Protecting Campus Data

Protecting Campus Data

Portability can have its price. Here's how IT managers deal with stolen laptops.
By:

Laptops are a modern marvel. They are portable, able to process amazing amounts of data, but, oh, so easy to steal. At least 600,000 laptops are stolen every year, according to a technology firm that helps protect data and locate missing machines. According to the Federal Bureau of Investigations, 97 percent of those stolen laptops are never recovered.

That means a lot of data ends up in the wrong hands.

Several software companies specialize in recovery and security, making products that either lock thieves out of certain files or destroy stolen data. Some recovery services even trace stolen laptops and help recover them.

The stolen laptop will call back to an office every 15 minutes to reveal its location.

Given the proliferation of laptop programs in higher education, it makes sense that IT managers are looking to these services to protect assets.

The recent headline-grabbing case of the laptop flinched from the Department of Veterans Affairs was notable, in part, because the machine contained 26.5 million personnel records. In a rare turn of events, the laptop was recovered.

In the world of higher education, there have been dozens of IT security incidents, including one at California Polytechnic State University, located in the town of San Luis Obispo. A laptop, stolen in July from a physics professor's home, contained the names and Social Security numbers of 3,020 students. University officials had to send out warning letters to all students who had been enrolled in particular physics and astronomy lectures between 1994 and 2004.

While all such breaches are serious, it is especially problematic when Social Security numbers are involved because thieves can use them to obtain credit cards and make unauthorized purchases.

Last year, University of California, Berkeley, issued a notification about the theft of a laptop that contained data on 98,000 graduate students and applicants. The laptop, which had been left alone for only a few minutes, was taken from a restricted area, according to reports. The university paid a reported $2.4 million in notification costs to those whose data may have been exposed.

The topic of data theft was "interesting, but not really compelling, until privacy rules from California required disclosure," notes International Data Corp. analyst Chris Christianson.

In 2003, the state of California adopted legislation that requires all companies and organization doing business there to protect data and to notify those whose information has been compromised by a security breach. Since 2003, 32 states have adopted similar legislation, and U.S. Sen. Diane Feinstein (D-Calif.) continues to work on passing a federal law.

One campus of William Penn University (Iowa) began using LoJack for Laptops last year. The program is one of several IT security products produced by Absolute Software. The company also offers Computrace, which helps secure data and track lost or stolen portable machines. This particular WPU campus, located in West Des Moines, is geared to non-traditional students, such as adults coming back to school and working executives. Laptops are an integral part of every academic program, notes Curt Gomes, IT supervisor.

To date, this campus has outfitted 500 laptops with IT security programs. "We figure we will take any steps to help prevent a theft," Gomes says. The policy is key, considering that students are financially responsible for the laptops issued to them. Gomes estimates that the cost to replace a university laptop and related software is $2,000.

No sooner did WPU become an Absolute customer in October 2005 than the software was put to the test. A woman had her laptop stolen midmonth. Through the company's installed tracking protocol, the police were able to locate the laptop and return it within a week.

The Computrace program works as a "digital security cable," explains John Livingston, Absolute's CEO. If the stolen laptop is connected to the internet, it will call back an Absolute office every 15 minutes to reveal its location. The internet communication-undetected by the thief-also allows Absolute to send back commands that can erase files, if instructed by the laptop's owner.

This particular software, and similar programs, depends on password protection. Any user has to be correctly identified through a multiple series of passwords and other identification codes in order to enter any protected files. It is the combination of fumbled passwords and the report that a machine is stolen that sets the tracing software into action.

The software also prevents thieves from doing more mischief, like erasing the hard drive and all the software on it. Basically, Absolute's LoJack program works with computers at the BIOS stage (the basic input/output system), which kicks in before the OS, or operating system, goes to work. This means the OS is protected at all times.

"We don't disable the computer, because we don't want to notify the thief." -Bradley Lide, CyberAngel Security Software

"Someone may think they are deleting everything on the hard drive or all the software, but they can't," says Gomes. Absolute's security goes as far has helping to issue search warrants or subpoenas for stolen machines.

Another company, CyberAngel Security Software, offers data protection to the University of Toledo (Ohio) and Brown University. Toledo became a client after two laptops were lost last year, compromising thousands of faculty and alumni files.

The company offers five software programs, including the CyberAngel Security program and Laptop Locks.

"Our main focus is data protection," explains Bradley Lide, president and CEO. Laptop users have to not only enter a password to gain access, but must also correctly fill in the codes for secondary and even tertiary prompts. Those who fail to log in correctly at all the various stages are denied access to files that have been pre-designated by the users as to be off limits.

"We don't disable the computer, because we don't want to notify the thief," explains Lide.

The IT team at the University of Miami (Fla.) is taking a different approach by creating a homegrown proprietary encryption system that will seal sensitive data on employees' laptops and PDAs.

The university is rolling out the program later this year to protect the information stored on the laptops of admissions counselors, attorneys, and other administrators, says Tim Ramsay, associate vice president of computer operations and telecommunications. Users will have to fill out several "scripts" of passwords and site key information to gain access to information about applicants, their SAT scores, and other data.

Two UM engineers have worked throughout the year developing the tools, which will also be used to protect the data used by the personnel at the university's medical school. Ramsay estimates that 1,000 employees carry sensitive data on laptops and portable devices.

Absolute's pricing is based on a subscription model. William Penn pays $55 annually per laptop for the recovery services, says Gomes. Education pricing is $125 for three years of coverage.

CyberAngel charges education customers $47.95 annually to protect a single laptop and $95.90 for a three-year contract. This represents a 20 percent discount off regular pricing, says Lide.

Gomes notes another benefit of the security program: Students are far less likely to "forget" to return their laptops when they graduate or leave the school, given that they will be reported as missing almost immediately.


Advertisement