Intel Says Businesses Must Do More To Protect Their Mobile PCs

Intel says most companies whose employees carry around laptops with significant amounts of confidential data have not put in place even the most basic security practices.

Intel on Thursday brought together a panel of technology security experts to discuss the findings of a recent survey it sponsored, entitled, "The Billion Dollar Lost Laptop Problem." Conducted by Ponemon Institute, the survey gathered data from 329 organizations that have lost a total of more than 86,000 laptops worth a combined $2.1 billion in the past year. Forty-six percent of these systems contained confidential data, but 70 percent lacked basic precautions including encryption, back-up and anti-theft technology.

"For a relatively small sample of companies, that's a huge loss," Kevin Beaver, information security consultant at Principle Logic, said during the panel. "But it doesn't surprise me. I see a lot of security issues that are managed very loosely."

The study found that data breach, lost intellectual property and reduced productivity were among the main consequences of lost laptops, and recommended broader application of security precautions, increased training and awareness programs for employees with company-issued laptops.

"Most of the cost is the data. When you add intellectual property and confidential information, the problem becomes the data breach rather than the device itself," Larry Ponemon, chairman and founder of Ponemon Institute, said at the event.

The scenarios in which laptops were either lost or stolen varied statistically, as did the riskiest locations. Even the workplace involves an unexpectedly high incidence of theft, according to Ponemon. However, Ponemon said lax management and lack of oversight accounted for up to 90 percent of the problem.

Beaver said management needs to take a more proactive role in addressing the issue. "Inaction is probably the biggest problem," Beaver said. "Management knows there's a problem, but they're not willing to take the initiative and put the resources into fixing the problem."

Midsize organizations -- those with between 10,000 and 25,000 employees -- incurred the most losses, between 7.5 and 8.25 percent, according to the study. "Midsize companies are stuck," Beaver said. "They're not established like larger companies, which have a better handle on security."

According to the study, 71 percent of laptops lost were not backed up, meaning that companies lost work in progress in addition to sensitive data.

Company executives are responsible for ensuring that the proper security measures are in place to protect data on employee laptops, but in some cases they don’t fulfill this obligation. "They don't want to know about the problem. It's the ostrich syndrome," Beaver said.

Next: Fiduciary Duty And Data Protection

Beaver also said executives who are aware of these risks have a fiduciary duty to prevent the loss of sensitive data -- which explains why they would rather not know about security issues that haven't been addressed. "They have an easy fix if they just use the proper controls on these laptops," he added.

Malcolm Harkins, CISO and general manager of enterprise capabilities, controls and compliance at Intel, said the biggest threat that companies face today is misperceiving risk. "Companies don't want to reveal their security issues, they don't want to reveal the findings of their investigations into how many laptops they lost," Harkins said. "A lot of security teams are not willing to free up the data and put it out there."

Ponemon said part of the problem was coming up with technology that doesn't require user interaction. "It's becoming more of a senior executive issue. But you also have to make it accessible to end-users, who aren't necessarily interested in security. You have to make it idiot-proof."

Anand Pashupathy, general manager of Intel Anti-Theft Services said Intel is developing technology to help reduce the financial impact of missing laptops. "Intel is propagating the word about technology building out of a broader security ecosystem, so that it may become an industry standard over time," Pashupathy said.

After the panel, Pashupathy told CRN that Intel would soon offer processors with the built-in ability to kill a device once it's reported as stolen over a network such as 3G. In case the user has switched off the system's wireless capability, Pashupathy says Intel will make it possible to disable the device locally.

"We want the data protection and the asset protection to become a standard feature," he said.

Despite immediate plans to increase awareness and develop these capabilities, Beaver said data and device protection would require a long-term effort. "This is going to probably take decades until we get to the point of enforcing these policies," he said. "You've got to get the user on your side too."