Mobile Device and Information Theft: The Real Costs

Ralph DeFrangesco

According to the latest Computer Crime and Security Survey issued by the CSI, of the 433 respondents who took the survey, 42 percent claimed a laptop or mobile device theft. This is down 8 percent from the previous year, so that might be seen as encouraging. But 144 respondents claimed an average of $289,000 in losses due to various types of computer security incidents. In addition, there was an average of $463,000 in costs due to financial fraud, and $345,000 in costs due to dealing with "bots." Loss of employee confidential data cost $268,000 and client-related data costs topped out at $241,000.

But when we say losses, do we really understand all of the hidden costs? With such a high percentage of respondents claiming hardware and information theft, it is important for CIOs to understand their total losses and what they can do to mitigate them.

The survey does not give us an idea of where the true losses are. The obvious costs are the replacement of the hardware and a "best guess" of the stolen information's value. Let's look at the cost of replacing the hardware first:

  • End-user downtime due to non-productivity
  • Hardware procurement costs
  • Shipping costs
  • Receiving and inventory costs
  • Loading the operating system and applications
  • Data restore (if a backup exists)
  • Desktop customization
  • Shipping costs if end user is remote or travel costs to pick up the new laptop

Information loss is more complicated to calculate because we don't necessarily really lose information -- we lose a copy of it. Therefore, we have the potential for loss, such as first-to-market data, intellectual property, or the loss of a client list. Business information owners need to take stock of their information inventory and make regular estimates as to its value. This information would be invaluable to the company and criminal investigators should information be stolen.


There are a few technologies available to help mitigate the loss of a laptop. One of the two most prevalent technologies is Lojack for Laptops, a piece of software to help track down a stolen laptop. The software is installed in the laptop's BIOS. When the stolen laptop is connected to the Internet, it silently contacts the company's monitoring center. The company works with authorities to track down the location and recover the laptop. Lojack for Laptops also makes a premium version that will allow remote data deletion, and a corporate edition that offers a complete IT asset management solution.


Another solution is to use hard-drive encryption. The theory of hard-drive encryption is simple enough. When a file gets written to disk, it gets encrypted by a special algorithm built into the software, and then written to the disk as any normal file. When the file is read, the process is reversed. Files can not be accessed, written or read without the appropriate password or key. Should a laptop be stolen, the data would be protected and non-accessible to the thief. PGP makes an excellent solution and should be considered when looking for a cost-effective solution. The only catch is that the hard drive could be replaced and the laptop re-appropriated with little effort.


With the increased demand for mobile devices, IT professionals must deal with possible hardware loss. This is the nature of a mobile device. What we do not have to struggle with is how to protect against information loss. With so many cost-effective solutions on the market, it's unacceptable for an organization to claim that sensitive information has been stolen and the public -- that's you and me -- are at risk. You and I are the real losers when sensitive data is stolen.

Add Comment      Leave a comment on this blog post
Dec 21, 2008 11:56 AM Nina Nina  says:
Loss of Data thru mobile devices and the resulting impact is a real concern. I have discussed much about this in Chapter 3 of my Wiley India book published on Information Systems Security. In spite of these real threats, my industry experience continues to show weak controls over employees' and contractor persons' mobile devices and conrols about blocking the USB ports in certain project situations. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.