Looking at Laptop Losses
A RECENT SURVEY by the Ponemon Institute of 484 corporate and government IT managers found that 81 percent of companies surveyed had laptops with confidential or sensitive information lost or stolen in the past year. A group of building managers in Canada has gathered together to fight that trend locally.
Rather than slap cables on laptops or retool corporate laptop policy as a kneejerk reaction, this group of building managers joined with security managers, police, and intelligence agencies in the province of Alberta to study the problem systematically.
The group, members of the Calgary Public Safety Committee of the Building Owners and Managers Association (BOMA), “shared detailed information to create a roadmap of successes and failures of various thefts,” states Glen Kitteringham, CPP, of Brookfield Properties, one of the study’s architects. That information, concerning 101 documented thefts or attempted thefts in 2005, included video footage, modus operandi specifics, and evidence.
Studying the breakdown of thefts that succeeded (63 percent) versus those that didn’t (37 percent), the group identified security aspects that may have had a bearing on those outcomes. For example, the group found that thieves accessed tenant spaces half the time by breaking and entering. Of the other half of entries, the method most often used by thieves was piggybacking to get in through open doors or talking their way inside via social engineering.
Comparing successful and unsuccessful thefts, the BOMA group concluded that properly configured layers of physical and procedural security do stop thieves. In cases where such layers were present, 30 of 38 theft attempts were thwarted. Measures of a layered approach include CCTV on the tenant floor, officers, and electromagnetic locks. The human factor was also important, including employees who challenge visitors, and employees who are trained not to hold doors open for strangers.
Another interesting finding was that overt CCTV was found to be a potentially significant deterrent. While CCTV’s value is always speculative in that it’s difficult to prove the reason for a lack of crime, the BOMA group concluded that there is “strong evidence to support the contention [that] thieves were bypassing tenant floors where CCTV was installed.”
Among the evidence was the fact that suspicious people left the building and never returned after they noticed CCTV cameras. Tenants reported the immediate cessation of thefts once CCTV was installed. CCTV in common areas had little deterrent effect, however.
Throughout the one-year study period, laptop thieves proved flexible and adaptive. As security targeted weaknesses, thieves changed tactics. At first, early in the year, thieves operated solely from Monday through Friday, often using legitimate activity as cover. But later in the year, perhaps because employee awareness training cut down on the thieves’ ability to use social engineering successfully, they began to steal on Sundays. And thieves initially targeted high-end laptops, but switched to cheaper models once the more valuable equipment received better protection.
The study is significant in that it represents one of the few examples of a long-term and extensive collection and analysis of data on this important topic. “The group took an objective and methodical approach to this problem,” notes Kitteringham.
In addition to the general findings, the group compiled specific security recommendations and a tenant lobby security checklist, which can be found in the report.