You probably read the story a few months back about Qualcomm CEO Irwin Jacobs' laptop being stolen. It seems that not long after he'd delivered a presentation at a business journalism conference in Irvine, Calif., Mr. Jacobs' personal IBM ThinkPad vanished. From the lectern, mind you. In it, we are told, was years of confidential corporate information--megabytes of unquestioned value.
We'll adroitly sidestep any comments on how this reinforces the popular perception of the scruples of journalists to focus once again on the yawning breach in corporate security that is opened each time one of your employees heads out to do business off-site.
Repeat after me: When you go on the road, your confidential data goes on the road with you unless you make sure it doesn't. When your salesfolks and marketing executives and development engineers go to meet clients, they take with them product databases and pro forma contracts and business plans and spreadsheets of financial projections and client contacts and contract details.
The modern vision of being a road warrior is to be self-sufficient, carrying with you everything you need to do business, whether it be the phone or fax setup you need to communicate or the information you need to be able to answer a customer's question on the spot.
It's a fantasy, of course--an expensive one, as you likely know. (Need I add it's also in large measure a testosterone-driven fantasy?)
Arguably the most dangerous part of that fantasy is the warrior imagery: commercial traveler as armored knight, or some such, impervious to attack.
By some estimates I've seen, fully a third of the average company already is doing business using mobile devices--typically laptops and portable phones. Safeware, an insurance agency in Columbus, Ohio, that specializes in covering computer equipment, reports that last year claims for losses of portable computers accounted for 88 percent of its total claims. Of the $1.9 million in computer-related claims, nearly $1.75 million were for notebook PCs. Accidents accounted for the majority of those notebook claims, but 29 percent were for theft.
That's theft as in car window broken and briefcase stolen from behind the front seat. Theft as in briefcase gently lifted away while owner is reading a newspaper at an airport gate. Theft as in laptop vanishing from a hotel room where it had been left on a closet shelf since it wouldn't fit into the in-room safe. Or even theft as in laptop walking away from a speaker podium while the presenter's back is turned.
There are devices that can help, of course. Most laptops have security slots into which cables can be locked to secure the machines so they can't be moved--assuming, of course, that the cable is also attached to something immovable. Alarms are available that will announce in unmistakable terms that something of yours is being moved without authorization.
There are techniques and approaches to security. One corner of a closet in my office is a graveyard for shiny black logo-emblazoned faux-leather carrying cases--the ones supplied with new laptops that announce, "Hey, I'm carrying a valuable portable computer!" When it comes to carrying cases, it's a case of ego versus security; if an old, somewhat funky non-computer-looking case will get you through unscathed without harming your business image too much, that's the way to go.
But whatever the case looks like, don't let go of it. Ever. In Britain, an intelligence agent lost a laptop when he put it down and turned his back on it to buy a ticket. National security may not be at stake, but if losing a laptop could imperil your company's business, don't leave it in a hotel room or checked anywhere. Simply put, don't ever let it out of your sight.
Finally, there are software tools that will lessen your company's risk and exposure. Password protection is essential, of course, along with a policy that keeps employees from using their initials or their birth dates or their dogs' names as their password for years on end. Encryption, of at least critical data files if not the entire drive, is worth considering. Additional security can be obtained by deploying access control, in the form of smart card or token-based authentication plus dynamic passwords that change regularly.
This particular aspect of data security will be less of a problem in coming years. As we have noted in this corner previously, laptops will become less important over time, for two related reasons: Compact information appliances will prove their worth in particular vertical industries, and the ASP/thin client model will diminish the need for the road warrior to transport applications and data herself. Devices without substantial built-in memory can be annoying, of course, since they need to be connected to allow access to data, but they are also considerably more secure for that same reason. (We should also note that hotels finally are getting considerably better about providing business travelers with appropriate working tools.)
Among the terminally cool, those pocket tools are the buzz. Some have already demonstrated their value--the RIM 957's ability to push corporate e-mail from an Exchange Server to your pocket is justly gaining widespread praise. Others haven't yet, but likely will--the Springboard plug-ins for the Handspring Visor, for example. We in the technology press have recently survived the huge Comdex trade show in Las Vegas, which was wall-to-wall wireless devices in search of users. For some of those devices, at least, those users will certainly come in time.
For now, though, your employees will continue to carry a mix of laptops, palmhelds and portable phones. And security will continue to be an under-appreciated threat to your business, as Mr. Jacobs found out. Once your IS department has done all it can to safeguard devices and data and make that security simple to use, the rest of the job involves an enterprise-wide focus on culture and training.
The culture part is important because security and convenience pull against each other, and convenience has a strong positive value for the business traveler. To counterbalance that, a company's core values must include defensive thinking about risks. A culture of awareness isn't limited to security issues alone, of course. It's about employees valuing the business, understanding the competitive environment in which they operate and always making decisions that safeguard the company's best interests.
Being able to do that in this context, though, requires training in security awareness. So this training should be both a standard part of employees' orientation and a just-in-time resource available as they prepare to head out on the road.
It's a hassle, no question about it, a cost in equipment, time and resources. Is it worth it? Let's rephrase that question: What is your laptop, as it's configured right now, worth to your strongest competitor?