On December 14, 2002, burglars stole computer equipment from the TriWest Healthcare Alliance office in Phoenix, Arizona.
The result was a short, sharp lesson on the dangers of computer theft and a nightmare for TriWest and hundreds of thousands of American servicemen and women.
The value of the equipment wasn't all that great, and the company had backups, but the computers' hard drives contained personal data on about 500,000 military personnel and their dependents, raising the specter of identity theft on an unprecedented scale.
Computer theft, especially of desktop and notebook systems, is increasingly common. Computers are fairly compact and valuable, and they can be disposed of readily at pawn shops, flea markets and other venues. For most of the victimized companies, the problem isn't so much the physical loss, which is usually covered by insurance, as the disruption and security issues that arise because data has been stolen along with the computers.
The first step is to limit the amount and kind of data kept on the desktop and notebook systems. Wherever possible, critical files should be stored on servers, which are (presumably) better protected than the computers on employees' desks.
Of course, you need adequate backups that can be quickly and completely restored to replacement systems. Make sure you understand the procedures for doing a complete restore over your network to a new computer, and make sure you have the appropriate licenses to install the requisite software on new computers on short notice.
Encryption won't keep your computers safe, but it will make it harder for anyone to use the information on stolen computers. Many versions of Windows and some applications come with built-in encryption options, and programs such as PGP and Encryption Plus from PCGuardian are also available. Files with any level of sensitivity at all should be encrypted, and progressively stronger encryption should be used for more sensitive information. "Sensitive" in this case doesn't just mean sensitive to your business. Customer information that could be used in identity theft, such as credit card and Social Security numbers, should be heavily secured.
Make sure your records are up to date and you know which computers, hard drives, etc. are where. That includes having a complete record of the serial numbers, not only of the computer, but of the hard drives as well.
Mark your equipment plainly with metal tags or other methods that are not easy to remove. In addition, you may want to use software like Mares and Co.'s "Brandit" to put an internal fingerprint on hard disks so they can be identified.
Computers can be secured physically with a variety of locks and enclosure devices that range from the unobtrusive and fairly easy to defeat (useful to keep someone from walking off with a computer in a temporarily deserted office) to more obtrusive and more secure (which will complicate life for service techs).
Finally, there is old-fashioned premises security, including proper locks on doors and windows, key control, alarm systems and other standard security devices.
As with any other kind of physical security, there is no absolute method of preventing thieves from stealing computers, but you can make it harder for them. And with the use of proper encryption and related technologies, you can be reasonably sure no one this side of a government is going to be able to read the data on the hard disks.
Rick Cook has been writing about mass storage since the days when the term meant an 80K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last twenty years he has been a freelance writer specializing in storage and other computer issues.