “Victim Impact Statements” to courts. • Reduce workplace hostility. • Educate employees on company and personal responsibility. 17. Avoid disputes 24. Assist compliance 18. Reduce temptation • Educate employees on theft techniques. • Lock away equipment when not in use. • Institute a security awareness education program. 19. Neutralize peer pressure • Educate potential end users of stolen laptops. 25. Control drugs and alcohol

20. Discourage imitation • Punish thieves. • Seek restitution. • Punish employees who violate rules. • Hold management accountable.

38 An ASIS International Foundation Research Council CRISP Report Appendix F: Implementing Physical Security Measures—35 Strategies

# Response Resource Respon- How it works Considerations sible person 1 Install astragal Introduction to Security, Property Denies immediate Too much space between & latchguards. 7th Ed., owner access to lock mecha- mechanism and door still Fischer & Green, nism. allows thief to defeat door p. 171 hardware. Will slow down but not stop all thieves. 2 Install hard- Vulnerability Assessment Property Decreases “give” in Increased weight of door ened door and of Physical Protection owner door and frame. Mak- may mean adjustment to frame. Systems, Garcia, ing it harder to spread closure and door mecha- p. 216-222 frame apart keeps lock nisms. mechanism from being accessed. 3 Harden doors Effective Physical Security, Property Similar to #2. Similar to #2. and frames. 2nd Ed. owner Fennelly, p. 147

4 Install high- Effective Physical Security, Property Increases delay time Increased cost. Is not 100% quality hard- 2nd Ed. owner for thief to defeat door. guaranteed to stop all ened steel lock Fennelly, p. 148 Poorer quality mecha- thieves. hardware. nism is easier to break and penetrate. 5 Lock doors Effective Physical Security, Property Denies access to People must be trained accessing pri- 2nd Ed. owner opportunists. to always lock doors and vate space. Fennelly, p. 90 confirm regularly, especially at day’s end. 6 Lock laptops in Effective Physical Security, Laptop Adds an additional bar- Increased costs in creating secure areas. 2nd Ed. owner and rier thieves must defeat. secure area. Staff must be Fennelly, p. 90 property trained to use. Increases owner delays in staff accessing device. 7 Install laminate Vulnerability Assessment Property Increases delay time Increased cost. Quality of glazing on of Physical Protection owner to thief who may try laminate must be confir- glass. Systems to kick in doors and med. Garcia, p. 222-224 windows.

Lost Laptops = Lost Data 39 # Response Resource Respon- How it works Considerations sible person 8 Use laptop “Lock down your Laptop Adds additional barriers Increased cost. Decreased locking devices computer,” PC Magazine, owner/user for thieves to defeat. employee productivity. regularly. May 6, 2003, Glass, p. 72 Increases delay time, Some devices work better which increases risk for than others. Not 100% thief. guaranteed effective.

9 Eliminate Laptop Theft in Owner of Denies access to Additional cost. Aesthetics access to Commercial Buildings EML thieves who can eas- may be an issue. Equip- externally 2006 Survey, ily defeat EML if they ment must be correctly mounted elec- Headley, et al., p. 31 know how. In order to installed. tro-magnetic defeat it, they must be locks with a able to access it. By cover. covering it, access is severely reduced. 10 Consider lock- Laptop Security, Part 1, Senior Central vaults are Size and location of vault, ing laptops into Preventing Laptop Theft manage- one consideration a responsible party to a secure vault Ryder, p. 3 ment for protection. Adds manage access issues, or safe. another layer the thief how it is or can be secured, must defeat in order to accessing after hours, and access device. effectiveness. 11 Install local Effective Physical Security, Property Sends out an audi- Minor additional cost. Need audible door 2nd Ed. owner ble alarm when an a response procedure and alarms on Fennelly, p. 199 attempted theft is people to respond. doors, rooms, underway. Brings atten- and device. tion to location and thief. 12 Reinforce Handbook of Loss Property Stops door jamb from Minor additional cost. Long, doorjamb with Prevention and Crime owner being pried away from heavy-duty (2-4 inch) wood screws. Prevention, 4th Ed., frame, thereby expos- screws are required. Avoid Fennelly, p. 151 ing lock mechanism. wood screws longer than the width of the door frame, as they penetrate behind it. 13 Install long Handbook of Loss Property Adds additional barrier Minor additional cost. Staff throw dead- Prevention and Crime owner thief must defeat in must be trained to ensure bolts on doors Prevention, 4th Ed., order to access area. deadbolts are always used and screens. Fennelly, p. 176 properly. Self-locking deadbolts should be considered. Life safety may be an issue. 14 Lock lavatories Effective Physical Security, Property Denies hiding space Personal safety may be an and closets to 2nd Ed., Fennelly, p. 53-54 owner, to thieves waiting for issue for those confront- deny hiding employees employees to leave. ing thieves hiding. Locked places. washrooms cost money and require a code, card, or key. 15 If possible, Laptop Theft in Access Tones can act as a sig- Requires the system disable audible Commercial Buildings control sys- nal for waiting thieves administrator to disable the tones on card 2006 Survey, Headley, et tem owner that the door will be alarms. readers near al., p. 30-33 opening. By disabling stairwell doors. the tones, it will be difficult to access the door before it closes.

40 An ASIS International Foundation Research Council CRISP Report # Response Resource Respon- How it works Considerations sible person 16 Connect The Incredible Shrinking Laptop An audible alarm acti- Alarm must be activated audible motion Laptop, Access Control & owner/user vates when the laptop and installed. Some thieves sensor alarm to Security Systems is moved by an unau- may not be deterred. Alarm laptop. Emigh, p. 2 thorized person (thief). must be within hearing range of the laptop owner.

17 Have alarm The Incredible Shrinking Senior When laptops are Network must be monitored activated when Laptop, Access Control & manage- disconnected from in real time. Responder laptop discon- Security Systems, ment the network, an alarm must be dispatched. nected from Emigh, p. 2 activates information Procedure required, as network. monitoring staff. legitimate user could be disconnecting.

18 Repair any “Fixing Broken Windows” Property Eliminates an obvious Thieves may attempt or damage from a http://en.wikipedia. owner method of entry. succeed again, so simply break-in imme- org/wiki/Fixing_Broken_ repairing an existing weak- diately. Windows ness may not be enough deterrence. May be an opportunity to upgrade security features. 19 Reduce the Effective Physical Security, Property Reduces vulnerable May call for review and number of 2nd Ed., Fennelly, p. 97 owner points. Increases effort redesign of facility. Will access points on part of thieves. likely cost money. Will likely into property. change procedures.

20 Install elec- Vulnerability Assessment Property Creates defense-in- Designing and implement- tronic access of Physical Protection manager/ depth with additional ing will cost money. System control system. Systems, Garcia, owner layers and barriers. requires ongoing manage- p. 173-199 ment.

21 Install Vulnerability Assessment Property Provides real time Will cost money. Effective- interior of Physical Protection owner monitoring of property ness dependent upon intrusion Systems, Garcia, number of alarms being sensors with p. 87-112 monitored. Requires timely appropriate response usually from secu- response. rity force.

22 Install and Effective Physical Security, Property Creates obstacles for Thieves will attack barri- harden barriers 2nd Ed., Fennelly, p. 96 owner thieves to overcome. ers and, depending upon at all access the quality and quantity of points. barriers, may or may not be successful. Barriers should be considered delay only. 23 Install main Effective Physical Security, Property Before thieves get to Installation of barriers floor lobby 2nd Ed., Fennelly, p. 96 owner laptops or conduct potentially costly. May not doors to deny pre-theft surveillance, stop thieves from accessing unauthorized they face an additional space before closing hours. after hours barrier. access.

Lost Laptops = Lost Data 41 # Response Resource Respon- How it works Considerations sible person 24 Install elec- Vulnerability Assessment Property Controls pedestrian Waist-high turnstiles con- tronic turn- of Physical Protection owner traffic in and out of a sidered delay barriers only. stiles. Systems, Garcia, facility. Funnels pedes- p. 209-210 trians through specific points. 25 Install RFID “Now RFID Tags to Track Senior RFID tags can be RFID has been used exten- (Radio Your Laptops” manage- installed on laptops. sively in retail for many Frequency http://www.ciol.com/ ment When the laptop is years. Expensive equipment Identification) content/enterprise/2004/ moved past ‘gates,’ must be installed for the for tracking. 104102802.asp an alarm is generated, alarm to sound. There is bringing the theft to the the chance of false alarms. attention of employees. In addition, employees must be ready to respond. As seen in the retail field, employees can learn to ignore alarms. Requires administrative set-up and ongoing monitoring. 26 Install keychain “Stop! Laptop Thief!” Laptop An audible device Owners must be prepared alarm. Time, Taylor, p. 71 owner sounds when the to do something when see- keychain and laptop get ing their laptops walk away. more than 40 feet apart. 27 Lock laptops “Preparation eases pain of Laptop Laptop must not be left Inconvenient to constantly and other elec- stolen laptop” owner/user alone as this is when keep an eye on device or to tronic items eWeek, Hines, p. 25 it is most vulnerable to find fully secure area after in secure area theft. hours. after hours and when left unattended for short and extended periods of time. 28 Affix identifica- “Data Confidentiality in an Laptop A permanently affixed Labels may be a deterrent tion labels on Electronic Environment” owner label is attached using but are more seen as aiding laptops. The CPA Journal, a ‘superglue’ to the recovery. They clearly Louwers & VanDenburgh, body of the laptop identify ownership. p. 26 with clear identification marking on the steel plate. 29 Ensure Workplace Security Property Ensure doors have Can be inconvenient for perimeter Handbook owner permanently locked legitimate place users who doors have Viollis, et al., p. 66-74 function activated. will sometimes wedge permanently Increases access doors open for a variety of locked function control as it chan- reasons. Doors must be activated. nels people through a checked regularly to ensure central point where they they are locked. can be identified, and reduces access points for thieves to gain entrance.

42 An ASIS International Foundation Research Council CRISP Report # Response Resource Respon- How it works Considerations sible person 30 Install and con- Implementing Physical CCTV CCTV systems should Audits cost money and duct audit of Protection Systems: A system be designed to detect require repairs. Also, in the CCTV sys- Practical Guide, owner/user thieves. In order for order for CCTV to work tem to ensure Patterson, p. 60-63 them to achieve this as designed, people must system is in function, they must respond. CCTV does not proper working work as specified necessarily stop thefts from order. System and then periodically occurring but can be an needs to be audited to maintain this important investigative aid. monitoring expectation. specific laptop locations. 31 Improve street Protection of Assets Property Provides proper light- Proper lighting will not deter and office light- Manual, Vol. III owner/user ing for personnel and all thieves. Lighting outside ing to increase p. 19-IV-1 to 19-IV-17 CCTV identification the property line will be surveillance purposes. outside the control of the capabilities. property owner. If required to increase and/or upgrade lighting, there may be additional long-term costs. 32 Install device to Laptop For protecting laptop Device must be considered secure laptop owner/user on the road when it for delay purposes only. Car in trunk of car, must be left in a vehi- may be stolen. Not appro- if appropriate. cle, consider installing priate for rental vehicles. a safe or other securing Best to keep the laptop with device. the person but it may not always be realistic so securing it in the vehicle may be the best alternative. Each situation must be evaluated individually. 33 Keep laptop Laptop Keep the laptop Thieves may break into a out of sight. owner/user hidden when not vehicle just to look even if needed. Thieves they do not know there is a conduct pre-theft laptop in it. surveillance looking for laptops to steal. 34 Keep laptop Laptop The ideal situation is It may not always be appro- with user. Do owner/user to keep the laptop with priate to carry the laptop not leave in the person who uses it. with the person but the best vehicle. protection is to keep the laptop and person together. 35 Place micro- “How DataDot Protects Laptop Provides identification Product may be removed. dots with and Identifies Personal owner if laptop is stolen and Must be registered and in serial numbers Consumer Items.” recovered. place on unit. on units for http://www.datadotcanada. identification ca/video.php purposes.

Lost Laptops = Lost Data 43 Appendix G: Implementing Procedural Security Measures—61 Strategies

# Response Source and further Who is How it works Considerations information responsible 1 Develop written pro- Company Laptop owners and Every situation will not cedures for protect- users require written be covered so the laptop ing laptops in unique details for specific owner/user will have to settings: in the office, protection strategies. use common sense when on the road, and at Strategies are most following protective strate- home. effective when commu- gies. nicated in writing. 2 Ensure contractors “Guard Force Client and By ensuring contract Not all thieves have been are appropriately Operations, Part I” contractor staff are appropriately caught, arrested, and licensed. Protection of management licensed, an organiza- convicted so this will not Assets Manual, tion helps weed out eliminate everyone with a p. 9-I-7 to 9-I-8 contractors with crimi- propensity to steal, but it nal backgrounds. will go a long way in eliminating those with criminal tendencies from positions where they can steal. 3 Watch for pre-theft Laptop Theft Property Monitoring suspicious Not all thieves will be surveillance. in Commercial owner, laptop activities, challenging obvious and it may be Buildings 2006 owner thieves, and banning dangerous, depending Survey from sites, sends a upon location, to approach Headley, et al., message that secu- individuals. p. 25 rity and company are watching out for such activity. 4 Investigate use of “Safe Driving? Person Often products do Conducting tests of equip- security devices Is your laptop wishing to not live up to market- ment can be expensive and (hardware, software, strapped in?” implement ing. Therefore when take time but well worth and physical) to Accounting measures devices are used, they the effort. ensure they work as Technology, provide a false sense of promised. Demery, p. 47 security.

44 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 5 Search people “Security and Property Staff conducting There are legal and cultural exiting. Criminal Law,” owner searches may find (societal and company) Protection of stolen laptops. People ramifications to searching Assets Manual may not steal laptops if people. Chapter 20, they know they will be p. 20-24 to 20-26 searched upon exit.

6 Conduct risk assess- “Private Life of Company lap- Places laptops only May require periodic fine- ment to determine if Data” top distributor with those absolutely tuning. a laptop is appropri- Computer Weekly requiring one. Potential to impede work ate and necessary for Adshead, p. 2 Potentially reduces flow if not properly imple- employee, data, and target numbers. mented. use requirements. 7 Restrict access to Laptop Theft Company Denies access to Requires effective physical those on company in Commercial officials unauthorized users and security barriers as well as business only. Buildings 2005 also denies possible proper procedures rein- Survey pre-theft surveillance. forced by educated staff. Best, et al., p. 19 8 Conduct background “Background Employer and By conducting a Not all thieves have been checks on employees Investigations and contractor thorough background caught, arrested, and and contractors. Pre-employment management investigation, those convicted. So this will not Screening” with criminal back- eliminate everyone with a Protection of grounds will not be propensity to steal, but it Assets Manual, hired. will eliminate those with p. 1-IV-1 to 1-IV-18 criminal records from positions where they can steal. 9 Conduct an audit of “Preventative Access con- Ensures that the sys- Access control systems the access control Maintenance and trol system tem used to monitor require constant care and system to ensure it the Nuisance of owner/user door activity is working attention through preven- is in proper working Access Control properly. As many tive maintenance. Addition- order. Systems” nuisance alarms have ally, unless all devices and Best & been eliminated from points attached to the sys- Kitteringham the system, allows tem are confirmed to work security to quickly as designed, an audit is identify legitimate required to ensure they are alarms. in proper working order. Loud nuisance alarms can quickly overwhelm monitoring staff. 10 Maintain strict key Handbook of Loss System Keeps keys out of the Active key and card man- and access card Prevention and owner and hands of thieves who agement are vital aspects control. Crime Prevention, users can use such keys and of a protection program. 4th Ed. cards to easily access Requires discipline, time, Fennelly, secure areas. effort, and organizational p. 183-184 skills.

Lost Laptops = Lost Data 45 # Response Source and further Who is How it works Considerations information responsible 11 Use security to Vulnerability Property Security personnel Security department per- monitor and control Assessment of owner detect, deter, delay, sonnel required. access. Physical Protection and respond to Costs money and ongoing Systems, Garcia, suspected or real commitment. p. 87-112 security violations.

12 Conduct risk assess- Information Senior Laptop and data must There are a variety of pro- ments on laptop and Asset Protection management be considered two sep- tective strategies and the data to determine Guideline, ASIS arate yet inter-related owner/user must determine relative value and International, p. 11 assets. If non-vital the appropriate level of corresponding secu- information is stored protection for the assets. rity measures. on the laptop, then the There must be a consistent laptop becomes the approach to data clas- prime asset. If data is sification, which requires more vital and must be discipline. stored on laptop, then both assets must be There may be other con- protected equally. siderations to data beyond value of data. 13 Institute a security The Manager’s Senior By educating employ- An awareness program awareness education Handbook for management ees and contractors takes time, energy, com- program. Corporate Security about their duties rela- mitment, and a champion Kovacich and tive to asset protection, in order for it to succeed. Halibozek, all staff can be utilized p. 247-272 in protecting laptops and data. 14 Hold staff and man- “Laptop Senior Staff must be held Documentation is vital, for agement account- Lockdown” management accountable for follow- staff to be held accountable for not following The Wall Street ing policies; otherwise able. company policies. Journal policies are ineffective. Staff need written policies McQueen, Employees must follow and procedures to follow. p. 1-3 established procedures Staff must be educated and be taken to task if The Manager’s regarding company expec- they do not. Handbook for tations. Corporate Security Enforcing procedures will Kovacich and create a culture of protec- Halibozek, tion within the organization. p. 163-184

15 Have documented Information Senior Protective strategies Staff can be expected to and specific policies Asset Protection management are most effective when follow written policies and in place regarding Guideline, ASIS they are consistent, procedures. responsible use of, International, valid, and in writing. and expectation for, p. 12-14 It removes the guess- protecting company work. equipment (laptop security guidelines).

46 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 16 Enforce procedures. “Laptops Prove Company Laptop and data will be Guidelines must be in Weakest Link in management protected to a higher writing, available, logical, Data Security” degree when employ- reasonable, and auditable. The Wall Street ees follow established Journal, Levitz and guidelines. Hechinger 17 Establish and enforce High-Rise Security Company Property removal All staff, including secu- property removal and Fire Life management procedures should be rity, must be aware of the procedures. Safety, 2nd Ed. developed and written. policy in order for them to Craighead, follow and enforce it. p. 59 18 Investigate all theft The Manager’s Company By investigating thefts Someone with previous and attempted theft Handbook for management and attempted thefts, investigative experience is incidents, as well as Corporate Security the organization may best suited to conduct an all data breaches. Kovacich and find how, when, where, investigation. Halibozek, why, who, and what All answers may not be p. 323-327 happened to ensure found. thefts or attempts will not happen again. Countermeasures can then be developed. 19 Program elevators to Laptop Theft Property Stops unauthorized Programming change wait in tower and not in Commercial owner individuals from walk- required of elevator soft- sit with doors open Buildings 2005 ing into elevators and ware. on ground floor. Survey waiting for them to Some elevator software Best, et al., move up into office may be too old to accept p. 19 space. programming requirements. 20 Ensure that contrac- “Guard Force Client and If insured contract Staff have to be caught tors are appropriately Operations, Part I” contractor staff do steal and are stealing. insured. Protection of management caught, the victim has Assets Manual, the ability to sue for p. 9-I-18 damages. 21 Never leave laptop “Mobile Defense Laptop By having a guardian Can be inconvenient at alone or unguarded. Force” owner/user in direct view of the times and requires con- Computer World laptop at all times, it stant attention by laptop Wood, p. 33 reduces opportunity for owner to maintain thieves to steal without vigilance. being seen. 22 Stay informed of “Preparation eases Laptop Provides education to Theft schemes evolve and emerging theft pain of stolen owner/user users of how thieves change. Keeping informed schemes. laptops” eWeek are stealing laptops. requires work, time, and Hines, p. 25 Users can develop effort. This information then countermeasures to must be disseminated to theft schemes. other users.

Lost Laptops = Lost Data 47 # Response Source and further Who is How it works Considerations information responsible 23 Keep laptops “Mobile Defense Laptop Helps laptop user It can be difficult to hide inconspicuous by Forces,” Computer owner/user maintain low profile the fact that a user is carry- using simple carrying World, Wood, as thieves conduct ing/using a laptop. cases. p. 33 pre-theft surveillance. Thieves may not be If thieves do not know deterred by not knowing if user is carrying a lap- exactly what someone is top, they are less likely carrying. to target that individual. 24 Do not leave bags Kitteringham Laptop Thieves will conceal a Thieves may bring their behind for thieves to owner/user stolen laptop if pos- own bags. carry laptops away sible and they will use Not all laptop thieves will in. whatever is handy. be deterred by not finding Eliminating bags may bags to conceal laptops. reduce the number of laptops they are willing to steal at any one time. 25 Put laptop parapher- “Laptop Laptop Laptop paraphernalia It is not always conve- nalia such as docking lockdown,” owner/user signals that there are nient or easy to eliminate stations, power Macworld, Cook laptops in the vicinity. all traces of a laptop or cords, cables, away. and Seff, p. 1 Thieves will break into accessories. drawers and cabinets Even eliminating all traces looking for them. of the laptop may not be enough to dissuade the thief from looking. The absence of a desktop will indicate the use of a laptop. 26 Lock away tools and Kitteringham Laptop Thieves will often look Some thieves will be pre- keys that can be owner/user for tools at the location pared by bringing their own used to cut cables, of the crime to assist tools to the location. open drawers, etc. them in the act. However, there is no point making things easy for them. 27 Make department “Laptop Company Often neither depart- May be difficult to hold and/or employee Lockdown,” The which owns ments nor employees individuals accountable. responsible for Wall Street Journal, the laptops are held account- Depends upon labor laws, laptops and replacing McQueen, p. 1-3 able for lost or stolen collective agreements, and/ them. laptops. Making them or company culture. accountable, in theory, means they will take more responsibility for protection. 28 Secure devices when Laptop Security, Laptop Laptops should be Individuals, not depart- not in use. Part 1, Preventing owner/user locked up when not in ments or groups, should be Laptop Theft, use. They can ‘disap- made responsible for lap- Ryder, p. 1-4 pear’ and be gone for tops to ensure devices are a considerable time adequately looked after. before they are noticed missing or reported missing.

48 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 29 Register laptop with Laptop Security Laptop pur- An index card is usu- Nothing may come from manufacturer. Guidelines chaser ally provided upon identifying a laptop as http://labmice. the purchase of the being stolen. techtarget. laptop. All pertinent Registration must actually com/articles/ information requested take place. laptopsecurity.htm should be provided. It identifies the owner of the laptop. If the laptop goes missing and later contact is made with the manufacturer, then it can be determined to be stolen. Identification can be made. 30 Arrest offenders, Pulling the Plug on Police Police investigate Considerable amount of both laptop thieves Computer Theft crimes and arrest time and work required to and those receiving Police Research offenders. successfully complete a stolen goods. Papers 101, case. Whitehead and Potential high cost of Grey, p. 16-20 investigating. May be difficult to prove cases. 31 Prosecute offenders. Pulling the Plug on Police and Punishes offenders, Concentrated effort Computer Theft courts and keeps them off the required between police, Police Research streets for a certain prosecutors, and judges. Papers 101 amount of time. May Offenders are sometimes Whitehead and deter others. not deterred by sentencing. Grey, p. 24 Offenders share theft suc- cesses while incarcerated. 32 Seize stolen property Pulling the Plug on Police Recovery of laptops Identification often difficult from offenders. Computer Theft negates the effect of as many property owners Police Research stealing them. fail to record property. Papers 101, Potential to ‘mix and Whitehead and match’ equipment thereby Grey, p. 23 making it difficult to prove ownership. Lack of a central database may inhibit property identification and recovery. 33 Ban known offenders Panhandling Security, Banning offenders and It is sometimes difficult to from premises. POP Guide #13, property own- arresting them if they identify offenders. p. 32 ers, police, come back to the prop- Banning may not deter judges, and erty may avert thefts. some offenders. probation officials Confronting offenders may lead to potentially dangerous situations for security and property owners. Requires the cooperation of all parties.

Lost Laptops = Lost Data 49 # Response Source and further Who is How it works Considerations information responsible 34 Target persistent Thefts of and from Police and A relatively small num- Concentrated effort offenders for arrest Cars in Parking prosecutors ber of offenders can be required between police, and prosecution. Facilities responsible for a high prosecutors, and judges. POP Guide #10 number of incidents. Offenders are sometimes Clarke, Targeting persistent not deterred by sentencing. p. 22 and 23 offenders may likely Offenders share theft suc- have an impact on cesses while incarcerated. overall incidents. 35 Seek restitution. Encyclopedia Laptop Take away the financial Seeking restitution can be of Security owner/user incentive to steal. costly in time, effort, and Management human resources and may Fay, p. 448 not result in success as often thieves do not have money or other assets. 36 Submit “Victim Pulling the Plug on Laptop Courts must under- Victim impact statements Impact Statements” Computer Theft owner/user stand the financial take some time to prepare to courts. Police Research impact thefts have and submit. Papers 101 upon the business Whitehead and community. This may Grey, p. 24 lead to increased penalties.

37 Monitor pawnshops. Handling Stolen Police By monitoring pawn- Pawnshops are not the Goods and Theft: A shops, police can help only receivers of stolen Market Reduction eliminate a source goods. Approach where thieves take their Monitoring pawnshops Research Findings stolen goods. may be time consuming. No. 69 Sutton, p. 3 and 4 Can be effective if properly employed. 38 Share theft infor- Pulling the Plug on Property By sharing information, Privacy issues may impede mation, mode of Computer Theft owners and business can better sharing of information. operation, and theft Police Research law enforce- protect themselves Either party or both may activities between Papers 101 ment while law enforcement be hesitant about sharing business and law Whitehead and can gather intelligence intelligence and informa- enforcement. Grey, p. 24 in advance of launching tion. Positive working investigations. relationships must be built in advance. 39 A qualified person Laptop Theft Person(s) The lobby assessment The identification of vulner- should conduct a in Commercial responsible identifies vulnerabilities abilities should lead to lobby vulnerability Buildings 2006 for lobby that thieves can use to correcting them. This may assessment. Survey access office space. likely cost money. Headley, et al., p. 31 40 Search for your “Stop! Laptop Laptop owner Access: You need to record your stolen laptop on the Thief!” Time Stolencomputer.org serial number before the Stolen Computer Taylor, p. 71 laptop goes missing. Enter your serial num- Registry by entering ber to determine if your your serial number. laptop was recovered by the FBI.

50 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 41 Have IT and facil- Information Company Overlapping protective Strategies are less effective ity security work Asset Protection management strategies must work in if parties are not working together to secure Guideline tandem. as a team. data and device. ASIS International, Both departments must p. 9 recognize that laptop theft is a serious issue. Both physical and electronic strategies must be made in tandem.

42 Encourage staff to Handbook of Loss Senior man- Alert staff must feel There must be someone monitor work areas Prevention and agement empowered in report- to report the suspicious for suspicious activ- Crime Prevention, ing suspicious activity activity to. ity. 4th Ed. to police or security. There must also be a list of Fennelly, p. 73 what constitutes ‘suspicious behavior’. 43 Call building security The Design and All employees Staff must report suspi- Everyone: staff, police or police when Evaluation of cious activity when and/or security, must be suspicious activity is Physical Protection observed. It does no prepared for ‘false alarms’. identified. Systems good to call several Garcia, hours later. p. 223-238 44 Challenge visitors. Laptop Theft All employees Staff must be prepared Often, legitimate visitors in Commercial to challenge unknown are moving about. Incor- Buildings 2006 visitors to company rect challenges can lead to Survey space. Thieves often confrontations. Headley, et. al., take advantage of the Staff must be prepared to p. 21-22 anonymity of large deal with thieves who have offices. been stopped and chal- lenged. 45 Institute visible I.D. Workplace Security Business Identify all legitimate A process must be program for employ- Handbook, owner users authorized to implemented whereby all ees and visitors. p. 75 be on site through the place-users must wear effective use of pre- identification. This includes authorized credentials. an authorization process pre-approving place-users. In addition, a person or persons must be responsible to ensure that all staff adhere to the system. Appropriate sanctions must respond to those refusing to utilize the system.

46 Sign in all visitors. Workplace Security Business All visitors must report There must be a process in Handbook, owner to a central location, place for verifying identi- p. 76 provide identification of fication, i.e. the person is some sort for verifica- who they say they are. tion, then be provided with visitors’ badges.

Lost Laptops = Lost Data 51 # Response Source and further Who is How it works Considerations information responsible 47 Escort all visitors. Workplace Security Person being Preferably, those whom An authorization process Handbook, visited visitors are meeting system must be in place p. 76-77 must escort visitors. whereby the employee meeting with the visitor must be able to be con- tacted and to also make them responsible for main- taining constant supervi- sion of the visitor.

48 Do not leave visitors Workplace Security Person being Visitors must be Employees meeting with unattended. Handbook, visited escorted at all times. visitors must understand p. 76-77 their responsibilities as they relate to company policies and procedures.

49 Report all thefts to “Theft and Fraud Employees Informing security and Some employees, espe- security and police. Prevention” and senior police alerts them that cially if they are held Protection of company thefts are occurring. personally accountable for Assets Manual officials Countermeasures can lost or stolen laptops, may p. 11-1 to 11-18d, be developed to pro- be hesitant about reporting Chapter 11 tect company employ- incidents. ees and property. Some companies feel stolen laptops are the cost of doing business and may choose not to report. 50 Monitor personal “Laptops Prove Company By monitoring personal Monitoring personal infor- information if laptop Weakest Link in and/or indi- information, people will mation requires time, effort, is stolen. It has iden- Data Security” vidual who be alerted if their iden- and money. tity theft implications. Wall Street Journal had personal tity has been compro- It may be some time before Levitz and information mised. The sooner one compromised personal Hechinger, on stolen learns of the compro- information has actu- p. 2 laptop mise, the sooner one ally been accessed and can take steps to limit abused. exposure. 51 Implement a report- Security and Life Company Often, staff do not Thought must be given ing system for stolen Safety for the senior man- know how or where to to creating a reporting and lost laptops. Commercial High- agement report a laptop theft. system. Rise, Without a system for Senior management or Kitteringham, recording and respond- security must be prepared p. 32 ing to incidents, to respond to reported security or senior incidents. management may be inconsistent in their responses.

52 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 52 Educate contractors “Data Employees Clarifies expectations Policies and procedures to assist. Confidentiality who work for contractors as must be developed first. in an Electronic with contrac- to what policies and Employees must be given Environment” tors. procedures are relative responsibility to educate The CPA Journal Senior Man- to laptop security. contractors. Louwers & agement is VanDenburgh, responsible Contractors and employ- p. 26 to develop ees must be held account- education able for following them. material 53 Train employees in “Data Senior Staff must be educated An education program protecting data and Confidentiality company to help protect data must be developed, imple- laptop devices. in an Electronic management and laptop devices. mented, effective, and Environment” reinforced. The CPA Journal, Louwers & VanDenburgh, p. 26 54 Institute or increase Handbook of Loss Senior Provides a visible There are financial and security guards’ Prevention and company deterrent to potential operational considerations patrols. Crime Prevention management laptop thieves. The when instituting or increas- 4th Ed. physical presence of ing security patrols. Fennelly, uniformed officers adds Some staff may feel threat- p. 253-265 a layer of security. ened that their worksite requires uniformed security officers. Other employees may feel increased feelings of safety and security. 55 Conduct audits “Cyber Traps: Security staff While conduct- Staff need to be edu- on laptops regu- An Overview of ing their company cated about the existing larly (daily, weekly, Crime, Misconduct rounds, security staff company policy. They monthly) to ensure and Security makes a detailed list also must be given the they are being used Risks in the Cyber of all laptops left out appropriate tools to protect appropriately or are Environment” unprotected. This list the laptops after hours. still in place. George, is passed onto senior Further, employees must p. 4 management, who be encouraged to follow bring it to the employ- the rules. ee’s attention.

56 Implement poli- “Data Senior man- Creates expecta- Considerable thought must cies and standards Confidentiality agement tions and checklist for go into developing policies regarding information in an Electronic employees to follow. and standards to ensure and laptop device Environment” they are appropriate, effec- protection. The CPA Journal tive, and fair. Louwers & Staff must be informed and VanDenburgh, kept updated on a regular p. 26 basis.

Lost Laptops = Lost Data 53 # Response Source and further Who is How it works Considerations information responsible 57 Restrict access to “Data Senior man- A primary rule of pro- There must be policies and sensitive data. Confidentiality agement tection is to first ensure procedures in place and in an Electronic that as few people as enforced. Environment” possible know what the The challenge of protecting The CPA Journal asset is and where it data is that it is so easy to Louwers & resides. It is far easier move around. VanDenburgh, to protect something p. 26 that no one knows Data is often valuable exists. only because it can be accessed. 58 Purchase laptop theft What is laptop Laptop owner Insurance used if lap- Like other kinds of insur- insurance. insurance? top is stolen. ance, there are always http://www. conditions, which must be wisegeek.com/ thoroughly investigated what-is-laptop- before insurance is pur- insurance.htm chased.

59 Post instructions: “Laptop Theft in Senior man- Posting instructions There may be mixed feel- “Private property” the Commercial agement reinforces rule-setting ings. Some employees may “Inspect badges” High-Rise” for both employees object to the messages as “Lock up your valu- Kitteringham and thieves. It sends a they feel they create a ables” message to both about hostile or unsafe environ- “Unauthorized the level of security in ment. entrance not place. allowed” “All visitors must report to Reception” 60 Consider having “Protecting Employee The laptop is removed Laptop may be stolen on employees carry Information on entirely from the work- the way to or from the laptops instead Laptops, PDAs, place. office. of checking them and Cell Phones” May be inconvenient to or leaving in hotel Wilson, Web, take laptop home every rooms. Frank and Charron, night. p. 3 61 Mark more than one “The Incredible Person Company logo should Thief may not care. location with com- Shrinking Laptop” implementing be firmly attached in Logo may not be effective. pany logo Access Control & program more than one location Security Systems to make it more difficult The laptop may look less Emigh, p. 2 for thief to remove. attractive to employees.

54 An ASIS International Foundation Research Council CRISP Report Appendix H: Implementing Electronic Security Measures— 21 Strategies

# Response Source and further Who is How it works Considerations information responsible 1 Implement pass- “Securing Laptop Laptop owner/ Denies access to files People may forget password word protection on Data Against user without password. or fail to activate file protection files. Losses,” Security system. Management Is inconvenient and subject to Piazza, p. 37 defeat.

2 Install product “This Stolen Laptop Property ‘Dead on Demand’ A very drastic solution, which which, if activated, Will Self-Destruct in owner technology contains will not allow the data owner to will physically 5 Seconds” software which retrieve data. It will be destroyed. destroy the hard PC World, Brandt, detects tampering, As with any solution, it needs thor- drive. p. 46 and a canister filled ough investigation to ensure it will with a corrosive work as promised. chemical. 3 Back up data off “Preparation eases Laptop owner/ Data must be saved Requires discipline to back up laptop drive regu- pain of stolen user and backed up regularly. larly. laptop,” eWeek, regularly away from Does not stop data from the Hines, p. 25 the device. In case of laptop from being accessed and theft, data is not lost. compromised.

4 Install GPS (Global “Data Laptop owner In the eventuality of Installation will cost money. Positioning Sys- Confidentiality a loss, GPS can be May not be 100% effective in tem) monitoring. in an Electronic used to locate the retrieving laptop. Environment” device. The CPA Journal, Someone must physically retrieve Louwers & the laptop. VanDenburgh, GPS does not work everywhere. p. 26 5 Implement auto- “Risky Business” Senior man- Software monitors As with any software, there are matic data auditing HR Magazine agement laptop usage when administrative issues. capability. Roberts, p. 71 it is on the company Software must be purchased and network. Tells how tested. it is being used and if there is data that May be issues of ‘Big Brother’ should not be on it. monitoring. Organizational culture or collective agreement may pose challenges. Training is required, as are policies and procedures.

Lost Laptops = Lost Data 55 # Response Source and further Who is How it works Considerations information responsible 6 Maintain specific Pulling the Plug on Laptop pur- Records can be used Records must be kept in a secure records of laptops Laptop Theft chaser in the recovery of place but accessible when including receipts, Police Research stolen laptops. required. make, model, Series Paper 101 serial number, user Whitehead and manual, and war- Grey, p. 25 ranty card. 7 Password pro- “Preparation eases Laptop owner/ Password must be People often fail to activate pass- tect device using pain of stolen user used in order to be word protect. complex alphanu- laptop” eWeek. effective. Passwords can be defeated. meric passwords, Hines, p. 25 changed regularly.

8 Encrypt hard drive. “Locking up the Laptop owner Hard drive encryption Installing software can be Laptops” activated so if incor- complex and time consuming. Chronicle of Higher rect passwords are Requires dedicated staff to super- Education entered, data stays vise system. Kiernan, p. 1–4 encrypted. Users can forget passwords. There are various software available. All must be assessed before implementation. Encryption can be expensive. Data can be lost if user makes errors. Software failures can cause loss of data. Key management vital. If machine is stolen when it’s run- ning, thief may be able to access files. Machine is useless to thieves unless they swap out drive or re- format it. Loss of key will make it difficult to access information by legitimate users/owners. Some encryption programs are not user friendly and may lead to people not using it.

56 An ASIS International Foundation Research Council CRISP Report # Response Source and further Who is How it works Considerations information responsible 9 Install software “Protecting Laptop owner If stolen then con- Separately-purchased software that dials a central Campus Data” nected to the Internet, may be required. Some new lap- monitoring station University Business laptop will call auto- top manufacturers are installing it if activated and Angelo, p. 75-76 matically to a central in factories. reports IP address. monitoring station Laptop must be connected to the providing IP address. Internet for it to dial central monitoring station. Police services are required to retrieve laptops. Monitoring services require fees. 10 Install biometric “Stay Secure at Laptop owner/ A USB biometric Devices have varying prices. protection on Home and on the user fingerprint reader Can still be defeated. USB thumb drive Road” allows only those pre- to secure against PC World approved to access Lost or stolen readers make unauthorized Bass, p. 39 the files on the laptop. accessing the files difficult. access. Fingerprint reported to be relatively easy to copy. May reject legitimate thumbprint. 11 Install BIOS pass- “Locking down Laptop owner Prevents the laptop Can be bypassed by removing word. sensitive data” from booting without hard drive or battery. The CPA Journal a password. Methods of bypassing BIOS easily Louwers and found on Internet. VanDenburgh, p. 27 12 Activate login pass- Protection Laptop owner Prevents access to Methods to bypass passwords word. Information on laptop programs. easily found on Internet. Laptops, PDA’s, Password lockout Older software programs do not and Cell Phones program should be have password protection. Wilson Web activated to ensure Frank and Charron, Employees must be encouraged that, after only so p. 1–4 not to choose simple passwords. many attempts to enter a password, Hackers can use dictionary pro- the computer locks grams to crack passwords. up and sends a help “Shoulder surfers” watch for message to the IT people entering passwords. department. 13 Install ‘kill’ switches “Protecting Laptop owner If stolen laptop is Laptop must be connected to the to erase data Campus Data” monitored and con- Internet. remotely. University Business nected to the Internet, Angelo, data from hard p. 75–76 drive can be erased remotely.

Lost Laptops = Lost Data 57 # Response Source and further Who is How it works Considerations information responsible 14 Install software to “Protecting Laptop owner Laptop can be Laptop must be connected to the remotely deactivate Campus Data” remotely deactivated Internet. device requiring University so thief will take it to Thief must take laptop into repair repair, and activate Business a repair shop. Upon shop. “stolen property” Angelo, attempts to repair, message. p. 75–76 a message declar- Repair shop must inform authori- ing the laptop to be ties. stolen will activate.

15 Render machine Laptop owner Laptop can have Methods to bypass can easily be unusable via end- program installed. found on Internet. less reboot. 16 Use a biometric “The Incredible Laptop owner/ Voice-activated All biometrics are subject to voice identification Shrinking Laptop” user system acts much multiple conditions. Biometrics are system to activate Access Control & like USB fingerprint rapidly improving but not perfect. laptop. Security Systems scanner. Thorough investigation required to Emigh, p. 3 determine if solution suits users.

17 Ensure that all soft- The High Cost of Laptop owner/ Allows all up-to-date Requires discipline to update ware patches are Laptop Theft user security programs regularly. installed regularly. http://www. to be utilized to their Someone must be identified as absolute.com utmost. responsible.

18 Use a removable Protection Laptop owner/ The hard drive can Potential for the hard drive to be hard drive. Information on user be removed from stolen or lost. Laptops, PDAs, the laptop and kept Hard drive must still be fully and Cell Phones separately. protected. Wilson, Web, Frank, and Charron p. 3 19 Use an external “The Incredible Laptop owner/ Device plugs into Thorough investigation required to encryption device. Shrinking Laptop” user USB. determine user friendliness, and Access Control & whether encryption provides an When device is pulled Security Systems appropriate level of security. from laptop, screen Emigh, p. 3 goes blank while operating system works in background. 20 Install software that “Securing your Laptop owner/ Every few minutes, a Needs a camera in working order allows camera to laptop against user photo of the person connected to the laptop. take photo of thief theft” using the laptop is May only work on certain brands. using laptop. Business Week taken. Online Taking a photo will not retrieve a Hesseldahl, P. 4-4 laptop, but will identify thief.

21 Install RFID tags for Chipping of Goods Laptop owner/ With RFID read- Installation requires infrastructure asset protection. Case Study: user ers connected to of hardware, software, and proce- Laptop Computers the access control dures for it to be effective. Further Home Office system, access to exit exploration of anyone wishing to with a tagged laptop implement is strongly suggested. is denied without According to the study con- appropriate authoriza- ducted, was highly effective in its tion. first year of operation.

58 An ASIS International Foundation Research Council CRISP Report Appendix I: Security Awareness Employee Sign-off Sheets

Procedure: Staff members are expected to read and follow the [company’s name] Laptop and Data Protection Policy. Each employee is responsible to learn and become familiar with company and departmental expectations.

Laptop User

All employees using portable laptop devices shall abide by all written documentation. Laptop users are required to read, understand, and abide by all procedures as they relate to protecting the laptop and the information in it. Upon completion of review of this procedure, the employee shall sign off on the [company’s name] Laptop Device and Data Protection Policy.

I,______,(printed name of employee) have read and understand the responsible use and protection guidelines as they pertain to me. Date: ______Signature:______

Lost Laptops = Lost Data 59 Department Manager

Person designated with the responsibility to ensure that their staff members who are assigned laptop computers abide by all written documentation. Department managers are required to read, understand, and abide by all procedures as they relate to protecting the laptop and the information on it. Upon completion of review of this procedure, department managers should sign off on the [company’s name] Laptop Device and Data Protection Policy.

I, ______,(printed name of employee) have read and understand the responsible use and protection guidelines as they pertain to me.

Date: ______Signature:______

60 An ASIS International Foundation Research Council CRISP Report Senior Management

Senior managers designated with the responsibility to ensure the Laptop Device and Data Protection Policy is developed, implemented, and followed; and that all staff assigned various responsibilities abide by all written documentation. Senior management is required to read, understand, and abide by all procedures as they relate to protecting the laptop and the information on it. Upon completion of review of this procedure, the senior management representative shall sign off on the [Company’s Name] Laptop Device and Data Protection Policy. Senior managers are responsible for mandating written guidelines on: • Mobile data • Proprietary data • Employee responsibility towards laptops and data

Senior managers should also create a security awareness environment that includes: • Documentation • Education • Training

I, ______, (printed name of employee) have read and understand my responsibility towards ensuring the creation and implementation of the use and protection guidelines as they pertain to me. Date: ______Signature:______

Lost Laptops = Lost Data 61 Facility Security

Persons designated with the responsibility for the physical protection of portable devices shall abide by all written documentation. Facility security personnel are required to read, understand, and abide by all procedures as they relate to protecting the laptop and the information on it. Upon completion of review of this procedure, facility security personnel shall sign off on the [Company’s Name] Laptop Device and Data Protection Policy. Facility security personnel are responsible for the following: • Obtaining senior management support • Creating and providing physical and electronic security guidelines • Implementing physical and electronic security measures • Educating users through security awareness training • Conducting periodic audits • Updating security guidelines as required

I, ______,(printed name of employee) have read and understand the expectations of and responsible use and protection guidelines as they pertain to me. Date: ______Signature:______

62 An ASIS International Foundation Research Council CRISP Report Information Technology (IT) Security

Persons designated with the responsibility for the electronic protection of portable devices shall abide by all written documentation. IT security personnel are required to read, understand, and abide by all procedures as they relate to protecting the laptop and the information on it. Upon completion of review of this procedure, IT security personnel should sign off on the [Company’s Name] Laptop Device and Data Protection Policy. IT security personnel are responsible for the following: • Obtaining senior management support • Creating and providing physical and electronic security guidelines • Implementing physical and electronic security measures • Educating users through security awareness training • Conducting periodic audits • Updating security guidelines as required I, ______, (printed name of employee) have read and understand the expectations of and responsible use and protection guidelines as they pertain to me.

Date: ______Signature:______

Lost Laptops = Lost Data 63 Appendix J: Laptop Incident Reporting Form

The following three-part form should be used to report the loss and eventual recovery of laptops. Section A should be used by victims reporting the loss of the laptop. They should know who to report the theft to, what information was on the laptop, when they were first aware that the laptop was missing, and the circumstances surrounding the loss/theft. Section B should be filled out by the person to whom the loss is reported. That person should be aware of the security procedures in place for the missing laptop and the data on it. Section C should be filled out by the recovery team after the laptop is secured.

64 An ASIS International Foundation Research Council CRISP Report Section A: To be filled in by victim reporting the loss: Date: ______Name of report taker: ______

Name of victim: ______Date reported stolen: ______Description of laptop with serial number and other identifying marks:______Location where laptop was lost:______Circumstances of loss:______

Signature of person submitting report: ______Date: ______

Lost Laptops = Lost Data 65 Section B: To be filled out by security personnel or senior manager who receives the report of the laptop loss. Security measures in place: Electronic: ______Physical:______Procedural: ______Classification of data on laptop:______Specific files with description of information on laptop:______Does data reside elsewhere? (If so, provide location and file name)______

Signature of person submitting report: ______Date: ______

66 An ASIS International Foundation Research Council CRISP Report Section C: To be filled out by the recovery team: Recovery team members: ______What implemented security measures will facilitate recovery? ______Who will facilitate recovery?______Has local law enforcement been alerted and called in to investigate? What actions have they taken? ______Has senior management been alerted?______What is the (potential) scope of the laptop loss?______What is the (potential) scope of the data breach?______Person authorizing decision to terminate: ______Actions taken: ______Disposition (laptop destroyed, recovered or irretrievable?): ______Decision to terminate recovery, with reason(s)? ______

Signature of person submitting report: ______Date: ______

Lost Laptops = Lost Data 67

ASIS International (ASIS) is the preeminent organization for security professionals, with more than 36,000 members worldwide. Founded in 1955, ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s number one magazine—Security Management—ASIS leads the way for advanced and improved security performance.

ASIS International Foundation

The ASIS International Foundation, a 501(c)3 charitable organization, provides funding and manages endowments for a wide range of academic, strategic, and professional development activities. The purpose of the Foundation is to enhance the security profession worldwide by establishing, developing, delivering, and promoting programs that advance security through education, research, and training. Foundation scholarships ensure that those pursuing a career in security management are able to realize the highest academic achievements. Financial contributions from individuals, chapters, companies employing ASIS members, and corporations with an interest in security support the Foundation.

FOUNDATION TM

1625 Prince Street Alexandria, VA 22314-2818 USA 703-519-6200 TM FOUNDATION Fax: 703-519-6299 www.asisonline.org