Lately, I have started to hear more noise around tracking lost mobile data devices. I know of a few very large deployments of Absolute Software's Computrace that have worked well integrated with Utimaco through Dell. zTrace provided a similar service to their customers but, for some reason, is not running in the US, Canada, UK, Germany, or Australia anymore (if anyone knows what the story is, let me know). I mention mobile tracking because there is an interesting article about how the U.S. Department of Energy's Counterintelligence Directorate is "missing 20 computers that may contain classified data."
Now, for any sufficiently large organization, losing 20 laptops is no big deal; just look at the average of forty a year that the FBI loses. Luckily, the FBI can confirm that only 10 contained sensitive data and that only another 51 may have contained secret data. Whew, that's a relief. Considering they lost 317 laptops from 2002 to 2004, it appears they have really gotten a handle on the whole security thing.
Well, truth be told, we're all human and these things happen. Of course, when you have 26,000 laptops, this only represents a loss rate of .15% per year.
So, if you expect the FBI to be one of the more secure organizations out there, then we would safely be able to extrapolate that .15% represents the baseline for laptop loss in organizations with a similar number of devices.
Now, nothing is going to stop people from losing their laptops, so organizations that really are concerned about where the devices go must look at their options. Personally, I say back up your data frequently and encrypt the whole hard drive. If you lose it, the company is out the cost of the hardware and the downtime that you are out, but there is no exposure and no nasty press releases.
Of course, I'm not saying that Computrace/zTrace is without merit. For a certain few organizations, the yearly expense of the service is a small price to pay for a 75% recovery rate and the ability to remotely perform a secure wipe on the hard drive. For the vast majority though, I think it is overkill.
There is one additional element that I would like to point out. Throughout the audit, the Consulate Directorate was confronted with devices that were supposed to be destroyed that were still in use, devices that were not where they were supposed to be, and devices that were not listed that were being used.
This harkens back to my article this morning about the dangers of not implementing or following well-defined, effective processes within large organizations. Ultimately, we cannot use the size of the organization as an excuse for our failings. The larger organizations have to live up to the responsibility that has been entrusted to them by their customers.
Michael Mongold