According to Aberdeen, large companies have three computer-related losses per week. Aside from the physical cost of the hardware, businesses need to cope with data loss, security vulnerabilities, user productivity – and a very cranky boss, I’ll warrant.
I’m going to go out on a limb: Your IT department is understaffed and overworked, and you don’t have enough money in the budget to cover all the things you need. As a result, there’s a good chance that your end user computing hardware (for example, PCs, laptops, netbooks) and their associated applications, connectivity, and data on which employees depend on to do their work — also known as “endpoints” — can get lost in the shuffle. Employees leave for another job, they get laid off, they move to another department, and so on. What with all the work to do, it’s fairly low priority (not to mention difficult) to keep track of where all those laptops and applications end up.
But that lack of awareness is dangerous. Security may be tough to justify. It costs a lot to prevent something that only might happen. However, IT administrators need to consider the many recent well-publicized and costly data breaches to realize some of the reasons ignorance is decidedly not bliss.
Research consultancy Aberdeen Group reports that between January 2003 and December 2009, more than three computer-related loss, theft, or disposal incidents occurred each week (on average) and affected more than 150 million records. And that’s just the public disclosures. The damage such incidents can do are tremendous, both in terms of physical cost (nearly $5 million per year on average), and in terms of data loss or exposure (an average of $640,000 per incident). Then there’s also the not-always-quantifiable inconvenience and loss of productivity surrounding such events.
The odds are that at least some of the laptops or other mobile assets your company issues eventually will be lost or stolen. In Aberdeen’s study of 150 organizations in “Laptop Lost or Stolen? Five Questions to Ask and Answer,” [free download, registration required] for every 100 endpoints, only 85 came back. The rest were lost or stolen (with only one being successfully recovered) or simply were listed as “missing and unaccounted for.”
To dig deeper into the report’s findings and what you should learn from it, I talked with Aberdeen research associate Nathaniel Rowe, who collaborated on the report.
IT Expert Voice: With all the breaches in the news, do companies really need a report to remind them that asset management strategies and proactive security are important?
Nathaniel Rowe: They realize there are risks without security in place, but with budgets being tight and the economy being what it is they don’t have the budget. Preventing risk costs a lot of money and the benefits aren’t always obvious, so we’re attempting to put some hard numbers to what happens when you don’t protect your assets.
Best in class companies — those with advanced strategies around tracking, recovery, and deterrence — saved an average of $44 per endpoint. For the companies in this study, that translated to a cost savings of about $800,000. Those are hard numbers that these companies can look at to justify investing in technologies that help them track inventory, recover laptops, and so on.
IT Expert Voice: Which investments should companies begin with to improve their endpoint protection strategy?
Rowe: Start with protecting against data loss or exposure. Full disk encryption is a great way to start. We also recommend remote deletion or being able to remotely disable a device; these haven’t seen as much adoption in the market as perhaps we would like to see, and that’s probably because these are relatively new solutions.
However, there is a serious differential between the best in class and the laggards [companies with the most security incidences and least strategy]. The best in class are investing in these more advanced forms of security.
IT Expert Voice: You mentioned the missing and unaccounted for, but doesn’t a company need a certain amount of asset management and know where its laptops are before it can know if something is stolen?
Rowe: Absolutely. That starts on a policy level, with having the right kinds of policies and procedures in place on an organizational level. You don’t want to provision too many of them and have them underused or not used at all.
Maybe the company has downsized and you have a couple hundred laptops sitting on the shelf and by the time you get around to increasing your headcount those laptops might be obsolete. So you need to have strategies in place to track your assets all the way through the end of the lifecycle.
IT Expert Voice: How are the best-in-class enterprises doing this?
Rowe: There are a number of different solutions. For example, software portals that you can load onto your laptop or whatever endpoint you have and push out updates centrally so one guy isn’t taking a bundle of disks to every single workstation. Such solutions enable IT to look out and see the status of all the workstations — are they updated?
And that’s one window into asset management that helps you with tracking. Other solutions might deal with other aspects of the asset lifecycle.
But the more you automate solutions and reduce manual interactions with the devices, the fewer chances there are for human error, and the more you can do with the IT staff you do have. I was doing a report recently on the automation of backup and recovery of files; if something happens can you get that information back? Automated solutions do cost more, but they had the better ROI in terms of keeping the data secure and the amount of time spent managing each endpoint.
IT Expert Voice: Speaking of ROI, spending money on what might happen — especially in this economy — that’s a tough sell.
Rowe: Larger enterprises are often willing to swallow the couple thousand dollars for the physical devices as long as they know their intellectual property is secure, but it’s important to realize that those costs for the physical device add up. Best in class companies were much more likely to be able to successfully recover devices after they were stolen, by being able to track it—for example, if a lost of stolen laptop is logged into the Internet you can track the IP address the lost/stolen laptop is logged into. By tracking that, a company can get an approximate location and better assist law enforcement in arresting the suspect and recovering the device.
Some companies are far enough along in strategy that they can actually use the web cameras to take pictures of who’s using the laptops and report that, and some of the endpoints can be tracked through GPS… so there are several different solutions here, but if you’re able to track it you’re much more likely to be able to recover it.
Best in class companies also have better internal controls. So using these better internal and external tracking mechanisms, they’re able to recover more of their assets and lose fewer in the first place. So that $2,000 or $3,000 here and there [for a lost or stolen laptop or other endpoint] can really add up, especially for these larger enterprises, to an average of $800,000. That’s the difference between best in class and laggards, which is an indication of the money you could be saving by investing in some of these solutions.
The second kind of cost involved in this scenario is the potential loss of intellectual property itself. The information from our survey is several months old so it’s not as high as some of the other security estimates out there, but Aberdeen has calculated that the average cost of one of these data loss incidents is about $640,000 per incident. A single incident where you lose Social Security numbers of your clients or credit card numbers will not only damage your immediate business; you’re going to have to spend a lot of money trying to clean up the mess. And the damage to your reputation can be crippling.
IT Expert Voice: But not every company deals with sensitive information. What would you say to companies that think, “Oh, well we don’t have to worry.”
Rowe: If you haven’t successfully locked down a laptop or other endpoint, with today’s focus on people working from home and accessing files from outside the company networks, through VPNs, getting access to companies’ databases through wireless networks… If your assets are not sufficiently protected, that’s an open portal to whatever information you have and it’s also an open portal to malware, viruses, and attacks against the companies infrastructure. If that gets into the wrong hands, they can do anything they want.
IT Expert Voice: The report talks about five questions. Can you discuss those?
If a laptop goes missing, you should be able to answer: What happened, i.e., why is it missing? What assets are at risk? What protections were in place? Where is it now? Can we prevent it from happening again?
You don’t want to be the guy that says, “I don’t know.” But too often, companies will say, “I don’t have a response to these questions.” If you’re the guy who has to report the incident but say we don’t know what’s at risk, we don’t know if there’s credit card or personal information on the laptop, we don’t know if there are any protections or the data is easily accessible… That’s not good.
The most troubling thing to me is the 11 percent of assets that are missing and unaccounted for. It could be that it’s just sitting on a shelf. Or it could be in the hands of a disgruntled employee. Ignorance is not bliss in these instances. Having the information allows you to at least start the process of inquiry and protection.
Where to start? Endpoint management investment priorities
- Protect against data loss
- Create consistency end user policies
- Maintain accurate information on laptops and other mobile assets
Want more like this? Sign up for the weekly IT Expert Voice newsletter so you don’t miss a thing!
[...] This post was mentioned on Twitter by Esther Schindler. Esther Schindler said: RT @ExpertVoice: Do You Know Where Your Laptops Are? @Diann_D on 5 questions you'd better be able to answer http://ow.ly/1Bpy0 [...]
[...] Do You Know Where Your Laptops Are? – “According to Aberdeen, large companies have three computer-related losses per week. Aside from the physical cost of the hardware, businesses need to cope with data loss, security vulnerabilities, user productivity – and a very cranky boss, I’ll warrant…” [...]
[...] Selon Aberdeen, les grandes entreprises ont trois pertes liées à l'informatique par semaine. Mis à part le coût physique du matériel, les entreprises doivent faire face à la perte de données, les failles de sécurité, la productivité des utilisateurs – et un patron très grincheux, je vous le garantis. Je vais aller sur une branche: Votre département informatique est en sous- et surchargé de travail, et vous n'avez pas [. . . ] URL article original: http://itexpertvoice.com/home/do-you-know-where-your-laptops-are/ [...]
[...] service is that you don’t have to maintain a central server. It also is more useful for those occasionally-connected laptops; most central-server AV products require that the server and the laptop be on the same local area [...]
[...] downside to portable hard drives can be formidable. If you lose the notebook or leave it to be found on the next flight to somewhere, it’s likely that your backup portable [...]