Stop, thief! How to protect your laptop and its data.
Today's laptops weigh as little as four pounds, yet they are capable of storing as much data as the midsized mainframes of the 1970s. While mainframes typically are protected in high-security areas, laptops are toted casually around the world, through airports, train stations and from client to client with little or no thought of security. And that's despite the growing number of laptop thefts.
Some thieves are so emboldened they have been known to disguise themselves as pizza deliverers or maintenance workers, slipping past the front desks of even security-minded businesses. Once inside, they swoop up any unguarded laptop into their pizza warmers or tool repair kits and walk out - potentially carrying the data equivalent of hundreds of file cabinets.
While most thieves just sell the stolen computers, others are industrial spies and what they really want is the data stored inside. This article outlines some ways to reduce the opportunity for such thefts and, more important, ways to ensure the data cannot be accessed if computers are stolen.
ACCOUNTING FOR DANGER
Accountants who do auditing or tax preparation are most susceptible because they typically travel from client to client, and their laptops usually are loaded with a client's data, such as earnings information, inventory reserve amounts, audit memos and notes on internal controls. If this type of sensitive and confidential information falls into the wrong hands, the CPA may end up defending itself against a negligence claim. But even if the thief doesn't use the lost data, the time needed just to recreate it may be substantial.
Accountants in industry face comparable problems, so CPA firms may wish to assess their clients' risks and offer to provide security consulting services.
The key to a successful security program is top management's involvement. The best systems fail when management fails to give them impetus and provide reminders of their importance.
One major threat businesses face is the loss of transaction data: Traveling sales forces increasingly record such data on laptops and then either upload to the main office via modem or download onto diskettes that are mailed back to headquarters.
Even more serious is the fact that many modem-equipped laptops can link up with their corporate mainframes or network servers to retrieve information such as inventory quantities, price quotes and customer credit data. Thus, if a laptop is stolen, the thief potentially has access to these corporate databases.
One simple way to reduce laptop thefts when traveling is to place the machine inside a briefcase rather than carrying it in a separate bag emblazoned with the computer maker's logo; for a thief, that logo reads, "Steal me!"
An alarm system can help guard against thefts in which the portable machine is just picked up and carted off. Alarms are effective when the computer is in, say, a hotel room, a parked automobile, an airport lounge or an office. They are sensitive to motion: Move the computer without first typing in a code and an alarm sounds. One such device is SonicPro Alarm, which weighs about five ounces (including batteries), sells for $90 and comes with a three-year, $5,000 insurance policy. A similar device, Elert, sells for $49 without the insurance policy. For more information on such products, see exhibit 1, at left.
Such alarms trigger their own problems. For example, if the laptop is snatched and the piercing alarm is sounded, the surprised thief probably will drop the computer, damaging the hard disk and making the data inaccessible. Another problem occurs when the owner is at lunch and a colleague accidentally jars the computer, setting off the alarm. Of course, keeping a list of such alarm deactivation codes in the office alleviates this particular problem, but it also makes it easier for a thief to get the code. In addition, it won't help if the alarm goes off when the accountant is visiting a client.
A quieter solution is a lightweight steel security cable, which can secure the machine to a desk or chair. Some cable systems also lock the floppy drive so a thief cannot copy computer files without the access code. Some new portables even have built-in slots to attach security cables.
Unfortunately, even if the computer is locked with a cable, the thief can remove the hard disk, replacing it with a purposely malfunctioning one. In such a case, although a hard disk failure message appears on the screen when the user turns on the computer, the user has no way of knowing the original disk was stolen. This type of theft has been known to occur during computer repairs, which is why prudent users record the serial numbers of both their computers and their hard disks.
Another protection against hard disk theft is use of a removable hard disk - one that snaps out when not in use. Alternatively, it's possible to store and protect all sensitive data on diskettes. The downside to this solution is that it's time-consuming and tedious to download a large number of files onto diskettes.
Data files are not the only sensitive information often found on laptops. Many laptops are loaded with communications software that allows links to a company's mainframe or network, allowing a high-tech thief to break in, access and possibly destroy far more information than is on the stolen laptop.
Products generically called smart cards are one way to thwart that type of theft. Smart cards are essentially tiny computers the size of credit cards that can be snapped into a laptop slot; once installed, they require an authorization code to access a remote network or computer. The cards themselves cost about $60 and the companion host authentication hardware, which is installed at the mainframe or network, ranges from $1,000 to $35,000. Most of the systems also include personal identification codes for each user as additional security. Thus, if both the portable computer and smart card are stolen, the thief won't be able to access the host computer without the personal ID code. For more information on smart cards and network protection, see exhibit 2, at left, and exhibit 3, below.
In some cases, computer managers are taking smart card systems a step further: If the laptop and the smart card are stolen and the loss is reported to the mainframe or network supervisor, a special program is triggered to trip up the thief who tries to access the remote system. Once a connection is made, the remote host computer flashes a silent command back to the stolen portable that automatically erases its hard disk and then disconnects.
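The host-side check described in the two paragraphs above, modelled as an added example that is not from the article or from any vendor's product. It assumes a challenge-response design in which the card proves it holds a secret; the class name, return strings and lockout threshold are hypothetical.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 3  # assumed lockout threshold, not a figure from the article

def card_response(card_secret: bytes, challenge: bytes) -> bytes:
    """What the card computes: proof it holds the secret, without sending it."""
    return hmac.new(card_secret, challenge, hashlib.sha256).digest()

class HostAuthenticator:
    """Hypothetical host-side check: card secret + personal ID code + stolen list."""

    def __init__(self):
        self.cards = {}    # card_id -> enrollment record
        self.pending = {}  # card_id -> challenge awaiting one response

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, card_id: str, card_secret: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.cards[card_id] = {"secret": card_secret, "salt": salt,
                               "pin": self._pin_hash(pin, salt),
                               "failures": 0, "stolen": False}

    def report_stolen(self, card_id: str) -> None:
        self.cards[card_id]["stolen"] = True

    def new_challenge(self, card_id: str) -> bytes:
        self.pending[card_id] = secrets.token_bytes(16)
        return self.pending[card_id]

    def verify(self, card_id: str, response: bytes, pin: str) -> str:
        rec = self.cards.get(card_id)
        challenge = self.pending.pop(card_id, None)  # single use: blocks replay
        if rec is None or challenge is None:
            return "deny"
        if rec["stolen"]:
            return "deny_and_wipe"  # host would send the erase command here
        if rec["failures"] >= MAX_FAILURES:
            return "locked"
        card_ok = hmac.compare_digest(card_response(rec["secret"], challenge), response)
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec["salt"]), rec["pin"])
        if card_ok and pin_ok:
            rec["failures"] = 0
            return "allow"
        rec["failures"] += 1
        return "deny"
```

Access needs both the card and the personal ID code, and a card on the stolen list is refused even when both are correct.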
Another common way to secure host computers from unauthorized remote users is with a dial-back procedure in which users must dial from preauthorized phone numbers. Some of these dial-back packages also use passwords for additional protection.
A relatively low-cost way of securing data and application software on a personal computer's hard drive is to install a program that locks the hard drive with a password. Two popular products are Norton's DiskLock and Sentry Software's Hardlock Computer Security. Some security programs, such as PC Dynamic's Menuworks Total Security and Kent-Marsh's FolderBolt, go a step beyond a software lock: They provide an audit trail of who uses which applications and data files. Some of these programs also keep a record of illegal log-on attempts. For more information on such products, see exhibit 4, pages 76-77.
What happens if a user forgets a password? Most of the programs come with an emergency access diskette unique to the computer on which the program is loaded; the diskette is programmed to recognize the computer when the hard disk loads the original security program. But what happens if that disk is misplaced? Most manufacturers will send registered users a special utility diskette that allows access, but that may take a couple of days. Of course, if the manufacturer has a utility disk that can bypass security, it's a safe bet that a determined thief also will be able to bypass the security software.
The best data security is data encryption. The most popular code, DES (data encryption standard), is a government standard encryption design. Its security is so great that if a password is forgotten, it may never be possible to access the data again. These packages are relatively inexpensive and may come as part of another security package, such as Norton's DiskLock.
For any of these products to work, users must use them. In fact, many people just don't want to bother using them because it requires an extra step or it creates a problem. For example, if a motion detector alarm system goes off accidentally in an airport, it's likely the user will be too embarrassed to use it in the future. Data encryption software is useful only if employees encode files each time they are used. In a similar vein, smart cards serve no purpose if they are stored in the same carrying case as the laptop or notebook computer and the personal ID number is written on the card or easily guessed.
Good security requires constant attention. A system administrator should maintain a list of all passwords to ensure access to locked computers and recovery of encrypted data in the event an employee no longer is able to provide the password personally.
* As convenient and low-cost portable computing grows in popularity, thefts of laptops and their stored data become more of a threat. CPAs who provide auditing or tax preparation services are most susceptible because they typically travel from client to client with their laptops.
* Accountants in industry face comparable risks. CPA firms may wish to assess the risks clients face and offer to provide security consulting services.
* One simple way to reduce laptop thefts when traveling is to place the machine inside a briefcase rather than carrying it in a separate bag emblazoned with the computer maker's logo.
* There are both hardware and software solutions to the theft problem. Hardware devices include alarms and security cables. Software solutions include programs that require passwords to gain access to the computer.
* No matter how good the hardware and software, they are of no value unless used.
Author: Greenstein, Marilyn Magee
Publication: Journal of Accountancy
Date: May 1, 1995