Threat of information theft grows for employees who work remotely
Posted On: May 20, 2007 12:00 AM CST
In as little as two pounds of convenient, compact and portable plastic and wiring lie chunks of private data, confidential corporate documents and personal information.
It's all too easy for information thieves seeking to exploit personal data, experts say, and companies are looking for ways to protect sensitive data on such easy-to-snatch devices.
"The ballistic things right now are laptops," said Emily Q. Freeman, London-based executive director for Lockton Cos. Inc.'s technology risks professions division. "There are burglaries in the office, people lose their laptops, have them stolen out of their cars or in airports."
In 2006, more than a dozen companies and other organizations--Sovereign Bank, General Electric Co. and the Internal Revenue Service, to name a few--reportedly had laptop computers stolen, compromising private information such as social security and credit card numbers of thousands of clients or employees.
Threats to other devices--BlackBerries, personal digital assistants and even mobile phones--also are gaining momentum.
"Sometimes the technology advances at a faster rate than the security of these devices," Ms. Freeman said.
The risks extend beyond the lost or stolen device.
Increasingly, savvy Internet hackers are making it a risky venture to work remotely, as they access public wireless networks that are becoming more available at locations ranging from airports to coffee shops. Information, unbeknownst to the worker typing away, can be tapped by thieves setting up phony wireless networks to track and steal data.
"We have all these road warriors and they are whipping out their laptops and PDAs for work and they really don't think there might be any risk associated with working in a public place," said Peter Davis, principal at Peter Davis & Associates, a Toronto-based information security consultant.
"You see people in Starbucks and they don't know if they are really on the Starbucks network," Mr. Davis said. "Sometimes people don't even know it's happening to them."
"Using the right tools that are free on the Internet, anyone gaining access to a laptop can crack practically any logon password within a matter of minutes and have a free-for-all," said Kevin Beaver, an information security consultant with Atlanta-based information security firm Principle Logic L.L.C. "You wouldn't believe the amount of information that can be gleaned off a laptop...to be used for ill-gotten gains."
Sometimes, however, a company may not even discover a data breach if it occurred over a bogus wireless network or if an employee fails to report an incident.
The threats, along with breach notification laws enacted in 26 U.S. states, are forcing companies to pay attention.
"We think companies are acting more strategically than tactically," said John Dasher, director of product management for PGP Corp., a Palo Alto, Calif.-based company that provides information and technology security for companies. "(Breach notification laws) have really driven the industry."
Previously, Mr. Dasher said, companies focused on IT risk management usually after a breach. "Now we are getting more phone calls before an incident happens," he said.
There are several practices now being deployed, including an overhaul of login procedures.
Lockton's Ms. Freeman said simple passwords are no longer an adequate line of defense. Procedures such as thumb-print verification and two-level sign-ons are becoming popular.
In addition, Mr. Dasher said, some companies are being urged by security consultants to use "pass phrases" instead of passwords. "Passwords are poor security," he said. "So we say instead of using 'fox' as a password, use, 'The fox jumped over the fence.'"
Products already exist in the market that automatically shut down a device if the user is not authenticated, he added.
Experts say encryption, a more technologically advanced tactic, is one of the best ways to mitigate the risk of a data breach when a laptop or other device is stolen.
Encryption scrambles valuable data into indecipherable code when it is in transit or stored. If a laptop with encryption software is stolen, the thief will be unable to understand the information, thus lessening the risk.
Encryption, however, may not help if a person is working on a device while logged on to a public wireless fidelity, or WiFi, network, experts say.
To protect information in these instances, a virtual private network is one solution. Companies with employees working remotely can set up a VPN--a private, password-protected network--that blocks hackers.
Such networks can work for most portable devices including laptops, BlackBerries and PDAs, Mr. Davis said.
With all the security measures currently available and evolving, could data theft via portable devices soon be a crime of the past?
Not likely, experts say.
"There's a lot of security issues that people just haven't addressed," said Michael Flanagan, Chicago-based managing director for Gallagher CyberRisk, a division of Arthur J. Gallagher RMS Inc.
Many companies are forgoing such practices as encryption because it can slow performance on devices such as laptops, making it more time-consuming for work to be completed.
"There are IT people out there that will fight to the end, saying they'd rather set up employee manuals that say, 'You're fired if you lose your laptop' than slow things down," Mr. Flanagan said.
According to a 2006 study by Forrester Research, a Cambridge, Mass.-based technology research firm, nearly 40% of companies surveyed said they had no immediate plans to use encryption tools on laptops.
Most companies rely too much on logon procedures as a front-line defense, Mr. Flanagan added. Without encryption, a hard drive from a password-protected laptop can be removed and placed in another computer, providing access to data, he and others said.
Sean McDermott, a New York-based manager of computer forensics with Aon Consulting, said cost has much to do with companies' slow adoption of encryption. It can cost up to $250 to install encryption on any one device, and the cost can add up quickly for corporations with armies of employees who conduct business on the road.
"Cost is the problem with the C-level executives who say their IT budgets are already high," Mr. McDermott said. "They ask, 'OK, do we really need this?'"
Principle Logic's Mr. Beaver said another top issue regarding information security is the "lack of management taking the problem seriously.
"The bottom line is that companies, nonprofits and government entities all have to meet various government and industry regulations to protect sensitive information," Mr. Beaver said. "Any time systems are there to be taken advantage of, they will be eventually."