According to a leading insurer of computers, this nightmare scenario turned into reality for some 387,000 people in the US last year, up nearly 20 percent from 1999 (estimates by Safeware, of Columbus, Ohio). This article offers advice on how to prevent this from happening to you, and how to minimize the damage if, despite your best efforts, it happens anyway. But first, a cautionary tale that is not an exercise.

Nightmare Scenarios

Last year, the Chairman and CEO of a major hi-tech company, Qualcomm, used his notebook computer to make a presentation to the Society of American Business Editors and Writers. The location was entirely respectable, the Hyatt Regency Hotel in Irvine, California. After the presentation a bunch of journalists gathered around to ask questions, during which time, someone stole the notebook. On the machine's hard drive were some of Qualcomm's most valuable trade secrets (valued in the millions).

The questions raised by an incident such as this come fast and furious. Was the theft preventable? Who has those secrets now? Was the data protected? Was it corporate espionage? Why was the machine stolen? In fact, it is the last of these questions that really takes us to the heart of the issue for notebook users. For there is no single reason for notebook computer theft. It could be for cash or content, malice or kicks. For example, the machine might be resold on eBay for maximum profit, or sold cheap on the street for quick drug money. It could be taken home by a jealous co-worker or stranger. It used to gain access to proprietary data and systems.

The very uncertainty over motive is what makes this type of incident so damaging. Without additional clues, you just don't know if it was simple avarice or complex industrial espionage. If the latter, you don't know if it was perpetrated by a competitor or a free agent. And you might not know the answer until you get beaten to market by a competing product that looks suspiciously like the one that was detailed on your stolen machine, or you lose a bid to the competition because that had a copy of your pricing formulas.

Fighting Back

Could the Qualcomm incident have been prevented? Possibly. The best protection for notebook computers consists of three things: a healthy paranoia, a clear awareness that things like this can happen, and a firm grip on the machine itself. One can sympathize with the CEO of Qualcomm, who was in the company of professionals, in a respectable hotel, and never more than thirty feet from his notebook at any time. But in the end, this simply underlines the fact that you need those three things.

When you take the notebook out of the office, never let it out of your site and preferably never out of your grip. When staying in a hotel you place the notebook in the room safe when you are not in the room. If there is no room safe, take it with you wherever you go (yet another reason to consider an ultra lightweight machine like the Omnibook 500). You most certainly do not go out to dinner leaving your notebook on, with the screen glowing through an uncurtained hotel window like a beacon to thieves.

When traveling you watch out for crowds and bustle, in airports and on
the street. Hustle and bustle is the perfect cover for snatchers. At airport security checks you don't put your notebook through the X-ray machine until you have a clear path through the metal detector (hopefully you have already made it a point of pride to clear metal detectors on the first try). And if someone holds up the line be extra alert. Watch for a second person on the other side of the check point to be working a block-and-snatch scam. Consider toting your notebook in a bag that doesn't scream "notebook inside." And if you use a bag with a shoulder strap watch for street thieves strap who use razors to slash the strap and grab the back.

But beware of thinking that physical security for notebook computers is all about being a savvy road warrior. A lot of notebooks go missing from the office. And again, it pays to be paranoid. Start by making sure you are using proper inventory tracking. Log all machines accurately and in detail. This is both a theft deterrent and a great aid in recovery should a machine go missing. HP notebooks provide TopTools Asset Tracking Number, PC Identification Number, and an Electronic Security Number. Also invest in a restraining cable to lock your notebook down while you are away (all HP notebooks have the requisite Kensington lock slot). And consider putting it in a locked drawer if unattended for extended periods. If you are using a docking station, use the dock lock and set an undocking password.

Let's Get Logical

An anchor cable or a firm grip on the device is the best physical protection. But if the device is stolen, you need good logical protection mechanisms for damage control. Company policy should require BIOS passwords be implemented on notebooks. While BIOS passwords are not foolproof, they present a significant obstacle to all but the most determined data thief. This is particularly true for owners of HP notebooks which feature DriveLock. By hiding a copy of the BIOS password in a chip on the hard drive, DriveLock defeats a data thief who removes the drive and tries to access it from a different computer one (a weakness in the BIOS password protection on other systems).

If you have sensitive data on the device it should be encrypted. There are many programs that encrypt folders, such as PGP. These typically require knowledge of the password in order to provide access to sensitive files. You can take this a step further with HP Mobile ProtectTools Smart Card Kit, which enables files to be encrypted using a key stored on a smart card that can be accessed through a reader in the PC Card slot. Without the smart card and a PIN, other users can't read your private files, nor can they encrypt new files. If someone copies your private files to a different HP OmniBook notebook PC, those files can only be read if a de-encryption key is generated using the unique smart card that created the files-and the original user password.

As more and more valuable data resides on mobile devices, and mobile devices become access points for corporate networks, hardware authentication such as smart keys and Universal Serial Bus (USB) tokens, plus biometric authentication, using devices like fingerprint readers, will become more widespread. Tokens and smart cards that contain digital certificates will be deployed extensively because they can double as desktop and laptop keys. We will also see deployment of IPAA, the Intel Protected Access Architecture, a pre-boot security system which integrates additional software and hardware components, via the notebook BIOS, to provide an added level of protection, For example, after turning on the laptop, the user could be required to "authenticate" himself or herself by using a fingerprint reader or a USB token. Once the user has been authenticated, the password-protected hard drive automatically unlocks, and the computer boots.

Conclusions

The two main challenges of notebook security are preventing theft in the first place, and denying unauthorized access to data in the second place. But that is not the end of the story. Notebooks that go out into the world are notorious for returning with unwanted guests, computer viruses and Trojan Horse programs that has been picked up while attached to foreign networks. For that reason, regular virus-scanning of notebooks is a must. So too are so-called "personal firewalls." These are programs like Zone Alarm, which protect a notebook's network and Internet connection. These can stand in for the corporate firewall when the notebook is out of the office. In short, we have both the technology and the methodology to protect notebooks. But in too many organizations the message is not getting to the troops. This requires training and awareness programs that make sure everyone knows the risks, and the steps required to minimize them.