Gambling with Laptop Security

April 27, 2009

In recent weeks the Ponemon Institute has issued two studies related to the risks inherent with poor laptop computer security. The first of these studies, conducted in partnership with Dell, looked into the business risk of poor laptop security. Media coverage of the report seemed to focus on a handful of interesting findings related to laptop use and abuse, and included the percentage of computers found to have various types of inappropriate content as well as the number of laptops damaged by spills (34%), drops (28%), unprotected travel (25%), or frustrated users (13%).

The following week we released a study in partnership with Intel detailing the various costs inherent with losing a laptop computer. Media coverage of that study seemed to focus on the bottom-line average cost of nearly $50,000 for each incident. Of that figure, the average cost of the lost hardware accounted for just over $1,500.

What was overlooked in all the coverage was the apparent failure of organizations – in spite of the overwhelming evidence – to grasp that the value of data stored on a laptop computer represents the greatest risk to the company. In the Dell study, 49% of those responding to the survey thought the laptop computer was of greater (34%) or equal (15%) value when compared to the cost of the lost data. In other words, despite all the costs that come with a data breach (such as: investigation and forensics, customer support and potential credit monitoring subscriptions, legal services, marketing and communications, customer and opportunity loss), half of all companies see their biggest risk as the price of a $1,500 replacement computer. Clearly we are still at a point in the data security cycle where the emphasis has to be on basic education and awareness.
While there are many organizations that understand the risks and that have progressive and effective data security programs underway, there are still far too many who simply don’t get it – or don’t want to get it. Perhaps they’ve incorrectly calculated that doing nothing will save them more over time than investing in training and preventative measures. That’s a poor gamble – one that can put the company and the financial well being of individuals at stake.

Posted by Mike Spinney at 9:55 am

Comments (3 comments)
(Data Security Reminders) - April 28, 2009 4:33pm Robert Bagwell
A certain company that I consult for put out a data security reminder last year, as follows:

Company Data Security Reminder 4/11/08

A friendly message from your I.T. team - Stolen laptops are a significant cause for data breaches in America today. According to the FBI, stolen laptops account for over 47 percent of breach attacks. A laptop that contains sensitive customer data could cost the company an average of $268,000 to inform their customers, even if the lost data is never used. What you think is not sensitive company or customer data might actually be sensitive. We have an obligation to keep our data secure and accurate. Even more surprising, a recent survey by McAfee found that an ordinary laptop holds content valued on average of $972,000, and that some could store as much as $8.8 million in commercially sensitive data and intellectual property.

It’s important to be mindful of the following top 10, but the most important security reminder of all is to mind your laptops! For those of us who travel, take precautions to keep your laptop safe. Don’t check your laptop. Change your laptop passwords often and don’t let others use your laptop. Common sense but worth reminding!

Top 10 - Information Security Management Checklist

1. Review your parking areas and other public places and nearby businesses looking for physical signs of Wi-Fi tapping.
2. Physically secure access to all routers, access points, servers, and workstations from unauthorized access or removal.
3. Screen lock (software lock, such as ctrl-alt-delete) workstations that are required to be “on the floor” in customer areas. Train your employees to always log off workstations when not in use.
4. Review workstations for written notes with logon ID and/or passwords, such as sticky notes on monitors or under keyboards.
5. Maintain a physical inventory of IT equipment and log to assure rogue devices are not added to the network. This will also help with the reporting of stolen assets as well.
6. Prevent hazards near sensitive IT equipment, such as removal of soda cans, ensure charged and properly rated fire extinguishers are nearby, and climate control is working properly.
7. Removal of sensitive and confidential documents left unattended at printers and workstations.
8. Identify, train, and familiarize yourself along with your employees on your company’s information security policy, incident response plan, and business continuity plan.
9. Secure removable media, such as CD-ROMs, DVDs, backup tapes, and floppy disks.
10. Audit use of systems, including not sharing IDs and passwords, logging off terminals when not in use, proper use of Internet by checking history in browser, among others.

This type of reminder helps raise awareness with employees.
June 9, 2009 11:04am Neil Spellman
I think the written word is only part of the solution of awareness, and I agree that we are still in the early stages of awareness. I also think that we should be considering some videos that focus on problems and solutions, and that these can be humorous and still be effective. As an example a traveler asking another to watch his laptop for a few minutes at the airport and then having the laptop disappear! As an analyst at a .edu I recognize that awareness programs have to have multiple formats to reach a majority of our communities, because we all learn differently.



Very, very well said. We are indeed still at a point where folks simply do not get it--raising awareness via the excellent Ponemon studies, and other means, remains crucial. This is brought home even more by your comments that even after the studies, the lapse is there--and the media coverage itself neglected it to boot. Even organizations that should know better still look like a deer caught in the headlights when it comes to even basic laptop security. Thanks for your work, Ponemon Institute--it is extremely helpful.

Regards,
Dan Yost
Chief Technology Officer, MyLaptopGPS
www.MyLaptopGPS.com