About fifteen years ago, my husband and his colleague had their laptop computers stolen out of a car. They were fearful of reporting the incident to their boss, largely because the laptops had cost the company about US$7,000 each. A $14,000 hit to the departmental budget was a serious blow. And back in those days, no one gave much thought to exposure of the data on the stolen devices.
My, how times have changed!
Today, companies don't sweat much over the loss of the hardware, which has dramatically come down in price. The real cost of a lost laptop is in the potential or actual exposure of the data on the PC, especially if it is customer records or intellectual property.
In April 2009, Ponemon Institute released an Intel-sponsored report entitled "The Cost of a Lost Laptop." Ponemon interviewed 29 organizations that had experienced 138 separates cases of a lost laptop that was used by an employee, temporary employee or contractor. The cases represented missing or stolen computers belonging to companies in a wide range of industry classifications.
In this study, the average value of a lost laptop is $49,246. This figure is derived from a calculation involving seven cost components, including: laptop replacement; detection and escalation; forensics and investigation; data breach reporting and mitigation; intellectual property loss; lost productivity; and other legal or regulatory costs.
The study reveals that the cost of a lost laptop varies greatly by industry. The top four industries with the highest average cost of a lost laptop are services, financial services, healthcare and pharmaceutical. The bottom four industries are manufacturing, consumer products, retail and communications.
Since the hardware costs don't vary much by industry, it's obvious that the data loss costs are the differential. In the cases covered by this study, the occurrence of a data breach accounted for 80 percent of the total cost. And while the average cost is just over $49,000, it's possible for actual costs to reach much higher if the loss involves a data breach of thousands of sensitive records.
One factor in the cost of a lost laptop is how fast the company discovers and reacts to the loss. The study reports that if a company becomes aware of the loss the same day it happens, the average cost is only $8,950. If it takes more than a week to discover the loss, the cost jumps to an average of $115,849.
There are many other interesting -- and some surprising -- bits of information in this study. (See the full report here.) If your organization is looking for good statistics and other information to help you justify an investment in stronger laptop security measures, do have a look at this report.
As I mentioned, Intel Corporation sponsored this study, although Ponemon Institute conducted the research independently. Of course, Intel has a big interest in protecting lost or stolen laptops. Certain laptops powered by the Intel Centrino 2 chipset have a core set of technologies known as the the vPro technologies. One such technology is the Intel Anti-Theft Technology -- PC Protection (Intel-AT), which uses a set of programmable and interdependent hardware-based triggers and responses to identify unauthorized attempts to access encrypted data or the operating system. Third-party software products, such as those described below, can send signals to the lost laptop to disable it from use by unauthorized people.
One product you can use in conjunction with Intel-AT is the Altiris Manageability Toolkit for Intel vPro Technology from Symantec. Another is Computrace from Absolute Software, which allows you to delete data on missing computers and produce an audit log of the deleted files to prove your compliance with government and corporate regulations.
Certain models of Lenovo ThinkPad laptops offer a technology called Constant Secure Remote Disable. This BIOS update allows for the remote shut down of a lost or stolen PC when an SMS message is sent via a designated cell phone. This solution also requires an embedded wireless WAN card in the PC as well as a mobile communications subscription to allow the PC to receive text messages. If the computer is lost or stolen, your text message will lock it down at the hardware level, turning it into a brick. Should the PC turn up again, you can unlock it without loss of data.
SystemTrack is a managed service offered by Dell. SystemTrack links with a missing PC the next time it connects to the Internet and enables IT administrators to perform data and device security activities, including deletion of sensitive data, system lockdown and emergency retrieval of key files. If you report a stolen device to Dell, Dell can forensically mine the PC over the Internet using a variety of procedures.
All the solutions I've just described take some forethought to prepare a PC before it's ever lost or stolen. What's more, these solutions often rely on multiple services or technologies to work just right. Still, as the old saying goes, an ounce of prevention is worth a pound of cure. Perhaps a little forethought on what to do about sensitive data on a lost or stolen laptop is better than the experience of a costly data breach.