TechRepublic members who responded to Bob Artner’s recent column on the theft of laptops here at TechRepublic offered a number of ideas for securing hardware, ranging from simple locks to more complicated psychological warfare. In a lively discussion and in e-mail messages, members also touched on issues such as personal responsibility and laptop alarms.
Think like a thief
A computer training manager at a major university advised other members, “When reviewing your security policies, think like a thief.” He’s found that some thieves have the ingenuity to get around strong doors and good locks. “We have acoustic tiles forming a sub-ceiling, with a crawl space above the tiles,” he wrote in an e-mail. “This crawl space afforded access to locked offices, and an enterprising student recognized the opportunity and seized it, along with three unsecured laptops.”
Thieves want to get in and get out of the building quickly, and that knowledge can help you outsmart them. Simon Trangmar, who works for a major international manufacturing company, has found that most thieves are too hurried—or too stupid—to distinguish junk from valuable equipment during a heist. Trangmar approaches the problem in a rather unorthodox way. “I leave a battery-operated powered drill and some other ‘trick or treat’-type goodies out on the bench (behind which is hidden the laptop and other REAL goodies). I also leave a $50 note in an envelope addressed ‘To Mr. Burglar.’” In the note, Trangmar asks the thief not to trash the place and to consider the money a goodwill gesture.
tundraroamer and sujai work for companies where thieves won’t get much for their efforts—both give employees laptops that have little resale value. sujai wrote in a post that his company issues old laptops that have nothing but the Linux OS installed. The machines act as a thin client and cost about $200 each.
But some thieves just want the “real” goods, and they don’t care where they have to go to get them. Mike Francis reminded members that it’s also important to keep staff directories secure. One of his clients had some laptops stolen, and Francis’ firm replaced them. The client told staff members to always take their laptops home, but a thief then stole the staff directory and broke into employees’ homes to get the laptops.
Invest in locks and alarms
If your company chooses to issue expensive laptops to employees, a number of devices can help keep them secure. jharden’s former consulting company purchased a locking cable for every laptop. “Each employee received the cable and key with their laptop and signed a document agreeing that if they forgot to lock down their laptop when at a desk or hotel or other location, they took responsibility for the loss of the laptop (i.e., they pay for the replacement),” jharden wrote in a post. But if a laptop was locked down and stolen, the company paid for the replacement. “When you let the user know that their pocketbook is at risk, they are VERY careful about always locking down!”
Swiftos prefers a cable with a combination lock, so there’s no key to use. However, he noted that the cable wouldn’t resist a bolt cutter.
Other members recommend storing laptops in a safe instead of relying on cable locks. “After suffering a number of laptop thefts—including from locked drawers—we bought a heavy safe and insist on laptops being locked there at night,” hansk wrote.
Noise can provide another roadblock to thieves. Mike Howard recalled a ZDNet review of a product that is a combination motion sensor and alarm. If someone moves the laptop without entering the password, the alarm sounds. Howard thinks the device could be a pretty good deterrent, especially to theft on a massive scale. “Twenty screaming laptops are pretty hard to hide,” Howard wrote.
Davetheconsultant favors the Defcon 1 security device. “This little box is a 110-decibel screamer, attached to an aircraft-strength cable,” he wrote, and fits into the standard security slot on a laptop. Sometimes, Davetheconsultant hangs the device on his bags, on his car door, or even on the door of his hotel room to scare off potential thieves. The alarm will sound if the cable is cut or the unit disturbed.
Some alarms are hooked into a larger security system. Rob Green, who works with ISIS Ltd., wrote that his company offers a radio frequency identification (RFID) tagging system that displays the real-time location of tagged assets. When a laptop is detected exiting the building, the system verifies that the proper user is carrying it by looking up his or her “buddy tag” in the database. If there’s a match, the system authorizes the exit. If not, the system can set off alarms.
Block the use of stolen PCs
If a thief overcomes locks and alarms, there are options that may prevent them from using the equipment—and possibly help police recover it. Registering your hardware with the manufacturers and notifying them if the equipment is stolen is a free step that can help foil thieves. In the event of a theft, Rick Holder recommends that you consult your asset management records for the model, serial number, and other identifying information, then call the support department of the manufacturer. If a thief or someone who bought the stolen laptop contacts the manufacturer for support, they’ll be refused—which may prevent them from using the equipment. “I have been working with PCs, PC repairs, consulting, etc, for about 18 years and I have had about a half dozen incidents where I called for support only to discover that the unit was stolen and the vendor would not provide support,” Holder wrote to the IT Manager Republic mailbox. “It may not get your laptops back, but it should at least notify the new ‘owners’ that what they have might not be what they think they have.”
Brian_M, however, reports that a thief stole a laptop from his company and was able to get Dell tech support to help him reset the BIOS password. Tech support was fooled because the thief had also stolen the employee’s business card, and was able to give Dell all the owner information they asked for. “We have now instituted a security procedure with Dell so that only certain people can call tech support,” Brian_M wrote in a post.
Some products go a step further and may help you track down your laptop. Tim Albright suggested members download a free evaluation copy of PC PhoneHome. The software sends e-mail to a designated address if a stolen PC connects to the Internet, allowing you to trace its whereabouts and report it to the police. A ZDNet article discusses several other products that help track stolen PCs.
Institute user policies
Many members said companies need policies to show employees how to guard their data, as well as their equipment, so that they can quickly recover from a theft. Terryn recommends forcing users to back up to the network whenever they connect. “It won’t work if they’ve created a new folder for their personal stuff, but for backing up MyDocs or similar, it’s fine. We’ve used it quite a bit for road warriors who keep everything on laptop and never back up unless forced to.” StanToney recommended transparent data replication software such as Novell’s iFolder, which protects data from local loss and simplifies central backup.
Members also recommended forcing users to create and use passwords at every level possible—from BIOS to the screen saver.
Most companies combine a variety of components into their PC security policy. For example, swbail listed in a post some of the steps his department has taken:
- Placing security tags on every laptop—a red sticker in a very visible place, and a plate that won’t come off without damaging the laptop.
- Issuing cable locks with all docking stations.
- Moving data storage to the server for those who have docking stations instead of PCs.
- Using Windows 2000 or XP on laptops instead of the less secure Windows 98.
Of course, even the best policies are inadequate if employees don’t follow them. As LouEgg wrote, “The ‘human factor’ is the weakest link…. Even in a building with card access to secure areas, all it takes is one helpful person to hold the door for a ‘colleague.’”
Perhaps HLIM summed up the problem best when he wrote, “Security is something you do. Not something you buy.”