Computrace: Data Protection for IT, Freedom for Laptop Users

Friday, December 4, 2009
Computrace from Absolute Software is an on-demand endpoint security solution designed to provide robust data breach protection regardless of end user action. Centrally managed via an Online Customer Center, Computrace operates without end user knowledge or assistance - tracking computers regardless of location, remotely deleting sensitive information and assisting police in recovering those computers that go missing.

Perfectly complementing organizational policy and encryption technologies, Computrace addresses data breach protection challenges including:

Emergency Data Delete - Computrace allows IT professionals to remotely delete sensitive information from missing laptops. Organizations can then assess whether they are required to publicly announce a data breach.

Accurately Inventorying Computers - By logging into the Online Customer Center, IT personnel can create near-real-time reports on the computers in their inventory, their configuration, current user and location - whether they are connected to the local area network or in the field.

Recovery - Using Computrace, the Absolute Recovery Team can track missing computers and work with local law enforcement to recover the computer, backed by a $1,000 Recovery Guarantee.

Policy Enforcement - Computrace can detect unauthorized software installations and missing hardware, and can report on software installed - allowing IT departments to ensure that key programs such as anti-virus are current.

Lifecycle Management - In addition to remotely deleting confidential information in emergency situations, Computrace can be used to automatically delete data from computers at lease end or at retirement date.

How Computrace Works

The Computrace Software Agent is built into computers from the world's leading computer manufacturers during the manufacturing process. Customers activate Computrace when they purchase a subscription to Absolute's endpoint security solutions. When a computer protected by Computrace is reported stolen, the embedded Computrace agent sends a silent signal to Absolute's Monitoring Center providing critical location information. Absolute then works with local law enforcement to recover the computer. If the missing computer cannot be recovered within 60 days, the Computrace customer may be eligible for a Recovery Guarantee of up to $1,000. The stealthy Computrace Software Agent can survive accidental or deliberate attempts at removal or disablement. With embedded support in the BIOS of a computer, the Computrace agent is capable of surviving operating system re-installations, as well as hard-drive reformats, replacements and re-imaging.

Case Study: Hospital Employee Tapes Encryption Key to Stolen Laptop

IT and security staff at a 2,400-physician Michigan-based hospital were justifiably concerned when they learned that a nurse's laptop computer had been stolen. Of greater concern was the fact that the nurse had contravened the hospital's data security policy and affixed the laptop's encryption key to the front of the computer. Fortunately, the hospital had protected the laptop with the Computrace endpoint security solution from Absolute Software.

After alerting police, the hospital contacted the Absolute Recovery Team and let the team know that they were very concerned over the health information contained in the laptop. Rather than attempting to physically recover the computer, the Absolute Recovery Team recommended an immediate Data Delete operation to remove the sensitive information from the laptop. Having promptly deleted all sensitive information from the computer, hospital officials maintained the computer's security. Hospital officials estimate that the quick action resulted in cost savings of between $80 and $100 per health record in data breach-related costs.

Endpoint Security Remains Effective When Other Security Layers Fail

Organizations that deal with sensitive information need to provide layers of protection for the data they hold - each layer working to bolster protection. With endpoint security at the core of security strategies, organizations are able to remotely delete data and physically recover stolen computers in the event that other security strategies are compromised.

Lessons from Recent Data Breaches

Data breaches that went unnoticed historically are now highly-publicized affairs as a result of recent state data breach legislation.

Boston, Massachusetts - Forrester Research announced that a laptop stolen from one of the research firm's employees had potentially exposed the names, addresses and social security numbers of an undisclosed number of employees and directors. In a letter mailed to those affected, Forrester's Chief People Officer Elizabeth Lemons indicated that the laptop was password protected but made no mention of encryption. The incident proved especially embarrassing for the research firm that often consults on data security strategies for mid-market and Fortune 500 companies.

Aspen Hill, Maryland - U.S. Department of Veterans Affairs announced that a notebook computer containing the names, birthdates, Social Security numbers and limited health information of 26.5 million veterans and active-duty military personnel had been stolen. It took Veterans Affairs officials more than two weeks to publicly disclose the breach. The laptop, stolen from a data analyst working for the VA, became part of the largest data breach in U.S. history. The theft prompted a series of hearings in the U.S. Congress that criticized the VA's data security processes and resulted in legislation that compels the VA to immediately notify Congress in the event of a data breach.

Detroit, Michigan - Blue Cross Blue Shield of Michigan announced in a Website statement and via personalized letters to members that the information of approximately 1,560 members and two staff had been breached. Information contained on a laptop stolen from an employee's home included names and health insurance contract numbers. Approximately 120 records also included Social Security numbers. Despite BCBSM internal policy that requires the encryption of health information and closely monitored circumstances that allow downloading health information onto portable devices, the employee's laptop was unprotected. Disciplinary actions are pending completion of investigations into the incident.

Survey Sheds Light on Holes in Data Breach Protection

In September 2007, Research Concepts LLC asked 185 members of NetworkWorld's Technology Opinion Panel about the state of computer and data security in their organizations. The results revealed that, although computer and data security are high priorities for corporations, they are nevertheless unprepared to prevent data breaches and computer theft. Common approaches to computer security aimed at minimizing the possibility of data breach were consistently undermined by employees. Indeed, those surveyed reported that only one in 100 employees consistently follows corporate data and security policies.

Physical Security and Authentication

The simplest form of laptop computer security involves protecting the computer and its physical environment. According to Research Concepts, more than 31% of organizations surveyed provide laptop users with cable locks to secure their computers when out of the office. Nearly 94% reported the use of password-based authentication on laptop computers. Interestingly, this same survey group indicated that they believed employees were responsible for most incidents of data breach within their organizations. Clearly, many organizations believe that despite basic precautions such as providing laptop locks and password-protecting computers, employees remain the weakest link in security plans.

Data Breach Regulation Across 37 States

In 2002, California Senate Bill 1386 added a new, public dimension to regulatory compliance. In the event of a data breach such as a lost laptop computer containing sensitive information, the bill requires organizations to notify all parties whose personal information has been exposed.[5] Following California's lead, 36 additional states have enacted similar data breach laws. The Ponemon Institute estimates that it costs a company $197 per missing record when a breach occurs.

Organizational Policy

Research Concepts found that 58% of organizations currently promote policies for the safe use of mobile computing devices and for accessing sensitive files. The University of Miami Office of HIPAA Privacy and Security, for example, details the circumstances under which students and medical staff may download electronic protected health information to a laptop computer. The fact remains, however, that despite these organizational policies, busy salespeople, unknowing marketers and harried administrative staff will contravene policy and load sensitive information onto portable computers. With more than 600,000 laptops stolen each year in the United States, companies relying on organizational policy to protect sensitive data will continue to fuel data breach media headlines.

High Tech Protection: Encryption and IT Asset Management

More than 50% of organizations surveyed by Research Concepts indicated that they protected sensitive information with encryption software. A further 43% reported the use of asset tracking software. Simply knowing where all mobile computers are located is a powerful security measure; however, traditional IT asset management solutions are designed to track only those laptops that connect to a local area network (LAN) or virtual private network (VPN) connection. For a large proportion of laptop users, returning to head office is an intermittent event - allowing many laptop computers to remain below the radar of IT.

Encryption software is commonly referred to as the computer security "fall back". In the event that a computer protected by organizational policy and physical deterrents is stolen, sensitive information on the laptop is made unreadable by encryption. For encryption software to be effective however, laptop users must consistently and accurately follow company encryption policy. Even more worrisome is the fact that more than 30% of companies believe employees are actively involved in the theft of company computers. Armed with the necessary passwords and encryption keys to access data, disgruntled or dishonest employees represent a threat that cannot be addressed by encryption alone.

The common failing of these laptop security measures is the fact that they are heavily reliant on the diligent action of laptop-using employees to remain effective. If a cable lock is not used, an authentication password is taped to the keyboard for convenience or a regular encryption process not completed, organizations remain unnecessarily vulnerable to public data breach. By the same token, complex, expensive and ultimately productivity-dampening security measures may be effective but greatly reduce the benefits of laptop computers. Endpoint security solutions complement other security measures by providing a final, user-independent layer of protection.

Stolen Laptop Leads to Dismissal

"Just last month, security company VeriSign (VRSN) announced that a contract worker reported that her laptop, which held employee information, was stolen from her car. The employee no longer works at the company. A company spokeswoman told InformationWeek at the time that the woman, who worked in VeriSign's human resources department, failed to comply with company policies that mandate that data be encrypted and that employee information not be downloaded on laptop computers."

Endpoint Security: Data Protection for IT, Freedom for Laptop Users

The worldwide shift from stationary desktop computers to highly-portable laptop and tablet PC computers offers organizations increased productivity, flexible work schedules and greater work/life balance. Driven by the need for increased productivity and the ability to present up-to-date information at a moment's notice, secure mobile computing can be an organization's greatest strength. However, research indicates that lost or stolen laptop computers cause nearly 50% of public data breaches.[3] With recently expanded state data breach legislation, even a single lost or stolen computer can expose organizations to the negative publicity and increased costs associated with public data breaches.

To protect themselves, many organizations have developed sophisticated IT asset use policies while others have combined policy with encryption technology in hopes of better securing computers and the sensitive information they contain. While these are necessary steps, organizations still struggle to compensate for the "human factor." According to a recent survey of 1,400 enterprises, more than 60% of data breaches are the work of those operating within the firewall - insiders such as employees, contractors and others with ready access to sensitive information.[4] Accidentally or by design, employees will always be the weakest link in computer security strategies that rely on their diligence to provide consistent protection.

Rather than imposing strangling IT asset policies aimed at forcing end users to comply, endpoint security strategies use centrally-managed technology to ensure that mobile devices such as laptops secure themselves. Using readily-available computer theft recovery, remote data delete and Internet-based IT asset management, organizations can free end-users from computer security responsibilities while ensuring maximum protection for computers and the information stored on them.

Endpoint Security Defined

Endpoint security is a security strategy that emphasizes distributing security software onto end-user devices such as mobile devices or laptop computers while retaining central management over the security software. Traditionally, organizations used corporate firewalls and other intrusion detection systems to protect corporate networks from potentially compromised endpoints. In today's laptop-dominated environment, endpoint security strategies place the responsibility for security on the device itself. This next generation of security strategy is already common in the form of anti-spam filters, desktop level firewalls and anti-virus software programs. Recognizing that organizations cannot rely on end-users to consistently follow IT policy or diligently apply security software, endpoint security seeks to eliminate the requirement for end-user involvement to be effective.

Potential Solution to the Problem

Since reuse is the highest order of recycling, inventory asset liquidation customers of some specialized, private marketplace auction services providers are already practicing a WEEE-compliant form of recycling (that is, reuse) by selling excess, refurbished, and returned products through their auction platforms. The disposition of product for secondary use prolongs the useful life of the product, thereby deferring the costs of recycling and netting cash to a company's bottom line; profit recovery is maximized through competitive bidding. The audit trail of products listed, products sold, and registered bidders can be included in the tracking and reporting of take-back and recovery programs. However, ensuring complete WEEE compliance is essentially a network management problem. It entails managing the collection of products via licensed carriers and the coordination of sorting and disposing of products within authorized facilities. It also includes managing the resale of products to ensure the highest possible recovery rate and tracking treatment through certified recyclers. Most manufacturers, recognizing that their core competence lies in product design and marketing, will elect to outsource compliance management to a partner organization or third party logistics (3PL) provider. To that end, a manufacturer can do one of the following:

* Establish a private take-back program, which would involve a manufacturer establishing a product recovery network consisting of specified drop-off and pickup locations, collection and transport networks, and remarketing and recycling partners. The network management may be administered in house or be outsourced to a service provider such as the company's 3PL. As an example, Dell Computer is an early leader in private take-back programs with door-to-door, consumer-level pickup of waste equipment at the time of new product delivery.

* Join a consortium whereby groups of companies may elect to join together to establish branded take-back programs. The operational coverage is essentially the same as that in a private WEEE compliance program, with the difference being that the member companies fund a joint operational entity to manage the network. A prominent Paris, France-based consortium is that of Braun, Electrolux, HP, and Sony, known as the European Recycling Platform (ERP). ERP chose as general contractors CCR, a German company that has dealt with automotive waste such as scrap metal, and Geodis, a French company with experience in IT take-back. Each company will handle selected EU countries, together providing a pan-European recycling operation.

* Join a national take-back program that will provide consumer-accessible collection points where a variety of products can be returned. Recycling is managed for the group by an internally appointed office, and the cost of recycling is borne by the member organizations, prorated according to their country sales volume by weight. Some good examples include NVMP in the Netherlands, RECUPEL in Belgium, Alliance-Tics in France, and Gambica and Repic in the United Kingdom (UK).

Whichever option a manufacturer chooses, it can envision the following three-step process to ensure an integrated and compliant inventory asset recovery:

1. Product Recovery, since manufacturers will be required to provide extensive networks for product recovery, from consumer drop-off to retailer, distributor, or municipal aggregation. As the manufacturer (or its agent) takes possession of the recovered product, the first capture of product category information should be completed, and related data stored in some appropriate WEEE compliance portal. The key tracking identifier in the portal would be the WEEE consignment note (WCN).

2. Controlled Product Disposition, since, whether on-site, in channel, or at a recycling center, the next step in the process is sorting, where the product is directed for resale or reuse, recycling, partial harvesting, or destruction. As appropriate, the WCN should then be broken down into sub-notes to ensure complete traceability.

3. Certified Destruction, whereby the product to be scrapped is routed to recyclers that are certified, registered members of the portal. As the product is disassembled and ground and components or materials recycled or salvaged, the relevant information would be recorded against the WCN(s). Certificates of destruction should then be stored within the database of the specialized, private marketplace auction services provider for auditing and reporting, whereby weight-in and weight-out transactions ensure data completeness to regulatory specifications.

As for proving compliance, compliance reporting of the required percentage of reuse and recycle will be aggregated by weight per time period. The provider of specialized, private marketplace auction services would store product weights cross-referenced to product categories for reporting and reconciliation. Whether reporting is aggregated by weight or detailed by product category, the compliance portal should capture the requisite source data in the three steps above. Combined reuse and recycling data would then be stored in the same database to simplify the reporting process and to ensure compliance with a minimum of overhead. The information generated should help the recycling company iron out collection inefficiencies in the short term, while on the other hand, it could affect product design in the long term for the manufacturer. One could imagine how useful feedback from the recycling facility could be, even if it is something as simple as a list of products that create the highest costs because they are hard to take apart.

Still, despite their existing solutions' fit, some private marketplace auction services providers have made the strategic decision to defer officially entering the WEEE space until the legislation is more clearly defined. In other words, they are taking a pause while the legislation evolves and the EU market matures, especially across the greater EU (let alone other, less environmentally friendly global regions). This is but a small reprieve for affected manufacturers and importers to "catch their breath." They should definitely start to devise strategies on how to comply at the end of the day, since it is only a matter of (not too long a) time before the WEEE legislation resolves any kinks it may currently have.

The Realities of Manufacturing Today

Nowadays manufacturers are increasingly subject to massive pressures due to the need for driving down costs and increasing efficiency. What makes things worse is that with product life cycles decreasing, manufacturing and distribution are increasing in complexity. This, for the manufacturer, translates into a need to better manage customer demands and expectations and to respond accordingly. Furthermore, manufacturers of electrical and electronics equipment must comply with a growing array of strict environmental regulations, many of which have already been implemented in the European Union (EU) and the United States (US). More regulations are pending in Japan, China, and other countries. As in many other industries, the cost of compliance can be high, but the cost of noncompliance can be far greater. Thus, the industry winners have to gain the capabilities they need to adapt their businesses to meet regulatory requirements—from product design to compliance reporting, and from sourcing and procurement to service and repair—so that they can avoid costly penalties and product recalls, optimize processes to comply with changing regulations, build trusted brands, and protect shareholder value.

Such manufacturers will have to turn somewhere to comply with these high-tech and electronic industries' significant and stringent environmental policies. Specialized, private marketplace service providers that offer auction platforms to off-load a company's excess and obsolete (E&O) inventory are the logical outlets for manufacturers to use in order to ensure compliance with these new regulations. Ideally, these providers should have an established number of treatment recycling and transportation management company partnerships. An environmental policy came into effect in August of 2005 for member states of the EU. The Waste Electrical and Electronics Equipment (WEEE) Directive 2006/96/EC sets recycling and reuse standards across a variety of industries from home appliances to computer products. The WEEE directive holds the manufacturer (producer) ultimately accountable for recovering products and for recycling up to 75 percent of the material content by weight. Failure to comply results in the manufacturer paying a penalty of 2 percent of its annual revenue. In other words, the WEEE directive establishes rules for the collection, treatment, recycling, and recovery of electronic waste in the EU. It states that electronics manufacturers and importers must manage and pay for the recycling of electrical and electronics waste.

In addition, the WEEE legislation's directive states that electronic product manufacturers, excluding retailers and distributors, are responsible for providing take-back programs for all electrical and electronic equipment sold in the EU's member states, as well as in Norway and Switzerland. The directive defines, prescribes actions, and sets regulatory milestones for the collection, treatment, recovery, and financing of discarded electrical and electronic equipment across ten product categories. These ten categories range from information technology (IT) and telecommunications equipment, large and small appliances, and tools to toys and leisure equipment. Naturally, product reuse (that is, the resale or reuse of whole appliances for their original intended function) is to be given priority over recycling. For IT equipment, telecommunications, and consumer electronics that do not have a whole product reuse option, 75 percent of the product weight must be proven to be recycled. New products must be marked with "do not trash" symbols, and information on product disassembly must be provided by manufacturers. The target date for commencement of these programs was August 13, 2005. Since then, the EU member states have been obliged to provide for the financing of the collection, treatment, recovery, and environmentally sound disposal of waste electrical and electronic equipment. They have had to set up separate collection systems to eliminate the disposal of such products into municipal waste. To that end, distributors must ensure that waste of the electronics equipment can be returned to them free of charge, and manufacturers must set up and operate individual or collective take-back systems.