The Value of a Stolen Corporate Laptop

Tuesday, January 04, 2011

Bozidar Spirovski


Laptops have become a commodity. Buying a corporate laptop costs nearly the same as buying a desktop PC.

And corporations love laptops for one simple reason: laptops are mobile. When you issue a laptop to an employee, you encourage him/her to take work home. Productivity increases, at no extra cost.

But there is a flip side: the same mobility also puts the laptop at risk of theft. Although the advice to protect your laptop is long-standing, many companies still do not take the issue seriously.

The mindset of managers still needs to be adjusted to the issue.
Because managers speak the language of money, let's make a simple calculation that shows how much your laptop is really worth:

Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2]

  • Cv = Company value (usually declared in annual reports)
  • Lv = Laptop purchase value (including costs of protection: licenses, encryption, GPS)
  • Pl = Position level of laptop user:
      • 10 - CEO/CFO/CSO
      • 7 - Division Manager
      • 5 - Department Head
      • 2 - Senior Employee
      • 1 - Junior Employee
  • ProtL = Protection level of laptop:
      • 10 - hardware-supported full HDD encryption, biometrics, GPS location
      • 7 - hardware-supported full HDD encryption, biometrics
      • 5 - full HDD encryption
      • 1 - password-protected account

This simple calculator can present the financial impact of an unprotected laptop. For example, in a company worth 10,000,000 USD, if the CEO's laptop with no encryption is lost, it can cost the company more than 500,000 USD.
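
The formula applied to a small fleet, as an added example that is not part of the original post: it ranks laptops by impact and finds the lowest protection tier that keeps a loss under a chosen budget. The article does not state Lv for its CEO example, so the Lv figures, the fleet entries and the budget thresholds below are constructed assumptions.

```python
# Scales copied from the article's lists.
POSITION_LEVEL = {"CEO/CFO/CSO": 10, "Division Manager": 7, "Department Head": 5,
                  "Senior Employee": 2, "Junior Employee": 1}
PROTECTION_LEVELS = (1, 5, 7, 10)


def impact(cv, lv, pl, protl):
    """Total Impact Value = Cv * [(Pl^2 / Lv) / ProtL^2], as given in the article."""
    if cv <= 0 or lv <= 0:
        raise ValueError("Cv and Lv must be positive")
    if pl not in POSITION_LEVEL.values() or protl not in PROTECTION_LEVELS:
        raise ValueError("Pl and ProtL must come from the article's scales")
    return cv * ((pl ** 2 / lv) / protl ** 2)


def min_protection(cv, pl, budget, lv_by_protl):
    """Lowest ProtL tier whose impact is at or below budget, else None."""
    for protl in sorted(lv_by_protl):
        if impact(cv, lv_by_protl[protl], pl, protl) <= budget:
            return protl
    return None


def rank_fleet(cv, fleet):
    """Return (label, impact) pairs sorted with the costliest loss first."""
    scored = [(label, impact(cv, lv, POSITION_LEVEL[role], protl))
              for label, role, lv, protl in fleet]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data (assumptions, not from the article).
CV = 10_000_000  # company value in USD, the article's example figure
LV_BY_PROTL = {1: 1500, 5: 1700, 7: 2000, 10: 2500}  # Lv per protection tier
FLEET = [
    ("ceo-laptop", "CEO/CFO/CSO", 1500, 1),
    ("division-mgr-laptop", "Division Manager", 2000, 7),
    ("dept-head-laptop", "Department Head", 1500, 1),
    ("senior-staff-laptop", "Senior Employee", 1700, 5),
]

if __name__ == "__main__":
    for label, value in rank_fleet(CV, FLEET):
        print(f"{label:22s} {value:>12,.2f} USD")
    for budget in (25_000, 15_000, 1_000):
        print(f"CEO laptop, budget {budget:>6,} USD -> ProtL {min_protection(CV, 10, budget, LV_BY_PROTL)}")
```

Because ProtL is squared in the denominator, moving the CEO's laptop from a password-only account to full HDD encryption cuts the computed impact by a factor of 25 before the higher Lv is even counted.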

Securing laptops is a very well-known issue. So when you buy new laptops, you may want to invest in higher-value models in order to provide better protection.

Laptops worth considering for companies are devices with security features like:
  • Full HDD encryption
  • Fingerprint reader, even a retina scanner
  • Trusted Platform Module (TPM) chip (hardware-supported encryption)
  • Even GPS tracking can be added to the protection, but this is only for the most serious systems

Cross-posted from ShortInfosec
Javvad Malik: Interesting post, I've never seen a laptop loss being accounted for in such a scientific method. But I'll give it a go.

Although, I would substitute Pl, instead of having the level of employee, try and ascertain the classification of information on the laptop. Sometimes junior support staff can have more sensitive information on their laptops than their senior counterparts.
Ben Keeley: Have to agree with Javvad. The value of the data needs classification, not the user. For example, a senior network admin is likely to have access to far more data than a Division Manager, as looking after the network/services/servers is part of his/her role.