Those are probably the scariest words a CIO can hear. But are they taken seriously?
Look at this selection of articles, which we googled on 12th June 2006:
Lost Ernst & Young laptop exposes IBM staff
Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.
We're not picking on Ernst & Young; really, they picked on themselves. The US Department of Justice seems to treat laptops like weapons, if you read the article. And the US Veterans Affairs department had disks stolen that arguably should never have left its site.
So what can you do?
Simple things first. One valid approach is to make employees personally liable for their laptops at full retail price; that concentrates the mind of the person who walks off to lunch leaving the laptop lying around. And obviously use a cable tether for the laptop, even when it sits on the staff member's own desk; in fact, especially then. But these are physical controls. What about the data on the machine?
Remember the Information Security Policy issue we commented on a few weeks back? The first thing is to have one: only 40% of the people we surveyed had one. Once you have one, you can enforce it.
What does your Infosec Policy say about encryption of data? And is encryption enforced?
How can an employee regularly take data home (as in the Veterans Affairs case) without someone wondering why? Surely there should be some form of access control policy for records such as those removed and then stolen?
Don't assume that a BIOS password will be much of a deterrent to a thief who wants your data, either. Certainly on older laptops they are easy to get around, and in any case a BIOS password only guards the boot process: a thief can pull the hard disk and read it in another machine unless its contents are encrypted. Even so, is the machine password controlled? And should you have another layer of security between the user and the data, such as full-disk or file encryption?
Be paranoid. Assume that the stolen data contains something about you that could cost you your job, perhaps even your relationship at home, if exposed. And make sure you protect it.