Corporate America's lost laptop epidemic

One in 10 notebook computers will be lost over their three-year lifetime -- a massive data loss problem exacerbated by 'incompetent' protection and 'inaction,' say experts

The fact that one of 10 corporate laptops will be lost or stolen over their three-year lifetime -- along with tens of thousands of dollars of data -- presents two major problems for enterprises.

The Ponemon Institute took both tacks on Thursday in presenting a study on the cost of lost laptops funded by chip giant Intel. The survey of 329 companies found that more than 86,000 laptops had been lost or stolen. A previously released study pegged the cost of each lost device at $49,000 -- mostly due to the leakage of company-sensitive data. The total price tag for the survey group: $2.1 billion.

A large part of the problem is that companies generally had very little protection guarding the sensitive data on the mobile computers, said Larry Ponemon, chairman and founder of the Ponemon Institute.

"We do a lot of research, and we see a lot of organizations are incompetent in protecting information assets," said Ponemon, speaking during a press briefing. "And laptop computers and small data-bearing devices are always at risk."

In one company studied by the researchers, a database administrator had lost 11 laptops over two years. A security risk? Not necessarily. The woman -- an employee valued by her company -- admitted during an interview that the best way to get the latest and greatest laptop was to "lose" her current machine.

Yet, other portable computers were lost with valuable data and without adequate encryption or the ability to remotely wipe the device, the researchers said. Only about 30 percent of lost laptops were encrypted, and only 10 percent incorporated other antitheft technologies.

Data loss, of course, can hurt the company who owns the data, but in many cases, the loss of custodial data -- the information kept by companies on behalf of their customers or clients -- can lead to lawsuits, especially if the company was not doing its due diligence, said Kevin Beaver, an independent security consultant who spoke as part of the Intel-funded call.

"Inaction is probably the biggest problem we have with security," Beaver said. "Management knows ... that there is a problem with security, but we still have this issue of inaction. People not willing to invest the time, money, and resources into fixing this problem."

One way Intel works to ameliorate the problem internally is by letting its workers put their personal information on the computers. People are less cavalier about the security of their laptops when they have their own data on them, said Malcolm Harkins, Intel's chief information security officer.

"To some degree, all of our laptops you can think of as consumer devices," he said. "We allow for ... anybody to use them for anything, as long as it is not inappropriate. People do taxes on them, they store their kids soccer games on them ... Because we allow for that and people do have personal stuff on it, they do take more of a sense of ownership, and I think that helps rather than hurts."

Of course, Intel is offering its own technological solution as well. The company's anti-theft technology allows administrators to remotely remove access to encrypted data on the laptop. The company's recently announced acquisition of security firm McAfee for $7.7 billion could bring new capabilities to the platform as well.

This article, "Corporate America's lost laptop epidemic," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.

How to choose a low-code development platform