Laptops easy targets for data thieves

The past dozen years have witnessed a revolution in the workplace.

Thanks to the Internet and ever-more-powerful notebook computers, corporate employees are no longer chained to their desks. Virtual teams, telecommuters and other remote workers are now common in many companies.

Unfortunately, without proper safeguards, those same workers may provide data thieves and malicious hackers with yet another target of attack.

According to the Federal Bureau of Investigation, losses from laptop theft totaled $6.7 million in 2005. Although the cost of replacing hardware is relatively low, data stored on the hard drives of these systems can be priceless. Theft of a single notebook computer could result in the exposure of trade secrets, loss of critical process information, or misuse of confidential customer data.

Laptop security begins by physically protecting the system. Any computer that is left unattended becomes an attractive target for thieves.

Cable locks are available for around $30 each, and although such locks are not foolproof, they may slow down or deter any prospective laptop thieves.

File encryption technologies are built into most current operating systems. Microsoft incorporates the Encrypted File System (EFS) into Windows XP and Vista. EFS allows data within an encrypted folder to be decrypted on the fly, but only when the owner is logged on.

Apple provides a similar feature in Mac OS X that allows the user to encrypt his or her home folder.

Various proprietary and open-source technologies allow encryption of an entire drive or logical volume. Any of these products can help to ensure that sensitive data remain inaccessible, even if the computer is stolen.

Traveling employees often require access to internal resources, such as e-mail servers, customer databases, and office applications. However, if information is sent over an unsecured connection, thieves could intercept the transmission.

A Virtual Private Network, or VPN, is the standard solution for securing communication over a public network such as the Internet. With a VPN, an encrypted "tunnel" is established between the network perimeter and the remote system using one of several tunneling protocols. All traffic flowing through this tunnel is encrypted while in transit and would appear as gibberish to an interceptor.

Web-based applications can be secured through Secure Sockets Layer or Transport Layer Security (SSL/TLS) encryption. This same technology that is used to secure a purchase at Amazon.com can be used to secure remote workers connections to the corporate Intranet and various database applications. Some enterprise-level applications, such as Microsoft Exchange Server and Novell GroupWise, offer secure web-based access.

As portable storage devices continue to become smaller and grow in capacity, their potential for being mishandled increases. A two-gigabyte thumb drive can store as much data as the hard drive of a typical Windows 95 workstation.

Cell phones, portable music players, and PDAs may all be used to store and transfer sensitive information. As a result, these devices need to be given the same protection as a laptop computer, and employees should be provided with clear policies regarding their use.

Mobile technologies can free a company from geographic limitations and help support a global work force. However, expansion of the corporate workspace does not come without risks. By recognizing and addressing those risks, companies and employees can continue to reap the rewards of a remote computing environment.

New columnist: Monte Kendrick

Monte Kendrick has held a variety of positions over the course of his career, including research scientist, technical writer, multimedia developer, Web master and technology consultant. For the past few years, Kendrick has served as president of and senior consultant for Pixelogiq Data Systems - a multifaceted technology and information security consulting firm in Madison.

Kendrick earned a master's degree from Ohio State in 1992 and is now nearing completion of a second master's in information assurance from the University of Dallas, Graduate School of Management. He possesses two management certificates from the American Management Association, a computer security certificate from Stanford University, and more than a dozen information technology and security certifications.