It happens so often that it rarely makes the headlines.
But when it happens to a huge financial institution such as Fidelity Investments, which admitted last week that a laptop computer containing sensitive personal information on about 196,000 clients was stolen, people stop and take notice.
And CIOs (and CISOs) everywhere start wondering, 'Is anyone reading the laptop security policy?'
Unattended laptops are easy to steal. But because mobile access is critical to conducting business, CIOs need to find a way to mitigate risk while still allowing a company's workers to do business.
Eric Maiwald, senior analyst at Midvale, Utah-based Burton Group, said the only way to completely eliminate the risk of data being stolen from a laptop is to lock that data down and forbid it from ever leaving the company. However, for business to occur, data must be accessible, he said. Employees often need mobile access to data to make a sale.
"You've made a risk management decision," Maiwald said. "You can't be 100% secure. There is no way to do that and still conduct business."
Maiwald said there are several steps a CIO can take to mitigate the risk of allowing mobile access to data.
Probably the most important step is have authentication and encryption technology on mobile computers. But that alone is not going to protect data on a stolen laptop. In reality, encryption will only slow the sophisticated thief from accessing data on a stolen laptop.
"Encryption delays an attacker's ability to get to the information," Maiwald said. "Eventually they can brute-force it. Computers get faster and algorithms get better. But if I'm going to attack, I'm not going to attack the algorithm; I'm going to look for a weak link."
While it's likely that the culprit who stole Fidelity's laptop wasn't out to get sensitive data, it doesn't make the deed any less frustrating to CIOs.
It may seem obvious, but the best way to protect the data on a laptop is to prevent it from being stolen in the first place.
Companies must have good policies about protecting data and using laptops. More importantly, they must enforce that policy.
"I see a lot of organizations have a policy that says 'don't do this,' and then people do it anyway because there is no enforcement," Maiwald said.
Stuart McIrvine, director of global security strategy at IBM, said his company regularly makes automated checks to see if employees are in compliance with security policies. An automated system will verify that an employee's computer has updated antivirus software and an active firewall. It also checks that all sensitive information is encrypted. If these conditions aren't met, the employee's supervisor is automatically notified.
A company must emphasize the importance of security policy with its employees, Maiwald said. "Security awareness is often one of the last things that's done. It is something that can get you a pretty big bang for the buck, as far as better security polices in an organization. Because when employees completely mess up, it costs millions and millions of dollars."
As it turns out, the data stolen from Fidelity could be safe. According to Crowley, police believe the theft of the laptop was a property crime. The thief probably has no idea what sort of information he has on the computer, which is why Fidelity has been so careful to give out as few details about the circumstances of the crime as possible.
Anne Crowley, senior vice president of media relations and public affairs at Fidelity, would not offer details of last week's theft. She would say only that a group of Fidelity employees took the laptop to a business meeting outside of Fidelity and Hewlett-Packard Co. offices. At some point after that meeting the computer was stolen.
Crowley would not comment on Fidelity's policies regarding the storage of sensitive data on mobile devices. However, she did say, "It is not our practice to have that level of data on a laptop. We limit significantly the use of such confidential data outside of Fidelity."
Crowley described the data on the stolen computer as "scrambled" and said the license for the software used to read the data on the laptop has expired, making it extremely unlikely anyone could use the information.
This article originally appeared on SearchCIO.com
Dig Deeper on Information Security Policies, Procedures and Guidelines