Loose Laptops

The Hole: On April 5, MCI said that an MCI financial analyst's laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees.

The Problem : In many recent cases involving laptops, the computer's security was handled by a Windows log-on password. "It's getting easier for even the more casual criminal to find out how to break into the laptop," says Forrester's Friedlander. "There's more awareness that the information is valuable." Plus, the data in many of these recent incidents wasn't encrypted. (MCI won't say whether the stolen laptop was encrypted, just that it had password protection). According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch.

The Solution: CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who's connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor's hands, then the CIO should ensure that encryption was turned on. Users need to understand "why these policies and technologies are in place that may seem inconvenient, but why they do matter", says Friedlander. "If they realize the implications, most people will want to act." If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.

Tales of the Tapes

The Hole : Let's not forget the good ole data tape - in particular, CitiFinancial's now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers' data was on those tapes, including their names, Social Security numbers, account numbers and payment histories.

The Problem: CitiFinancial has stated it "[has] no reason to believe that this information has been used inappropriately". But on the other hand, there's no reason to believe that it won't be.

There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus. In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former US-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other "events of human error" that resulted in the loss of customers' backup tapes - and these are the guys who supposedly are all about security and nothing else.

The Solution: In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. "You can squeeze a lot more data into a truck than you can over the wire," Couture of Gartner Research says, "[but sending data electronically] could be cost-effective for smaller companies with small amounts of data." Citigroup's new shipping method will also take much of the people part out of the equation. "Any time you have to touch that tape and add a human element in the process, there's the potential [for] incompetence, malfeasance, and pure and simple stupidity," Couture says.