Are Your 'Road Warriors' Putting Your CU's Data At Risk With Lax Laptop Security?

Information security awareness is something that is so prevalent in today's society that scarcely a day goes by without hearing about a new virus, a computer intrusion, or some other risk to our networks and our member's data. Because of this, and increasing regulatory scrutiny, virtually everyone has taken steps to protect their networks and data. Complex passwords have been put into place, firewalls, intrusion prevention and detection, anti-virus software and scanning, multifactor authentication and more.

With all of this security in place, what more can be done? Many credit unions are convinced that they have addressed all that can reasonably be done to protect their network and the member's data.

Enter the road warrior; armed to the teeth with all of the tools necessary to conduct business virtually anywhere in the world. In addition to the road warrior, we have our executive management team, our marketing staff, information technology staff and others, all of which indirectly present a much greater risk to our networks and member data than the multitude of hackers who spend countless hours attacking our systems.

* March 29, 2005. A thief steals a laptop from the University of California, Berkeley, containing personal information about nearly 100,000 alumni, graduate students and past applicants.

* May 22, 2006. The story breaks on a stolen Veterans Administration laptop containing personal data on 2.2-million U.S. veterans, originally thought to be 26.5-million.

* September 26, 2006. A laptop is stolen that contains personal information on about 50,000 current and former General Electric employees/

The list goes on and on. What none of us wants to see is: "February 15, 2007. A laptop containing personal information on 65,000 members from Your Credit Union was recently stolen."

Of 484 companies that were surveyed by the Ponemon Institute last year, 81% lost or had stolen laptops containing sensitive or confidential information. What makes these numbers even more shocking is the costs associated with these data losses. The average total costs of a data breach (or loss) is $140.00 per member record. The costs are broken down below:

* Direct costs-incremental, out-of-pocket unbudgeted spending, including legal costs, mail notification, phone calls, etc: $50 per member.

* Indirect costs-lost productivity: $15 per member.

* Opportunity costs-loss of existing customers, increased difficulty obtaining new customers: $75 per member.

Data provided by Ponemon Institute - "PGP Research Report Summary-What Does a Data Breach Cost Companies?"

In addition to the costs mentioned above, the impact to the credit union's reputation can also be significant. Almost 20% of the survey's respondents terminated their relationship with the company in which the data breach occurred.

An additional 40% were considering terminating their relationship. Of all those affected only 14% said they were not concerned by the breach. Finally, according to the FBI, 97% of all stolen laptops are never recovered.

One way to protect your laptops from being stolen would be to lock them down with a cable; however this does not work so well with a productivity tool that is designed to be mobile and this form of security can be defeated easily with a small pair of bolt cutters. One of the solutions that the Veterans Administration initially implemented was a complete recall of all Veterans Administration laptops, their solution, initially, was simply to take them away.

Although that would be effective, less drastic options are available. For example, there are a number of different encryption technologies available that require an additional user ID and password to un-encrypt a file, folder or hard drive. If this is the solution selected, 128 bit encryption should be the minimum considered and 256 bit encryption is recommended.

Encryption is a good start, but it really should be taken a step or two further. Requiring another validation, in addition to the user ID and password, further increases the security of the data on the system. A multifactor approach toward laptop security will go a long way to effectively securing the data contained within it.

The use of a USB key token, which includes a part of the encryption algorithm and must remain in place whenever the laptop is in use, provides substantial data protection. To access data on the hard drive, the USB token must be placed in a USB slot. The laptop is then turned on and the user enters their encryption userid and password, followed by their standard Windows log on information.

If the laptop is stolen, provided the token is not in the laptop, accessing the data becomes extremely difficult. In addition to this technology, there are laptop theft recovery services available. Many of these require software be installed on the laptop and if the laptop is stolen, it will silently (to the thieves) send its location to the service provider once it is connected to the Internet. Many of the services will refund the purchase price of the laptop, the recovery software, or both if the laptop is not recovered within thirty days.

At least one of these services, Computrace, claims to be able to delete sensitive data off from a laptop after it has been stolen and also provides recovery, inventory/tracking and software inventory services.

Effective security is never a single solution, it requires a multi-layer approach to be truly secure. Through the use of education, training, policy and technologies, your laptops can be effectively secured, the data protected and deleted if stolen, and the unit tracked down and returned.

Lester Warby III is VP and CIO at Firstmark Credit Union and can be reached at lester.warby<at>firstmarkcu.org