Home > Uncategorized > Lost and Stolen Laptops: An Embarrassing Case Study

Lost and Stolen Laptops: An Embarrassing Case Study

I recently read a news item that stated that Ponemon Institute survey results show that nearly 640,000 laptop computers are lost at airports every year. Two thirds of the lost laptops are never returned to their owners. Worse yet, slightly more than half of the lost laptops held confidential data, and only 42 percent of the lost laptops have been backed up.

With respect to lost laptops, I stand among the guilty. About five years ago I had a flight from San Francisco to Chicago. The flight, originally scheduled for early one Sunday afternoon, kept getting delayed to the point that it was finally rescheduled to leave well after dinner time, something that more or less made it a “red eye” flight. I left the airport to have dinner at a nearby restaurant, and after coming back I had to go through airport security once again. After my hand luggage was x-rayed, I gathered my things together and walked down to the departure gate, boarded the airplane, and got what sleep I could get until the flight finally landed in Chicago sometime around three o’clock the next morning. I then had to get a rental car and drive it more than 100 miles. Around six o’clock I arrived at the building at which I was supposed to teach a Windows security course, and after getting a tall, strong cup of coffee, I went inside to start setting up for the course. I reached inside my computer bag to pull out my laptop only to find that it was not there. I wondered what could have happened to it; I then remembered that the last time I saw it was at the SFO security line. I thus figured that must have left it there. Waiting for a few hours because of the time difference between the Midwest and West Coast, I called my wife and asked her to call SFO airport security while I was teaching to see if my computer had been found. Sure enough—my computer was in the hands of the TSA security staff. Fortunately, I had attached a label with my name, address and phone number on it. Interestingly, however, when my wife drove to the airport to pick up my laptop, she was not allowed to take it with her. Instead it had to be mailed to the postal address on the label that I had affixed to the laptop.

The point of this story is that it is downright easy to leave a laptop somewhere. According to most of the survey statistics I have seen over the years, there are far more lost than stolen computers. Regardless of whether a computer is lost or stolen, however, the threat of personal and financial data and source code falling into the wrong hands has greatly escalated over the years because of laptop disappearance. Regretfully, my laptop did not at the time have whole disk encryption. At the same time, however, the information on my hard drive was (as far as I can remember) anything but sensitive or proprietary because at the time I was a university employee. I’m not making excuses for myself—all I am saying is that despite my blunders, everything could have been much worse.

As I look back on the ugly incident I caused, a few applications for information security practices stand out in my mind. First, we as information security professionals do not for the most part conduct enough security awareness and training concerning avoiding lost and stolen laptops. Given the high levels of risk associated with this problem, we really ought to be doing much more in helping users with laptops to become more aware of the problem and what they should be doing about it. Included in training and awareness efforts ought to be information regarding what users should do if they discover that their laptops are missing. Second, as I have said numerous times in previous blog postings, we need whole disk encryption on laptops (as well as other computers). In my mind, failure to use whole disk encryption on laptops is increasingly equating to a lack of due diligence. Third, every laptop needs to have a label containing information necessary to return a laptop to its owner. After all, in this world of ours there are many honest people who, if they find a laptop, will attempt to return it to its owner if they have some information concerning how to do so. One thing though—I do not recommend putting any information that might indicate the identity of the organization to which a lost or stolen laptop belongs. This kind of information might actually lessen the likelihood that the finder of a lost or stolen laptop will return it because the finder might realize that the laptop could be very valuable. Fourth, be sure that laptops are backed up frequently. And finally, consider using third party tools that can greatly reduce risk (e.g., by rendering the missing machine incapable of remotely connecting to any organization’s network) if laptops are lost or stolen.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.