By CYRIL TUOHY, managing editor of Risk & Insurance®.
Sometimes a laptop is just a $500 machine. At other times, it's a $49,000 liability.
Lately, businesses have discovered that personal computing devices are more and more likely to become liabilities. Adding to the risk is the fact that more employees carry more data with them in ever smaller devices: smartphones, tablets and now, Ultrabooks.
Welcome to the new age of the shrinking computer, the all-you-can remember PDA, and the mad scramble into the tablet space. Safety and loss-prevention managers are being forced to become increasingly aware of the risks involved in allowing employees to bring this expanding variety of computing tools to work.
Yet, despite all of this vigilance, statistics recently compiled by Kensington Computer Group show just how desperate the situation is.
Consider the following loss statistics related to laptops (from a variety of sources):
* One out of every 10 laptops is stolen or lost over the life of the machine and one laptop is stolen every 53 seconds.
* Of the devices in 2010 reported stolen, 52 percent were stolen at the office or at work, 24 percent at a conference, 13 percent in a meeting room and 6 percent from a car.
* The average cost from a laptop loss in 2009 was estimated at $49,000, a figure that includes lost productivity, support and management resources devoted to resolving issues pertaining to the loss.
Now consider the following loss statistics related to smartphones:
* Of the 70 million smartphones lost each year, only 7 percent are ever recovered. And still ? 57 percent of those lost smartphones were not protected with enabling mobile security features.
* 4.3 percent of all smartphones issued to employees are lost or stolen every year.
* As much as 60 percent of lost or stolen smartphones contain sensitive data in a contact list, emails, Internet credentials, security codes and settings and business applications.
The average cost to a company of recovering from a single data breach has gone from $3.3 million in 2005 to $7.2 million in 2010, according to Kensington. The snapshot of the data was compiled from Kensington's records, as well as information from the Ponemon Institute, McAfee.com, Forbes.com, Datatheftsolutions.com and Macsense.com.
With so many devices in the mix, companies that allow their employees to connect such a large number of technology tools to their systems are taking on increased risk.
"More and more companies are allowing personal devices to be connected to the networks," said Rob Humphrey, director of security products with the Kensington Computer Products Group, which makes computer security devices. "That's a tradeoff. The company is saving money on equipment but raising the risk and it's hard to enforce policies." The workplace, he also said, "continually pops up as No. 1 or No. 2" as the location where people report their devices lost or stolen.
For businesses, a laptop or smartphone is easy and cheap enough to insure under a property policy. But it's losing the data on the network that poses an existential threat to the company.
DataLossDB, a not-for-profit foundation that tracks security breaches, recorded 369 incidents through July 2011 that exposed personal identification or the medical records of 126.7 million consumers.
The incidents ranged in size from the loss of a few dozen records to the 77 million customers affected when hackers broke into Sony Corp.'s PlayStation network in April.
Despite the risk, many companies are not buying network-liability protection, even with hacking and data-loss incidents in the headlines.
"The market penetration is still woefully low given the exposure," said Lori S. Nugent, a partner and cyber risk expert with Wilson, Elser, Moskowitz, Edelman & Dicker LLP in Chicago, in an interview with Risk & Insurance last year.
Companies can protect themselves, Humphrey said, by implementing a mobile security policy, investing in physical security, never leaving devices logged into networks, encrypting data and authenticating users.
January 17, 2012
Copyright 2012© LRP Publications