Dell, the computer company, released a study in June 2008 titled "Airport Insecurity: The Case of Lost Laptops." The study was conducted by Ponemon Institute LLC for Dell.
The study is telling in many respects, especially in the number of notebook computers that "go missing" and the lack of security in place on these machines. It's also interesting to note which airports have the highest - and lowest - numbers of missing computers. LAX leads the list with 1,200 units "lost" in a week, closely followed by MIA with 1,000; DCA and IAD are close to the bottom in their airport class.
The study, as expected, had a number of recommendations.
Recommendations and Conclusion
Lost laptops in airports are a serious issue for business travelers and their companies. As revealed in this study, very often business travelers’ laptops contain sensitive or confidential business information that is vulnerable to a data breach.
According to our Cost of Data Breach Study, the average business cost when confidential personal information is lost or stolen is $197 per record. Obviously, even one missing laptop can become a serious problem for any organization. To avoid having this occur, we recommend the following simple steps.
Most of the recommendations really fall into the category of "just common sense."
Hurry up and wait
"Allow enough time" is a no brainer. I understand that sometimes an urgent flight is required, but having been in business for more than a couple of years, I know that at least 85 percent of all flights can be booked well in advance (saving the organization substantial money).
Early arrival at the airport does not mean reduction in productivity. The study reports that 70 percent of those interviewed claimed to feel rushed at the airport. A lot of that "rushed" feeling is waiting to get a boarding pass and to clear security. Most boarding passes can be printed by or for the traveler before heading for the airport.
If the Busy Executive hangs around the office or home using the computer, the same Busy Executive can use a laptop computer at the airport; most airports now have free or fee Wi-Fi, so even connectivity is possible.
In other words, the only time Busy Executive will suffer keyboard separation is during the security check. Forbes Traveler has a 10-slide presentation that may help travelers get through the security check a little faster. (See info box.)
Unfortunately, the "Clear" TSA Registered Traveler program operated by Verified Identity Pass and mentioned in the Forbes' presentation shut down in June 2009 for lack of funding. Two other companies, Vigilant and FLO, offer similar service, but they are far smaller, according to the AP.
Another no-brainer is to "take appropriate security measures to protect your information."
According to the survey, 65 percent of the respondents claimed they, or their organizations, "do not take steps to protect the confidential or sensitive information contained on laptop when traveling on business."
- No system password protection.
- No media encryption.
- No file passwords.
- No backups.
Granted, biometric security may be a bit much for most computers, but to go completely naked into the night, as it were, never will make a best business practice list.
At the most basic level, there should be a strong password at the system level, sensitive files (including e-mails) need to be individually password protected, and critical data needs to be backed up.
If the Busy Executive intends to use a laptop at the airport (and now on the plane), data encryption needs to be in place so all those bits and bytes traveling across the ether are scrambled.
Consolidate to expedite
Travelers can help prevent the computer from being accidentally (or purposely) picked up by someone else at the end of the scan tunnel by following the "carry less and think ahead" admonition.
Empty pockets and collect all loose items – change, keys, cell phones, etc. – and stow them in a bag to be scanned. Untie shoelaces or, better yet, wear loafers/slip-ons. For quick retrieval, stick ticket/boarding pass and picture ID into a shirt pocket (never a hip pocket) or a special hang-around-the-neck ID/passport/boarding pass holder made for just this exercise.
Rodeo champion-sized belt buckles and the belt should be removed and passed through the scanner.
The idea is to have everything ready when the traveler and computer are separated so the traveler will be on the other side of the scanner when it spits out the computer.
Must the data be on the machine?
Another recommendation, "Think twice about the information you carry on your laptop," has me nodding my head in agreement.
When I worked for a transportation company, I recommended scanning contracts to CD. One of the brighter managers suggested that it would be convenient if he could have a copy of the CD for his trips to client sites. That way, he said, he could update the contract on the spot, print out the relevant pages, and get signatures while the customer was sitting across the table.
It seems to me it would be easy to comply with the study recommendation AND have all the information the traveler may need if the traveler took the manager's approach: put information on a CD (make a second back-up, and then delete the file[s] from the computer).
Put the CD in carry-on or stowed luggage; anyplace but with the computer. If the computer goes astray, the CD still may be available. There is an excellent probability that the customer will have a computer that can read the CD and business will go on.
Think about this one
The one recommendation to which I take limited exception is "label your laptop."
Yes, label it, but do not, as the recommendation suggests, "Provide your full contact information." The only information that ought to be on the label is a set of telephone numbers – the owner's cell (since the owner still may be at the airport) and the owner's office (in the event the owner is airborne).
The owner's name might be OK unless the owner is a "known" in his or her field, but never, never, never include the owner's organization. Imagine a modern Mata Hari labeling her computer "Property of Spies-R-Us" or "If lost, call Spies-R-Us at 8**-Spy-4You." Our Busy Executive may as well put the machine password – if there is one – on a Post-It note and stick it on the keyboard touchpad.
Put the two phone numbers on an at least semi-permanent tag located in a fairly prominent part of the machine.
About the Author:
John Glenn, MBCI, (http://JohnGlennMBCI.com) is an enterprise risk management - business continuity practitioner with more than 13 years' experience; he invites comments on this article, and others at his Web site, to Planner@JohnGlennMBCI.com.