The Value of a Stolen Corporate Laptop

Tuesday, January 04, 2011

Bozidar Spirovski


Laptops have become a commodity. Buying a corporate laptop costs nearly the same as buying a desktop PC.

And corporations love laptops for one simple reason: laptops are mobile. When you issue a laptop to an employee, you encourage him/her to take work home. Productivity increases, at no extra cost.

But there is a flip side: this same mobility also puts the laptop at risk of theft. Although the mantra of protecting your laptop has been around for a long time, there are a lot of companies that do not take this issue seriously.

The mindset of managers still needs to be adjusted to the issue.
Because managers speak the language of money, let's make a simple calculation that shows how much your laptop is worth in terms of impact:

Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2]

  • Cv = Company value (usually declared in annual reports)
  • Lv = Laptop purchase value (with costs of protection - licenses, encryption, GPS)
  • Pl = Position level of laptop user:
      • 10 - CEO/CFO/CSO
      • 7 - Division Manager
      • 5 - Department Head
      • 2 - Senior Employee
      • 1 - Junior Employee
  • ProtL = Protection level of laptop:
      • 10 - hardware-supported full HDD encryption, biometrics, GPS location
      • 7 - hardware-supported full HDD encryption, biometrics
      • 5 - full HDD encryption
      • 1 - password-protected account

This simple calculator can present the financial impact of an unprotected laptop. For example, in a company worth 10,000,000 USD, if the CEO's laptop with no encryption is lost, it can cost the company more than 500,000 USD.
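
The formula applied to a small fleet, as an added example that is not part of the original post. The scales and the formula come from the article; the company value matches its example, while the laptop names, Lv prices and the upgrade cost are constructed for illustration.

```python
# Scales as given in the article.
POSITION_LEVEL = {"CEO/CFO/CSO": 10, "Division Manager": 7, "Department Head": 5,
                  "Senior Employee": 2, "Junior Employee": 1}
PROTECTION_LEVEL = {"fde+biometrics+gps": 10, "fde+biometrics": 7,
                    "fde": 5, "password": 1}

def total_impact(cv, lv, pl, protl):
    """Total Impact Value = Cv * [(Pl^2 / Lv) / ProtL^2], same terms regrouped."""
    if cv <= 0 or lv <= 0:
        raise ValueError("Cv and Lv must be positive")
    if pl not in POSITION_LEVEL.values():
        raise ValueError(f"Pl {pl} is not on the article's scale")
    if protl not in PROTECTION_LEVEL.values():
        raise ValueError(f"ProtL {protl} is not on the article's scale")
    return cv * pl**2 / (lv * protl**2)

def rank_fleet(cv, fleet):
    """Return (impact, name) pairs, highest impact first."""
    rows = [(total_impact(cv, lv, POSITION_LEVEL[role], PROTECTION_LEVEL[prot]), name)
            for name, role, lv, prot in fleet]
    return sorted(rows, reverse=True)

def upgrade_saving(cv, role, lv, prot_from, prot_to, extra_cost):
    """Impact removed by an upgrade. The extra cost is added to Lv, because
    the article defines Lv as purchase value including protection costs."""
    pl = POSITION_LEVEL[role]
    before = total_impact(cv, lv, pl, PROTECTION_LEVEL[prot_from])
    after = total_impact(cv, lv + extra_cost, pl, PROTECTION_LEVEL[prot_to])
    return before - after

CV = 10_000_000  # company value from the article's example
FLEET = [        # constructed sample data: (name, role, Lv in USD, protection)
    ("ceo-laptop", "CEO/CFO/CSO", 1800, "password"),
    ("senior-laptop", "Senior Employee", 1500, "password"),
    ("division-mgr-laptop", "Division Manager", 2000, "fde"),
    ("junior-laptop", "Junior Employee", 1000, "password"),
]

if __name__ == "__main__":
    for impact, name in rank_fleet(CV, FLEET):
        print(f"{name:22s} {impact:12,.2f} USD")
    saving = upgrade_saving(CV, "CEO/CFO/CSO", 1800, "password", "fde", 200)
    print(f"CEO upgrade to full HDD encryption removes {saving:,.2f} USD of impact")
```

In this sample the encrypted Division Manager laptop ranks below the password-only Junior Employee laptop, because ProtL enters the formula squared in the denominator.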

Securing laptops is a very well-known issue. So when you buy new PC laptops you may want to invest in higher-value laptops, in order to provide better protection.

Interesting PC laptops for companies should be devices with security features like:
  • Full HDD encryption
  • Fingerprint reader, even retina scanner
  • Trusted Platform Module (TPM) chip (hardware-supported encryption)
  • Even GPS tracking can be added to protection, but this is only for the most serious systems

Cross-posted from ShortInfosec

Javvad Malik: Interesting post, I've never seen a laptop loss being accounted for in such a scientific method. But I'll give it a go.

Although, I would substitute Pl, instead of having the level of employee, try and ascertain the classification of information on the laptop. Sometimes junior support staff can have more sensitive information on their laptops than their senior counterparts.

Ben Keeley: Have to agree with Javvad. The value of the data needs classification, not the user. For example, a senior network admin is likely to have access to far more data than a Division Manager, as looking after the network/services/servers is part of his/her role.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.