Saving the Dell: using RFID to improve laptop security
12 November, 2008
category: Digital ID, Library, RFID
By David C. Wyld, Southeastern Louisiana University
In the U.S., it has been estimated that upwards of a million laptops are stolen annually. This is an astonishing – and scary – statistic. And it is not just companies that are affected.
Indeed, across federal agencies, leading universities, and all facets of health care and education, there is increasing focus on laptop theft, as surveys of IT executives across organizations of all types show such occurrences happening on a routine basis – often with dire consequences potentially impacting thousands of employees, customers, patients and students.
Until recently, a common misconception was that the impact of a lost or stolen laptop was merely the cost of replacing the hardware (the laptop itself), a cost that could be assumed to continue to decline over time. However, in 2000, the Rand Corporation released a study that pegged the actual replacement cost of a lost laptop at more than $6,000 on average.
The Rand researchers included not just the replacement cost for a new unit plus any payments owed on the missing item, but also the data and software lost on the laptop, as well as the added costs to the organization of procuring and setting up the replacement computer.
When including potential loss of corporate data and legal liability, the dollar loss can be quite high. There are wide variances in the estimates of the financial losses stemming from laptop theft, with losses ranging from simple replacement costs of a few thousand dollars to estimates ranging into the millions.
Beyond replacement costs, there may be far greater – and more costly – impacts, from loss of customer information and records to loss of confidential business information and intellectual property, such as marketing plans, software code and product renderings.
In 2004, a joint study issued by the Computer Security Institute and the FBI estimated the cost per incident to be approximately $48,000. iBahn, a provider of secure broadband services to hotels and conference centers, found that the average business traveler has more than $330,000 worth of personal information on their laptop.
Last year, in a white paper entitled Datagate: The Next Inevitable Corporate Disaster?, McAfee and Datamonitor pegged the value of a lost notebook computer, in terms of confidential consumer information and company data, at almost $9 million. In fact, a recent study has projected that when confidential personal information is lost or stolen, the average cost to a company is $197 per record.
Overall, the National Hi-Tech Crime Unit has pegged stolen laptops as having a greater impact on organizations than any other computer threat, including viruses and hackers. Finally, in today’s 24/7 media environment, there is also a “hit” on the company’s brand name and image from the negative public relations generated by such cases, which can translate into declining consumer trust in doing business with the firm and an actual negative impact on sales and revenue, at least in the short term and, in some extreme cases, over the long term. The FBI itself is not immune from the problem, for it has been estimated that the agency loses 3-4 laptops each month.
RFID Solutions for Laptop Security
There is a wide array of data protection measures available today for laptops, from data backups to password protection to encryption and even biometrics. RFID-based solutions are just now beginning to enter the marketplace.
In the U.S., corporate and governmental interest in acquiring RFID-based laptop security systems is accelerating. In the private sector, clients range from Fortune 500 companies to even smaller businesses. Across higher education, colleges and universities are seeking to replace their laborious paper and bar code based systems for inventorying laptops and other IT assets with RFID installations. In the federal government, a number of Cabinet-level agencies have begun looking to RFID solutions.
Carrollton, Texas-based Axcess International Inc. is working with three federal agencies on RFID tracking of their laptop assets within their facilities using its ActiveTag solution. This spring, Profitable Inventory Control Systems, Inc. (PICS), based in Bogart, Ga., began an installation of its AssetTrakker system for the headquarters building of the U.S. Army National Guard in Washington, DC. The National Guard has approximately ten thousand electronic assets – with up to eight per employee – that will be tagged as part of the PICS installation, which will begin with the use of hand-held readers for inventory purposes and expand to include readers at building doorways and the parking garage to track movements and send alerts for unauthorized movements.
There are other new entrants in the emerging RFID laptop protection market. Cognizant Technology Solutions’ RFID Center of Excellence recently reported that it has developed and implemented an RFID-based laptop tracking system for internal use with its over 45,000 employees, who use more than 10,000 laptops at its locations around the world. That system could serve as the basis for a commercially available solution.
Saratoga, Calif.-based AssetPulse introduced its AssetGather solution for tracking laptops and other electronic equipment with RFID. The AssetGather system is designed to work with any type or brand of tags (passive, semi-passive or active) and various forms of readers. The AssetGather software is Web-based, and it can provide dashboard controls and real-time visibility on a client’s IT assets across multiple locations, including map, graph and list views, based on user preferences. AssetGather also can provide IT managers with reporting and audit controls, as well as programmed alerts on specific suspect laptop movements, including:
- Perimeter Alerts: Alert when an asset goes outside its permitted “home” zone
- Delinquency Alert: An alert is raised when an asset is not seen back within a configured time
- Serial Number Alert: An alert action is triggered when a specific asset is seen.
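The three alert rules listed above, sketched as an added example (this is not AssetGather's code; the tag IDs, zone names, 12-hour return window and read records are all constructed for illustration). It also shows why the delinquency rule matters: a tag that simply stops being read never trips a perimeter alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Read:
    """One tag read reported by a doorway or hand-held reader."""
    tag_id: str
    zone: str
    seen_at: datetime

# Hypothetical policy: permitted "home" zones per tag, a watchlist of
# specific serials, and how long an asset may go unseen at home.
HOME_ZONES = {"LT-0001": {"hq-floor2"}, "LT-0002": {"hq-floor2", "hq-lab"}}
WATCHLIST = {"LT-0099"}
MAX_ABSENCE = timedelta(hours=12)

def evaluate(reads, now):
    """Return sorted (alert_type, tag_id) pairs for the three rule kinds."""
    alerts, last_home = set(), {}
    for r in sorted(reads, key=lambda r: r.seen_at):
        if r.tag_id in WATCHLIST:
            alerts.add(("serial_number", r.tag_id))   # specific asset seen
        allowed = HOME_ZONES.get(r.tag_id)
        if allowed is None:
            continue                                  # no zone policy for tag
        if r.zone in allowed:
            last_home[r.tag_id] = r.seen_at
        else:
            alerts.add(("perimeter", r.tag_id))       # read outside home zone
    # Delinquency is driven by silence, so it is checked per managed tag,
    # not per read: a tag with no reads at all is still flagged.
    for tag in HOME_ZONES:
        seen = last_home.get(tag)
        if seen is None or now - seen > MAX_ABSENCE:
            alerts.add(("delinquency", tag))
    return sorted(alerts)

# Constructed sample reads (not real reader output).
NOW = datetime(2008, 11, 12, 18, 0)
SAMPLE_READS = [
    Read("LT-0002", "hq-lab", datetime(2008, 11, 11, 17, 0)),
    Read("LT-0001", "hq-floor2", datetime(2008, 11, 12, 9, 0)),
    Read("LT-0001", "garage-exit", datetime(2008, 11, 12, 9, 30)),
    Read("LT-0099", "lobby", datetime(2008, 11, 12, 10, 0)),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_READS, NOW):
        print(alert)
```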
And laptop security is quickly becoming a global marketplace. In India, Orizin Technologies has recently introduced a laptop tracking system that uses active RFID tags and is capable of tracking laptops and other IT assets on an organization’s premises with a range of up to 20 meters.
Perhaps the “coolest” RFID solution to date comes from the UK. Sheffield, England-based Virtuity has introduced a data protection solution under the brand name BackStopp. In short, the BackStopp solution uses RFID tags to ensure that laptops are securely maintained within the allowable range of a client’s facilities. So, as long as the laptop is within range, it operates normally. However, if it is removed on an unauthorized basis from the permitted range, the BackStopp server attempts to locate the laptop, using both the Internet and the internal GSM card on the laptop.
Protection goes beyond that though, as BackStopp immediately blocks any unauthorized user from accessing the computer and sends out a “self-destruct” message to the laptop to securely and permanently delete the data on the hard drive of the computer. BackStopp also has what Virtuity terms a “culprit identification capability” in that the built-in Webcam capabilities found in many laptops today are prompted to take and transmit digital images that might very well capture the laptop thief.
Analysis
Much of IT security is based on knowing that a threat is foreseeable, and unfortunately, corporate expenditures against known and continuing threats, from spyware, computer viruses, hackers, denial of service attacks, and other cyber threats, are just a cost of doing business in the Internet Age. And today, laptop theft is a similar foreseeable, ongoing threat.
Experts have pegged the probability of a given laptop being lost or stolen at between 1% and 4%. Using the FBI’s $48,000 laptop loss estimate, and assuming just a 1% loss probability, the expected loss per laptop – each year – is $480. If one uses higher probabilities in the range – between 3% and 4% – the expected loss would easily equal or exceed the actual hardware replacement costs of 95% of all laptops on the market.
Thus, even with significant investments in hardware and software to implement RFID-based security, the ROI case for RFID protection is clear when one considers the demonstrated potential cost of losing even a single laptop. And, as we have seen in cases involving companies like IBM and Pfizer and governmental agencies ranging from the U.S. military to leading universities, the larger the organization, the larger the potential vulnerability. A 2006 theft of a single laptop from a Department of Veterans Affairs employee exposed personal information on 2.5 million active and retired military personnel.
Finally, the funny thing about statistics is that the chance of a laptop loss occurring for any one company or one individual goes up over time. So, to guard against this foreseeable threat is not just being proactive, it may even be a necessity in today’s legal environment.
Courts are increasingly looking at steps that a company has taken to better secure its data in case of a security breach as a mitigating factor in cases stemming from such data loss. Further, legal analysts believe that the much-discussed Sarbanes-Oxley Act (SOX) may indeed impose new legal requirements on corporate IT departments to safeguard their mobile devices as part of their fiduciary duty to maintain a system of adequate internal controls.
Today’s concerns over laptop security may be just the tip of a data security iceberg when one considers the panoply of mobile devices used in business today – cell phones, PDAs, BlackBerry devices, etc. – especially as form factors across the board for all such electronics shrink.
While fixed computers still outsell laptops (with just over 150 million desktops sold in 2007), laptop sales are themselves surging, with approximately 110 million units shipped worldwide last year. In fact, global laptop shipments grew by 33% between 2006 and 2007, while PC shipments grew just 4% year over year during the same time period. So, there will be no abating the challenge – and market prospects – for laptop security.
The challenge will be to move beyond the closed-loop, four wall-delimited solutions being introduced and marketed today to more open systems solutions that would enable tracking and location of laptops on a global basis. Let’s face it, we have RFID-based systems on the market today for tracking down golf balls in the woods, but if you lose your laptop in an airport, hotel or restaurant, you have no way to remotely locate it today, simply because it is in a location outside the closed loop of protection.
The company that can find a way to create such location systems in high traffic areas – such as airports and conference centers – that can be available “on demand” will find significant interest worldwide. With scary statistics such as those conveyed in this article, the marketing should be an easy sell – namely to help IT managers and corporate executives sleep better knowing their organization’s laptops are more secure.
Wyld is a professor at Southeastern Louisiana University and director of the strategic e-commerce/e-Government initiative in the department of management.