Laptops are designed to be mobile, which means they are carried onto buses, trains and aeroplanes, to meetings, home in a taxi or even down to the pub if you crave a much-needed post-work pint. Even the best of us can be fallible at times, and all too often these laptops are forgotten, left behind, lost or stolen.
Those same machines inevitably contain immensely valuable information which, in the wrong hands, could well have disastrous implications for the host organisation.
So what does happen to a laptop when it's lost or stolen? The truth of what actually occurs when a laptop accidentally falls into the wrong hands makes for pretty shocking reading.
The lifecycle begins...
Let's say that, in a few weeks' time, you lose your laptop and – as is usually the case – it stays lost. Either it's picked up and carried off by opportunists, or (if you're lucky) it'll be handed in at a lost property office. At Gatwick Airport, for example, something in the region of 40 laptops are handed over every year. 32 were reclaimed in 2003. The rest aren't reclaimed because executives are often too busy to go back and collect them, particularly if they're based in another city or country. It's usually cheaper for their company to purchase another, perhaps more up-to-date machine.
After all, if the lost laptop is password-protected, why worry about the information it holds? All those brand new business plans and client details will be safe, won't they? Alas, the answer to that question is a resounding: "No!"
According to staff at Eurostar's Waterloo lost property office, most people do reclaim their mislaid laptops. However, last year two were ignored. One of them was originally owned by a major accountancy and auditing outfit. How did the Eurostar employees know this? Simple. In less time than it would take to munch your way through a croissant and gulp down a coffee on your way to Paris, one of the company's IT specialists bypassed the password, accessed the files and – after some lengthy reading – found out to whom the laptop belonged.
So much for security! Needless to say the company in question was only too happy to hear that the laptop had been found and appeared at the lost property desk before you could say: "Mot de Passe"!
What happens if a laptop isn't claimed, and no-one thinks to spend ten minutes getting past the password? Whether it's Strathclyde Police, Heathrow Airport or Paddington station, all lost property items are held for around three months and then auctioned off to the highest bidder. Where does that leave the company laptop, with its cache of sensitive data?
You'll be pleased to hear that the laptop's fine... and so is your data. All still there on the hard drive. In fact, in almost all cases neither the lost property office nor the subsequent auction house makes any attempt to delete or destroy data, let alone wipe the hard drive. It's not their responsibility and they're not liable.
Next up in our chain of events, we find ourselves at the auction house. It's a case of: "Buy what you see". You have a quick look to make sure the laptop works, and to see what software's on there. But what's this? Looks like there's a whole load of credit card details present, or maybe some design plans. Turns out this laptop came from the lost property office at a major London airport.
Similarly, it wouldn't take much for an extortionist to do the same. They'll pop down to the auction house, spend a few minutes scouring the laptops until they find ones holding valuable company information and download it there and then. It costs them nothing. If the used laptop has to be bought for £300 or so, it doesn't matter. The end result could be a veritable goldmine.
Using some password recovery software – easily obtainable from a peer-to-peer file-sharing network like Kazaa or eMule – it's simplicity itself to decrypt and reset the passwords held in the machine's Security Account Manager (SAM) database. Once they have the admin rights, the data thief then has access to all the information on that machine.
Being held to ransom!
Our keyboard crook now has a whole host of opportunities. Should he or she threaten to expose the company in question, and demand hundreds of thousands of pounds in blackmail, sell off the information to a rival company for more money or use it to access customer and/or employee accounts? If that weren't fun enough, maybe the crook could also use the laptop's access codes to log directly into the company's IT system and make a few changes. Or shut it down altogether!
All of this might sound a tad far-fetched, but think again. It has already happened. Recent examples include a cache of patient medical records discovered only last month when a former NHS doctor's laptop was sold at auction for £10. The doctor concerned was employed by the Royal Berkshire Hospital, and the laptop contained details of confidential letters that had been sent out to patients.
Then there was the case of the obsolete PC sold on by a blue-blood bank which "contained 108 files relating to Sir Paul McCartney's private cash dealings". The PC had been released into what's known as the 'second user market' without first being wiped clean of such important and confidential data.
As if that weren't enough, last year two graduates at MIT in the States bought 158 used hard drives from eBay, swap shops and other second-hand suppliers to check for unsecured data. Many surrendered their data cache in minutes. That data included over 5,000 credit card numbers, detailed personnel and corporate financial records, medical files and gigabytes of personal e-mail.
Who will be liable?
Still convinced that your laptop data's safe and sound? How about liability? Who's liable under the Data Protection Act 1998? You are! It's your company's laptop. You are entrusted with the confidential data, and it's your responsibility to implement suitable measures to ensure that information doesn't fall into the wrong hands. If it does, you could be facing unlimited fines or even a term spent at Her Majesty's pleasure.
So what can security professionals do with an old laptop – or indeed a working laptop – to prevent the data from being accessed by an opportunist thief?
There are numerous products available that can encrypt data, protect access to it or that can securely destroy the information held if you ever did decide to sell the computer or happened to lose it. The best advice is to never let the responsibility for securing the information on mobile devices reside with the individual. Ask your IT department to centrally install encryption and access control, and make sure that users aren't able to circumvent it.
Also, use a security product that's totally seamless and doesn't impede the machine. If it's invisible to the user then security need never be an issue. Every computer that leaves your company's offices should have encryption on it such that the data is secure. Make sure that you build 'virtual walls' and instil the virtual equivalent of the physical security measures you have in your office environment.
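As an added illustration (not from the article), the script below is the kind of pre-disposal check an IT department might run over a raw drive image before a machine is auctioned or sold on: it finds Luhn-valid card numbers in the bytes, which a logon password does nothing to hide, and shows that only overwriting the drive removes them. The image and card numbers are constructed sample data.

```python
import re
import secrets

# Constructed sample: a tiny stand-in for the raw hard drive image of a laptop
# about to be sold on. The account logon password has no effect on these bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Customer: J. Smith  Card: 4539 1488 0343 6467  Exp 09/06\n"
    + b"\x00" * 32
    + b"Order ref 1234567890123456 (not a card)\n"
    + b"Card on file: 5555-5555-5555-4444\n"
    + b"\xff" * 64
)

# 13-19 digit runs, optionally separated by spaces or hyphens, not glued to other digits
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(image: bytes) -> list[str]:
    """Scan raw bytes for Luhn-valid card numbers; returns them with separators removed."""
    found = []
    for m in PAN_RE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def overwrite(image: bytes) -> bytes:
    """Single-pass random overwrite of every byte: the 'wipe' the article calls for."""
    return secrets.token_bytes(len(image))


if __name__ == "__main__":
    print("before wipe:", find_card_numbers(SAMPLE_IMAGE))
    print("after wipe: ", find_card_numbers(overwrite(SAMPLE_IMAGE)))
```

On a real machine the same scan would be run against a block-device image rather than an in-memory byte string; the decoy order reference shows why the Luhn check matters.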
Source: SMT