40-45 wyld laptop

Global Identification - September 2008, www.global-identification.com

IT SECURITY

The true cost of a laptop

by Prof. David C. Wyld, Southeastern Louisiana University

Today’s business laptops are much more than just tools; they are important IT assets containing valuable corporate information. However, an increasing number go missing each year, something which RFID can help remedy.

All of us now dread the familiar ritual of the airport security line. Shoes off, belts off, jackets off, jewelry off, drinks thrown away, and of course, laptops out of their cases. We always see the unknowing: like the grandmother from Poughkeepsie who hasn’t flown since the days of propellers and flight attendants offering real meals with actual silverware en route, or even the tremendously inconvenienced, say the gentleman in a wheelchair and the mother with three kids struggling to comply.

Still, Americans and others who travel routinely comply with various airport security drills knowing that it is now just part of life in a post 9/11 world. Airports are even trying to make the process faster, by adding more lanes, and dare we say, a bit fun, as anyone who has seen the video instructions at Las Vegas’ McCarran International Airport can attest ‒ for those who haven’t seen it, it features noted entertainers from the Las Vegas Strip, such as the Blue Man Group and Cirque du Soleil acrobats, trying to comply with Transportation Security Administration (TSA) guidelines.


Still, there is that moment of fear when placing your laptop ‒ laden with your work, your iTunes library, your copy of ‘The Matrix’, and in most cases, valuable corporate data and client info ‒ on the screening belt. What if you get distracted by other passengers and their travails? What if you get selected for the special, more intense screening? What if your carry-on has to be hand-inspected for having too big a bottle of shampoo? What if you shouldn’t have had that last overpriced beer in the airport bar? The ultimate “what if” question that lingers in the mind of every business traveler is ultimately, what if I lose my laptop?

In late June, the Ponemon Institute, an independent information technology research organization, released an astonishing report detailing the extent of the problem of lost laptops in the airport environment. It answers the “what if” question with data suggesting that the problem of lost ‒ and most commonly, stolen ‒ laptops is reaching epidemic proportions at U.S. airports. They found that, on average, at the nation’s 106 largest commercial airports, over 12,000 laptops are lost or stolen each week ‒ a staggering 600,000 laptops annually. While some have criticized the institute’s study for extrapolating figures to overestimate the size of the laptop security issue, the findings have found support from a variety of computer security and airport industry experts.

Charles Chambers, Senior Vice President of Security for the Airports Council International North America, believes the loss of 12,000 laptops per week to be very plausible, considering that there are 3.5 million business travelers flying each week.

As can be seen in Table 1, there is no direct correlation between the size of the airport and the rate of laptop losses. In fact, while Atlanta’s airport is the busiest in the nation ‒ and indeed the entire world ‒ it is tied for eighth overall in the rate of laptop disappearances. In fact, the rate of laptop losses in Atlanta is equal to that of Ronald Reagan Washington National Airport, the 29th busiest in the nation, an airport that handles less than a quarter of the passengers traveling through Hartsfield-Jackson Atlanta International.

Looking at the diagram for laptop losses by location, we can see that 40% of all airport laptop losses take place at the security checkpoint. Hardly surprising, as by design this is where a traveler must be separated from his or her laptop. Earlier this spring, the TSA announced that it was working with laptop bag manufacturers to create designs that would allow for full scanning without the owner needing to remove the laptop from its case at security checkpoints. It is expected that in early fall, we will see the introduction of “checkpoint-friendly” laptop cases on the market. This could indeed work to greatly lessen the problem of laptops being lost, stolen, or just forgotten at airport security lines. Still, until such approved laptop cases become commonplace, for the vast majority of all air travelers the airport security line may be the place where one’s corporate laptop ‒ and thus the valuable corporate data contained inside ‒ is most vulnerable.

Perhaps the most astonishing statistics in the Ponemon Institute’s study concern what happens after the traveler discovers that his or her laptop has gone missing.

Quite worrying for corporate IT managers is the fact that in over two-thirds of all loss cases ‒ 69% of the time ‒ the laptop is not reunited with its owner. What was even more surprising perhaps was the fact that among the business travelers surveyed by the Ponemon Institute for their report, when asked what they would do upon the discovery of a missing laptop, 16% responded that they would do nothing, and over half would contact their company for help or instructions before seeking to find the laptop themselves.

Figure: Laptop Losses by Location in Airports. Source Data: The Ponemon Institute, Airport Insecurity: The Case of Lost Laptops, June 30, 2008, p. 7.

“Do nothing?”

Commenting on the Ponemon Institute finding that 16% of surveyed business travelers would do nothing if they discovered their laptop was missing, Victor Godinez of the Dallas Morning News remarked: “A question for those who said they would do nothing, and remember, this was a survey of business travelers who presumably rely on their laptops to, you know, stay gainfully employed. What do you do when you show up to the big meeting sans laptop? Pretend to type on an invisible computer? Act like you’re suffering from amnesia? Seriously, who does ‘nothing’ when they discover their laptop is missing? I know laptops are getting cheap, but this seems like a stunning lack of concern for the whereabouts of a machine worth several hundred dollars at least, and presumably storing important documents, valuable photos and so forth.”

The high cost of laptop losses

Of course, unfortunately, laptops are lost or stolen not just in airports, but everywhere and anywhere. In fact, in the U.S., it has been estimated that upwards of a million laptops are stolen annually, with an estimated hardware loss alone totaling over a billion dollars. And it is not just companies that are affected. Indeed, across federal agencies, leading universities, and all facets of healthcare and education, there is increasing focus on laptop theft, as surveys of IT executives across organizations of all types show such occurrences happening on a routine basis ‒ often with dire consequences potentially impacting thousands of employees, customers, patients, and students.

Until recently, a common misconception was that the impact of a lost or stolen laptop was merely the cost of replacing the hardware, a replacement cost that could be assumed to continue to decline over time. However, in 2000, the respected Rand Corporation released a study that pegged the actual replacement cost of a lost laptop at an average of over $6,000. The Rand researchers included not just the replacement cost for a new unit plus any payments owed on the missing item, but the data and software lost on the laptop, as well as the added costs to the organization in terms of procuring and setting-up the replacement computer. When including potential loss of corporate data and legal liability, the dollar loss can be quite high. There are wide variances in the estimates of the financial losses stemming from laptop theft, with losses ranging from simple replacement costs of a few thousand dollars to estimates ranging into the millions. Beyond replacement costs, there may be far greater ‒ and more costly impacts ‒ from loss of customer information and records to loss of confidential business information and intellectual property, such as marketing plans, software code and product renderings.

In 2004, a joint study issued by the Computer Security Institute and the Federal Bureau of Investigation (FBI) estimated the cost per incident to be approximately $48,000. iBahn, a leading provider of secure broadband services to hotels and conference centers, found that the average business traveler has over $330,000 worth of personal information on their laptop. Last year, in a white paper entitled, ‘Datagate: The Next Inevitable Corporate Disaster?’, McAfee and Datamonitor pegged the value of a lost notebook computer, in terms of confidential consumer information and company data, at almost $9 million.

In fact, a recent study has projected that when confidential personal information is lost or stolen, the average cost to a company is actually $197 per record. Overall, the National Hi-Tech Crime Unit has pegged stolen laptops as having a greater impact on organizations than any other computer threat, including viruses and hackers. Finally, in today’s 24/7 media environment, there is also a “hit” on the company’s name brand and image from the negative public relations garnered from such cases, which can translate into declining consumer trust in doing business with the firm and actual negative impact on sales and revenue at least in the short-term, and in some extreme cases, also in the long-term. The FBI itself is not immune from the problem, for it has been estimated that the agency loses 3 to 4 laptops each month.

RFID solutions for laptop security

There is a wide array of data protection measures available today for laptops, from data backups to password protection to encryption and even biometrics. There are also software-based products, which can be built into the BIOS of the machine at the factory. However, RFID-based solutions are just now beginning to enter the marketplace.

In the United States, corporate and governmental interest in acquiring RFID-based laptop security systems is accelerating. In the private sector, clients range from Fortune 500 companies to even smaller businesses. Across higher education, colleges and universities are seeking to replace their laborious paper and barcode based systems for inventorying laptops and other IT assets with RFID installations. In the federal government, a number of cabinet-level agencies have begun looking at RFID solutions. Carrollton, Texas-based Axcess International is working with three federal agencies on RFID tracking of their laptop assets within their facilities using the company’s ActiveTag solution.

This spring, Profitable Inventory Control Systems (PICS), based in Bogart, Georgia, began installing their AssetTrakker system at the headquarters of the U.S. Army National Guard in Washington, DC. The National Guard has approximately ten thousand electronic assets ‒ with up to 8 per employee ‒ and each will be tagged as part of the PICS installation. The move will begin with the use of hand-held readers for inventory purposes and expand to include readers at building doorways and the parking garage to track movements and send alerts for unauthorized movements.

There are other new entrants in the emerging RFID laptop protection market. Cognizant Technology Solutions’ RFID Center of Excellence recently reported that it has developed and implemented an RFID-based laptop tracking system for internal use across its 45,000 plus employees, who use more than 10,000 laptops across its worldwide locations. This rollout could serve as the basis for a commercially-available solution in the future.

Saratoga, California-based AssetPulse recently introduced its own AssetGather solution for tracking laptops and other electronic equipment with RFID. The system is designed to work with any type or brand of tags (passive, semi-passive or active) and various forms of readers.

The system’s software is web-based, and it can provide dashboard controls and real-time visibility on a client’s IT assets across multiple locations, including map, graph and list views, based on user preferences. It can also provide IT managers with reporting and audit controls and users with programmed alerts on specific suspect laptop movements, such as perimeter alerts, when an asset goes outside a permitted zone, delinquency alert, when it is not seen back within a configured time and serial number alert when a specific asset is seen.

Colleges and universities are seeking to introduce RFID IT asset monitoring and tracking


Interest in laptop security is quickly becoming a global marketplace. In India, Orizin Technologies has recently introduced a system for laptop tracking that uses active RFID tags to track laptops and other IT assets in an organization’s premises with a range of up to 20 meters.

Finally, perhaps the “coolest” RFID solution to date comes from the United Kingdom. Sheffield-based Virtuity has introduced a data protection solution under the brand name BackStopp. In short, the solution uses RFID tags to ensure that laptops are securely maintained within the allowable range of a client’s facilities. So, as long as the laptop is within range, it operates normally. However, if it is removed on an unauthorized basis from the permitted range, the BackStopp server attempts to locate the laptop, using both the internet and the laptop’s internal GSM card. Protection goes beyond that, as the system immediately blocks any unauthorized user from accessing the computer and sends out a “self-destruct” message to the laptop to securely and permanently delete the data on the hard drive of the computer. BackStopp also has what Virtuity terms a “culprit identification capability” in that the built-in webcam capabilities found in many laptops today are prompted to take and transmit digital images that might very well capture the laptop thief.

IT departments on the line

Much of IT security is based on knowing that a threat is foreseeable, and unfortunately, corporate expenditures against known and continuing threats, from spyware, computer viruses, hackers, denial of service attacks, and other cyber threats, are just a cost of doing business in the ‘Internet Age’. Today, laptop theft is a similar foreseeable, ongoing threat. Experts have pegged the probability of a given laptop being lost or stolen at between 1 and 4%. Using the FBI’s $48,000 laptop loss estimate, and assuming just a 1% loss probability, the expected loss per laptop, per year is $480. If one uses higher probabilities in the range ‒ between 3 and 4% ‒ the expected loss would easily equal or exceed the actual hardware replacement costs of 95% of all laptops on the market. Thus, even with significant investments for hardware and software to implement RFID-based security, when considering the potential demonstrated costs of the loss of even a single laptop, the ROI equation for RFID protection is clearly demonstrable. And, as we have seen in cases involving companies like IBM and Pfizer and governmental agencies ranging from the U.S. military to leading universities, the larger the organization, the larger the potential vulnerability. Indeed, a 2006 theft of a single laptop from a Department of Veterans Affairs employee exposed personal information on 2.5 million active and retired military personnel.

An increasing number of U.S. business travelers each year lose valuable corporate information in their laptops while transiting through airports

Finally, the funny thing about statistics is that the chance of a laptop loss occurring for any one company or any one individual goes up over time. So, to guard against this foreseeable threat is not just being proactive, it may even be a necessity in today’s legal environment. Courts are increasingly looking at steps that a company has taken to better secure its data in case of a security breach as a mitigating factor in cases stemming from such data loss. Further, legal analysts believe that the much-discussed Sarbanes-Oxley Act may indeed impose new legal requirements on corporate IT departments to safeguard its mobile devices as part of its fiduciary duty to maintain a system of adequate internal controls.

Today’s concerns over laptop security may indeed be just the tip of a data-security iceberg, especially when one considers the panoply of mobile devices used in business today: cell phones, PDAs, Blackberries, etc. What’s more, the shape of all such electronic devices continues to shrink across the board. While fixed computers still outsell laptops (with just over 150 million desktops sold in 2007), laptop sales are themselves surging, with approximately 110 million units shipped worldwide last year. In fact, global laptop shipments grew by 33% between 2006 and 2007, while PC shipments grew just 4% year on year during the same time period. So, there will be no abating the challenge ‒ and market prospects ‒ for laptop security.

The challenge now is to move beyond the closed-loop, four wall-delimited solutions being introduced and marketed today to more open system solutions that would enable tracking and location of laptops on a global basis. Let’s face it, we have systems on the market today for tracking down golf balls in the woods, but if you lose your laptop in an airport, hotel or restaurant you have no way to remotely locate it simply because it is a location outside of any closed-loop of protection. The company that can find a way to create such location systems, available “on demand” in high traffic areas such as airports, will find significant interest worldwide. With scary statistics such as those conveyed in this report, the marketing should be an easy sell ‒ namely to take away the “holy $#&*!” fears of traveling executives and their IT managers.

Table 1 ‒ The Top Ten U.S. Airports for Laptop Loss. Airports are ranked by total annual enplanements for the entire 2007 calendar year. Source Data: The Ponemon Institute, Airport Insecurity: The Case of Lost Laptops, June 30, 2008, p. 3 and Bureau of Transportation Statistics Data, July 2008.