Fidelity snafu spotlights need for laptop security policies

By Shamus McGillicuddy, News Writer
28 Mar 2006 | SearchCIO.com

It happens so often that it rarely makes the headlines.

But when it happens to a huge financial institution such as Fidelity Investments, which admitted last week that a laptop computer containing sensitive personal information on about 196,000 clients was stolen, people stop and take notice.

And CIOs everywhere start wondering, "Is anyone reading the laptop security policy?"

Unattended laptops are easy to steal. But because mobile access is critical to conducting business, CIOs need to find a way to mitigate risk while still allowing a company's workers to do business.

Eric Maiwald, senior analyst at Midvale, Utah-based Burton Group, said the only way to completely eliminate the risk of data being stolen from a laptop is to lock that data down and forbid it from ever leaving the company. However, for business to occur, data must be accessible, he said. Employees often need mobile access to data to make a sale.

"You've made a risk management decision," Maiwald said. "You can't be 100% secure. There is no way to do that and still conduct business."

Maiwald said there are several steps a CIO can take to mitigate the risk of allowing mobile access to data.

Probably the most important step is to have authentication and encryption technology on mobile computers. But that alone will not protect the data on a stolen laptop. Against a sophisticated thief, encryption buys time rather than a guarantee.

"Encryption delays an attacker's ability to get to the information," Maiwald said. "Eventually they can brute-force it. Computers get faster and algorithms get better. But if I'm going to attack, I'm not going to attack the algorithm; I'm going to look for a weak link."
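To make the "weak link" point concrete, here is an added example (written for this page, not code from the article or from Burton Group) in Python: a disk-encryption passphrase is stretched into a 256-bit key with PBKDF2, and an attacker holding the stolen disk never touches the cipher but simply tries candidate passphrases offline against the stored key check. The iteration count, the wordlist, the salt and the HMAC-based key check are all constructed for illustration and do not model any particular product's on-disk format; the helper that estimates exhaustive-search time shows why the raw key itself is not the target.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Assumptions for this example: the passphrase is stretched with PBKDF2-HMAC-SHA256
# into a 256-bit volume key. The iteration count is kept low so the demo runs in
# well under a second; real products use far more and that matters (see below).
ITERATIONS = 1000
KEY_LEN = 32  # 256-bit key


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a fixed-length key: this is the link an attacker targets."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_verifier(key: bytes) -> bytes:
    """Constructed stand-in for the on-disk key check: HMAC of a fixed tag under the key."""
    return hmac.new(key, b"volume-header-check", "sha256").digest()


def dictionary_attack(
    salt: bytes, verifier: bytes, wordlist: List[str]
) -> Tuple[Optional[str], int]:
    """Offline guessing: re-derive a key per candidate and compare against the stored check.

    Returns (passphrase, attempts) on success or (None, attempts) when the list is exhausted.
    """
    for attempts, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(make_verifier(derive_key(candidate, salt)), verifier):
            return candidate, attempts
    return None, len(wordlist)


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Expected time to find a random key by exhaustive search (half the keyspace on average)."""
    return (2 ** (key_bits - 1)) / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist; "Summer2006" is the passphrase a careless user chose.
WORDLIST = ["password", "fidelity", "letmein", "Summer2006", "laptop123", "Welcome1"]
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so runs are repeatable


def demo() -> Tuple[Optional[str], int]:
    """Build the key check for the weak passphrase and recover it from the wordlist."""
    verifier = make_verifier(derive_key("Summer2006", SALT))
    return dictionary_attack(SALT, verifier, WORDLIST)


if __name__ == "__main__":
    print("dictionary attack:", demo())
    print("256-bit exhaustive search at 1e12 guesses/s, years:", brute_force_years(256, 1e12))
```

Running demo() recovers the passphrase on the fourth guess, while a passphrase outside the wordlist is not recovered, and even at a trillion guesses per second exhaustive search of the 256-bit key takes on the order of 10^57 years. A high iteration count and a passphrase that appears in no wordlist are what turn "delays the attacker" into "stops the attacker".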

While it's likely that the culprit who stole Fidelity's laptop wasn't out to get sensitive data, it doesn't make the deed any less frustrating to CIOs.

It may seem obvious, but the best way to protect the data on a laptop is to prevent it from being stolen in the first place.

Companies must have good policies about protecting data and using laptops. More importantly, they must enforce those policies.

"I see a lot of organizations have a policy that says 'don't do this,' and then people do it anyway because there is no enforcement," Maiwald said.

Stuart McIrvine, director of global security strategy at IBM, said his company regularly runs automated checks to see whether employees are in compliance with security policies. An automated system verifies that an employee's computer has updated antivirus software and an active firewall. It also checks that all sensitive information is encrypted. If these conditions aren't met, the employee's supervisor is automatically notified.
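As an added illustration of the kind of automated compliance check McIrvine describes (example code written for this page, not IBM's system), the Python below evaluates posture reports collected from each laptop against three rules, namely fresh antivirus signatures, an active host firewall, and encryption on every volume that holds sensitive data, and groups the violations by supervisor so each gets a single notice. The report fields, the three-day signature threshold and the sample inventory are constructed assumptions; in practice the reports would come from an endpoint agent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Policy threshold is an assumption for this example, not IBM's actual setting.
MAX_SIGNATURE_AGE = timedelta(days=3)


@dataclass
class Volume:
    mount: str
    holds_sensitive_data: bool  # classification tag supplied by the agent (assumed)
    encrypted: bool


@dataclass
class EndpointReport:
    hostname: str
    owner: str
    supervisor: str
    av_signature_date: datetime
    firewall_enabled: bool
    volumes: List[Volume]


@dataclass
class Finding:
    hostname: str
    owner: str
    violations: List[str]


def evaluate(report: EndpointReport, now: datetime) -> List[str]:
    """Return the list of policy violations for one endpoint (empty means compliant)."""
    violations: List[str] = []
    age = now - report.av_signature_date
    if age > MAX_SIGNATURE_AGE:
        violations.append(f"antivirus signatures are {age.days} days old")
    if not report.firewall_enabled:
        violations.append("host firewall disabled")
    for vol in report.volumes:
        if vol.holds_sensitive_data and not vol.encrypted:
            violations.append(f"sensitive data on unencrypted volume {vol.mount}")
    return violations


def run_checks(reports: List[EndpointReport], now: datetime) -> Dict[str, List[Finding]]:
    """Evaluate every endpoint and group the non-compliant ones by supervisor."""
    by_supervisor: Dict[str, List[Finding]] = {}
    for report in reports:
        violations = evaluate(report, now)
        if violations:
            by_supervisor.setdefault(report.supervisor, []).append(
                Finding(report.hostname, report.owner, violations)
            )
    return by_supervisor


def format_notice(supervisor: str, findings: List[Finding]) -> str:
    """Render the notification a supervisor would receive (plain text, one line per host)."""
    lines = [f"To: {supervisor}", "Subject: endpoint security policy violations"]
    for f in findings:
        lines.append(f"- {f.hostname} ({f.owner}): " + "; ".join(f.violations))
    return "\n".join(lines)


# Constructed sample inventory: one compliant laptop, two with violations.
NOW = datetime(2006, 3, 28, 9, 0)
SAMPLE_REPORTS = [
    EndpointReport("lt-sales-01", "jdoe", "mgr-sales", NOW - timedelta(days=1), True,
                   [Volume("C:", True, True)]),
    EndpointReport("lt-sales-02", "asmith", "mgr-sales", NOW - timedelta(days=10), True,
                   [Volume("C:", True, True), Volume("D:", True, False)]),
    EndpointReport("lt-eng-07", "bwong", "mgr-eng", NOW - timedelta(hours=6), False,
                   [Volume("C:", False, False)]),
]


if __name__ == "__main__":
    for supervisor, findings in run_checks(SAMPLE_REPORTS, NOW).items():
        print(format_notice(supervisor, findings), end="\n\n")
```

The check is deliberately a pure function of the report, so the same evaluate() can be unit-tested, run from a scheduled job, or attached to a network access control gate that quarantines a laptop instead of merely emailing its manager.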

A company must emphasize the importance of security policy with its employees, Maiwald said. "Security awareness is often one of the last things that's done. It is something that can get you a pretty big bang for the buck, as far as better security policies in an organization. Because when employees completely mess up, it costs millions and millions of dollars."

Anne Crowley, senior vice president of media relations and public affairs at Fidelity, would not offer details of last week's theft. She would say only that a group of Fidelity employees took the laptop to a business meeting outside of Fidelity and Hewlett-Packard Co. offices. At some point after that meeting the computer was stolen.

The data on the stolen laptop may well be safe. According to Crowley, police believe the theft was a property crime: the thief probably has no idea what sort of information is on the computer, which is why Fidelity has been careful to release as few details about the circumstances of the crime as possible.

Crowley would not comment on Fidelity's policies regarding the storage of sensitive data on mobile devices. However, she did say, "It is not our practice to have that level of data on a laptop. We limit significantly the use of such confidential data outside of Fidelity."

Crowley described the data on the stolen computer as "scrambled" and said the license for the software used to read the data on the laptop has expired, which in her account makes it extremely unlikely anyone could use the information. Of those two safeguards, only the scrambling counts as a security control: an expired license stops the legitimate viewer from opening the files, not an attacker from reading the underlying data with other tools.

All Rights Reserved, Copyright 2007 - 2009, TechTarget