December 22, 2000, 11:01 AM — DAN COOLIDGE WOULD NEVER WORK on sensitive documents in public. He watches his laptop so closely that if he is detained at an airport security checkpoint, he's not shy about announcing loudly that that's his bag on the conveyor belt. And he encrypts all the client-related information on his hard drive. "It's a little inconvenient," admits Coolidge, an attorney at Boston law firm Fish & Richardson and coauthor of A Survival Guide for Road Warriors: Essentials for the Mobile Lawyer (American Bar Association, 1996). "It might take 30 seconds to get at that file instead of five seconds, but I sleep nights."
Most users aren't so vigilant. In the past year, the U.S. State Department and Britain's intelligence agency both hit the headlines with embarrassing breaches of security through simple laptop theft. In a survey done by the San Francisco FBI Computer Intrusion Squad and the Computer Security Institute,
45 percent of respondents reported laptop thefts in the past year, and security vendors claim that as many as one in every 10 laptop computers is stolen. A $1,000 laptop -- a significant loss to most consumers and a tidy gain for the thief -- is a drop in the corporate bucket compared with the loss of the device's information. Not only is it inconvenient to try to rebuild files, but more significant losses can occur if someone uses the device to access sales contacts, financial records, trade secrets, military plans or even just salary records. One former systems consultant at an insurance company in the Northeast recalls that a manager's laptop computer containing all his staff's salary information was stolen right off his desk in the middle of the day. The CIO, beleaguered by the challenges of a recent merger, never found out whether the laptop was swiped by an outsider or an internal thief.
Such thefts are not uncommon, but implementing and enforcing policies that protect laptop and handheld computers is cumbersome and expensive. "Executives don't necessarily see the payback," says Adam Braunstein, a senior research analyst at Westport, Conn.-based Robert Frances Group (RFG). "Everything is always ROI -- implement a solution, make products faster, make more revenue -- versus this, which is preventing something bad that may not have happened anyway." True, technology chiefs and their lieutenants must constantly weigh risks and rewards. "Like most things in life, once you have reached a certain level of control, to make it to 99.9 percent secure, the cost becomes disproportionate to the risk," says Bud Albers, CTO of Seattle-based Getty Images. As mobile devices become smaller and their uses bigger, IS executives are faced with the challenge of establishing workable policies and procedures that protect hardware, data and network connections that may be out of their physical reach, all the while accounting for the really tricky part: getting free-wheeling mobile users to follow the rules.