Computersight -

Introduction

All of us now dread the familiar ritual of the airport security line. Shoes off, belts off, jackets off, jewelry off, drinks thrown away, and of course, laptops out of their cases. We always see the unknowing: like the grandmother from Wichita Falls who hasn’t flown since the days of propellers and flight attendants offering real meals with actual silverware en route, or even the tremendously inconvenienced, say the gentleman in a wheelchair and the mother with three kids struggling to comply.

Image by cliff1066™ via Flickr

Still, Americans and others who travel routinely comply with various airport security drills knowing that it is now just part of life in a post 9/11 world. Airports are even trying to make the process faster, by adding more lanes, and dare we say, a bit fun, as anyone who has seen the video instructions at Las Vegas McCarran International Airport can attest – for those who haven’t seen it, it features noted entertainers from the Las Vegas Strip, such as the Blue Man Group and Cirque du Soleil acrobats, trying to comply with Transportation Security Administration (TSA) guidelines.

Image via Wikipedia

Still, there is that moment of fear when placing your laptop – laden with your work, your iTunes library, your copy of ‘The Matrix’, and in most cases, valuable corporate data and client info – on the screening belt. What if you get distracted by other passengers and their travails? What if you get selected for the special, more intense screening? What if your carry-on has to be hand-inspected for having too big a bottle of shampoo? What if you shouldn’t have had that last overpriced beer in the airport bar? The ultimate “what if” question that lingers in the mind of every business traveler is ultimately, what if I lose my laptop?

The Ponemon Institute, an independent information technology research organization, recently released an astonishing report detailing the extent of the problem of lost laptops in the airport environment. It answers the “what if” question with data suggesting that the problem of lost – and most commonly, stolen – laptops is reaching epidemic proportions at U.S. airports. They found that, on average, at the nation’s 106 largest commercial airports, over 12,000 laptops are lost or stolen each week – a staggering 600,000 laptops annually. While some have criticized the institute’s study for extrapolating figures to overestimate the size of the laptop security issue, the findings have found support from a variety of computer security and airport industry experts.

Charles Chambers, Senior Vice President of Security for the Airports Council International North America, believes the loss of 12,000 laptops per week to be very plausible, considering that there are 3.5 million business travelers flying each week.

Image via Wikipedia

As can be seen in Table 1, there is no direct correlation between the size of the airport and the rate of laptop losses. In fact, while Atlanta’s airport is the busiest in the nation – and indeed the entire world – it is tied for eighth overall in the rate of laptop disappearances. In fact, the rate of laptop losses in Atlanta is equal to that of Ronald Reagan Washington National Airport, the 29th busiest in the nation, an airport that handles less than a quarter of the passengers traveling through Hartsfield-Jackson Atlanta International.

Table 1: The Top Ten U.S. Airports for Laptop Loss

Source Data: The Ponemon Institute, July 2008.

40% of all airport laptop losses take place at the security checkpoint. This is hardly surprising, as by design this is where a traveler must be separated from his or her laptop. The TSA has announced that it is working with laptop bag manufacturers to create designs that would allow for full scanning without the owner needing to remove the laptop from its case at security checkpoints. It is expected that we will soon see the introduction of “checkpoint-friendly” laptop cases on the market. This could indeed work to greatly lessen the problem of laptops being lost, stolen, or just forgotten at airport security lines. Still, until such approved laptop cases become commonplace, for the vast majority of all air travelers the airport security line may be the place where one’s corporate laptop – and thus the valuable corporate data contained inside – is most vulnerable.

Perhaps the most astonishing statistics in the Ponemon Institute’s study concern what happens after the traveler discovers that his or her laptop has gone missing. Quite worrying for corporate IT managers is the fact that in over two-thirds of all loss cases – 69% of the time – the laptop is not reunited with its owner. What was even more surprising perhaps was the fact that among the business travelers surveyed by the Ponemon Institute for their report, when asked what they would do upon the discovery of a missing laptop, 16% responded that they would do nothing, and over half would contact their company for help or instructions before seeking to find the laptop themselves.

The High Cost of Laptop Losses

Of course, unfortunately, laptops are lost or stolen not just in airports, but everywhere and anywhere. In fact, in the U.S., it has been estimated that upwards of a million laptops are stolen annually, with an estimated hardware loss alone totaling over a billion dollars. And it is not just companies that are affected. Indeed, across federal agencies, leading universities, and all facets of health care and education, there is increasing focus on laptop theft, as surveys of IT executives across organizations of all types show such occurrences happening on a routine basis – often with dire consequences potentially impacting thousands of employees, customers, patients, and students.

Until recently, a common misconception was that the impact of a lost or stolen laptop was merely the cost of replacing the hardware, a replacement cost that could be assumed to continue to decline over time. However, in 2000, the respected Rand Corporation released a study that pegged the actual replacement cost of a lost laptop at an average of over $6,000. The Rand researchers included not just the replacement cost for a new unit plus any payments owed on the missing item, but the data and software lost on the laptop, as well as the added costs to the organization in terms of procuring and setting-up the replacement computer. When including potential loss of corporate data and legal liability, the dollar loss can be quite high. There are wide variances in the estimates of the financial losses stemming from laptop theft, with losses ranging from simple replacement costs of a few thousand dollars to estimates ranging into the millions. Beyond replacement costs, there may be far greater – and more costly impacts – from loss of customer information and records to loss of confidential business information and intellectual property, such as marketing plans, software code and product renderings.

In 2004, a joint study issued by the Computer Security Institute and the Federal Bureau of Investigation (FBI) estimated the cost per incident to be approximately $48,000. iBahn, a leading provider of secure broadband services to hotels and conference centers, found that the average business traveler has over $330,000 worth of personal information on their laptop. Last year, in a white paper entitled, ‘Datagate: The Next Inevitable Corporate Disaster?’, McAfee and Datamonitor pegged the value of a lost notebook computer, in terms of confidential consumer information and company data, at almost $9 million.

In fact, a recent study has projected that when confidential personal information is lost or stolen, the average cost to a company is actually $197 per record. Overall, the National Hi-Tech Crime Unit has pegged stolen laptops as having a greater impact on organizations than any other computer threat, including viruses and hackers. Finally, in today’s 24/7 media environment, there is also a “hit” on the company’s name brand and image from the negative public relations garnered from such cases, which can translate into declining consumer trust in doing business with the firm and actual negative impact on sales and revenue at least in the short-term, and in some extreme cases, also in the long-term. The FBI itself is not immune from the problem, for it has been estimated that the agency loses 3 to 4 laptops each month.

RFID Solutions for Laptop Security

There is a wide array of data protection measures available today for laptops, from data backups to password protection to encryption and even biometrics. There are also software-based products, which can be built into the BIOS of the machine at the factory. However, RFID-based solutions are just now beginning to enter the marketplace.

In the United States, corporate and governmental interest in acquiring RFID-based laptop security systems is accelerating. In the private sector, clients range from Fortune 500 companies to even smaller businesses. Across higher education, colleges and universities are seeking to replace their laborious paper and bar code based systems for inventorying laptops and other IT assets with RFID installations. In the federal government, a number of cabinet-level agencies have begun looking at RFID solutions. Carrollton, Texas-based Axcess International is working with three federal agencies on RFID tracking of their laptop assets within their facilities using the company’s ActiveTag solution.

Profitable Inventory Control Systems (PICS), based in Bogart, Georgia, has begun installing their AssetTrakker system at the headquarters of the U.S. Army National Guard in Washington, DC. The National Guard has approximately ten thousand electronic assets – with up to 8 per employee – and each will be tagged as part of the PICS installation. The move will begin with the use of hand-held readers for inventory purposes and expand to include readers at building doorways and the parking garage to track movements and send alerts for unauthorized movements.

There are other new entrants in the emerging RFID laptop protection market. Cognizant Technology Solutions RFID Center of Excellence recently reported that it has developed and implemented an RFID-based laptop tracking system for internal use across its 45,000 plus employees, who use more than 10,000 laptops across its worldwide locations. This roll-out could serve as the basis for a commercially-available solution in the future.

Saratoga, California-based AssetPulse recently introduced its own AssetGather solution for tracking laptops and other electronic equipment with RFID. The system is designed to work with any type or brand of tags (passive, semi-passive or active) and various forms of readers. The system’s software is web-based, and it can provide dashboard controls and real-time visibility on a client’s IT assets across multiple locations, including map, graph and list views, based on user preferences. It can also provide IT managers with reporting and audit controls and users with programmed alerts on specific suspect laptop movements, such as perimeter alerts, when an asset goes outside a permitted zone, delinquency alert, when it is not seen back within a configured time and serial number alert when a specific asset is seen.

Interest in laptop security is quickly becoming a global marketplace. In India, Orizin Technologies has recently introduced a system for laptop tracking that uses active RFID tags to track laptops and other IT assets in an organization’s premises with a range of up to 20 meters.

Finally, perhaps the “coolest” RFID solution to date comes from the United Kingdom. Sheffield-based Virtuity has introduced a data protection solution under the brand name BackStopp. In short, the solution uses RFID tags to ensure that laptops are securely maintained within the allowable range of a client’s facilities. So, as long as the laptop is within range, it operates normally. However, if it is removed on an unauthorized basis from the permitted range, the BackStopp server attempts to locate the laptop, using both the Internet and the laptop’s internal GSM card. Protection goes beyond that, as the system immediately blocks any unauthorized user from accessing the computer and sends out a “self-destruct” message to the laptop to securely and permanently delete the data on the hard drive of the computer. BackStopp also has what Virtuity terms a “culprit identification capability” in that the built-in web-cam capabilities found in many laptops today are prompted to take and transmit digital images that might very well capture the laptop thief. 

Analysis

Much of IT security is based on knowing that a threat is foreseeable, and unfortunately, corporate expenditures against known and continuing threats, from spy-ware, computer virus, hackers, denial of service attacks, and other cyber threats, are just a cost of doing business in the ‘Internet Age’. Today, laptop theft is a similar foreseeable, ongoing threat. Experts have pegged the probability of a given laptop being lost or stolen at between 1 and 4%. Using the FBI’s $48,000 laptop loss estimate, and assuming just a 1% loss probability, the expected loss per laptop, per year is $480. If one uses higher probabilities in the range – between 3 and 4% – the expected loss would easily equal or exceed the actual hardware replacement costs of 95% of all laptops on the market. Thus, even with significant investments for hardware and software to implement an RFID-based security, when considering the potential demonstrated costs of the loss of even a single laptop, the ROI equation for RFID protection is clearly demonstrable. And, as we have seen in cases involving companies like IBM and Pfizer and governmental agencies ranging from the U.S. military to leading universities, the larger the organization, the larger the potential vulnerability. Indeed, a 2006 theft of a single laptop from a Department of Veterans Affairs employee exposed personal information on 2.5 million active and retired military personnel.

Finally, the funny thing about statistics is that the chance of a laptop loss occurring for any one company or any one individual goes up over time. So, to guard against this foreseeable threat is not just being proactive, it may even be a necessity in today’s legal environment. Courts are increasingly looking at steps that a company has taken to better secure its data in case of a security breach as a mitigating factor in cases stemming from such data loss. Further, legal analysts believe that the much-discussed Sarbanes-Oxley Act may indeed impose new legal requirements on corporate IT departments to safeguard its mobile devices as part of its fiduciary duty to maintain a system of adequate internal controls.

Today’s concerns over laptop security may indeed be just the tip of a data-security iceberg, especially when one considers the panoply of mobile devices used in business today: cell phones, PDAs, Blackberries, etc… What’s more, the shape of all such electronic devices continues to shrink across the board. While fixed computers still outsell laptops (with just over 150 million desktops sold in 2007), laptop sales are themselves surging, with approximately 110 million units shipped worldwide last year. In fact, global laptop shipments grew by 33% between 2006 and 2007, while PC shipments grew just 4% year on year during the same time period. So, there will be no abating the challenge – and market prospects – for laptop security.

The challenge now is to move beyond the closed-loop, four wall-delimited solutions being introduced and marketed today to more open system solutions that would enable tracking and location of laptops on a global basis. Let’s face it, we have systems on the market today for tracking down golf balls in the woods, but if you lose your laptop in an airport, hotel or restaurant you have no way to remotely locate it simply because it is a location outside of any closed-loop of protection. The company that can find a way to create such location systems, available “on demand” in high traffic areas such as airports, will find significant interest worldwide. With scary statistics such as those conveyed in this report, the marketing should be an easy sell – namely to take away the “holy crap” fears of traveling executives and their IT managers.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

David C. Wyld (dwyld@selu.edu) is the Robert Maurin Professor of Management at Southeastern Louisiana University in Hammond, Louisiana. He is a management consultant, researcher/writer, and executive educator.