Fidelity laptop snafu spotlights need for security policies

By Shamus McGillicuddy, News Writer 28 Mar 2006 | SearchCIO.com

Digg This!     StumbleUpon     Del.icio.us

But when it happens to a huge financial institution such as Fidelity Investments, which admitted last week that a laptop computer containing sensitive personal information on about 196,000 clients was stolen, people stop and take notice.

And CIOs everywhere start wondering, 'Is anyone reading the laptop security policy?'

Unattended laptops are easy to steal. But because mobile access is critical to conducting business, CIOs need to find a way to mitigate risk while still allowing a company's workers to do business.

Eric Maiwald, senior analyst at Midvale, Utah-based Burton Group, said the only way to completely eliminate the risk of data being stolen from a laptop is to lock that data down and forbid it from ever leaving the company. However, for business to occur, data must be accessible, he said. Employees often need mobile access to data to make a sale.

"You've made a risk management decision," Maiwald said. "You can't be 100% secure. There is no way to do that and still conduct business."

More on security Physical security for laptops Mobile security: An oxymoron?

Maiwald said there are several steps a CIO can take to mitigate the risk of allowing mobile access to data.

Probably the most important step is have authentication and encryption technology on mobile computers. But that alone is not going to protect data on a stolen laptop. In reality, encryption will only slow the sophisticated thief from accessing data on a stolen laptop.

"Encryption delays an attacker's ability to get to the information," Maiwald said. "Eventually they can brute-force it. Computers get faster and algorithms get better. But if I'm going to attack, I'm not going to attack the algorithm; I'm going to look for a weak link."

While it's likely that the culprit who stole Fidelity's laptop wasn't out to get sensitive data, it doesn't make the deed any less frustrating to CIOs.

It may seem obvious, but the best way to protect the data on a laptop is to prevent it from being stolen in the first place.

Companies must have good policies about protecting data and using laptops. More importantly, they must enforce that policy.

"I see a lot of organizations have a policy that says 'don't do this,' and then people do it anyway because there is no enforcement," Maiwald said.

Stuart McIrvine, director of global security strategy at IBM, said his company regularly makes automated checks to see if employees are in compliance with security policies. An automated system will verify that an employee's computer has updated antivirus software and an active firewall. It also checks that all sensitive information is encrypted. If these conditions aren't met, the employee's supervisor is automatically notified.

A company must emphasize the importance of security policy with its employees, Maiwald said. "Security awareness is often one of the last things that's done. It is something that can get you a pretty big bang for the buck, as far as better security polices in an organization. Because when employees completely mess up, it costs millions and millions of dollars."

As it turns out, the data stolen from Fidelity could be safe. According to Crowley, police believe the theft of the laptop was a property crime. The thief probably has no idea what sort of information he has on the computer, which is why Fidelity has been so careful to give out as few details about the circumstances of the crime as possible.

Anne Crowley, senior vice president of media relations and public affairs at Fidelity, would not offer details of last week's theft. She would say only that a group of Fidelity employees took the laptop to a business meeting outside of Fidelity and Hewlett-Packard Co. offices. At some point after that meeting the computer was stolen.

Crowley would not comment on Fidelity's policies regarding the storage of sensitive data on mobile devices. However, she did say, "It is not our practice to have that level of data on a laptop. We limit significantly the use of such confidential data outside of Fidelity."

Crowley described the data on the stolen computer as "scrambled" and said the license for the software used to read the data on the laptop has expired, making it extremely unlikely anyone could use the information.

Let us know what you think about the story; e-mail: Shamus McGillicuddy, News Writer

Tags: Information security management for the midmarket,  Mobile technology for the midmarket,  Data privacy for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Gartner: Vetting security of third-party partners in five steps Locking down security in the move to electronic medical records Security and risk management in the midmarket Identity and access management planning guide for the midmarket Information systems management for the midmarket CIOs share advice on doing more with less Get smart about patching security vulnerabilities A CIO's advice for implementing single sign-on solutions Mobile technology for the midmarket ITSM and corporate performance management: CIO Decisions Ezine Midmarket data center management guides: Tips and best practices 2008 top 10 technology articles: Social media, Vista, IT salaries FAQ: What is unified communications, and why would I want it? Mobile unified communications options for the midmarket Top five technology trends -- and why you should give thanks Information technology management e-book downloads for midmarket CIOs Arts center's network infrastructure hits right note with Wi-Fi, FMC When Microsoft shuts you down and other IT horror stories CIOs, unified communications and the lost art of conversation Data privacy for the midmarket The price of data center outsourcing: Security, costs and more explored From software prices to EHR security: The latest advice for CIOs Locking down security in the move to electronic medical records Identity and access management planning guide for the midmarket Data protection trumps threat pursuit in SMBs' 2009 security spending Information technology management e-book downloads for midmarket CIOs Database security: Who should have access? Federal breach notification stuck in Congress Pre-emptive strategy best approach to breach notification CIOs under fire and in front of the camera

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary USB  (SearchCIO-Midmarket.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary