Fool me once, shame on you. Fool me twice, shame on me. Fool me 160 times ...
In a sense, the study outlined in this SC Magazine article ends a little too early -- September, 2005 -- to have too much relevance today. It's a bit frustrating: Why can't the government put out a report with results that are fresher than 16 months old?
On another level, however, the study certainly is relevant. Laptops disappeared before the report's time frame, have disappeared since and will continue to disappear in the future.
Some of these computers contain peoples' personnel information. Some hold data whose disappearance is even more frightening. For instance, one of the machines mentioned in the report -- prepared by the Department of Justice's Office of the Inspector General -- contained software for making FBI identification badges.
Beating up the government and its employees for losing laptops may be the wrong reaction to the report, however. The story says that at any one time, the FBI controls more than 26,000 laptops. It's unrealistic to think that a certain amount of them won't disappear. Indeed, we would argue that losing 160 -- a bit over one-half of one percent -- isn't so bad.
Of the machines that disappear, it's safe to assume that the data on some will be encrypted and that data on some will be innocuous. It's also safe to assume that some were stolen for the machines themselves, and the first thing the thieves will do is delete the data. Indeed, the story said that during the period of the study only 61 machines, about one-quarter of one percent, held or may have held sensitive data.
Such an analysis appears to mitigate the risk from a quantitative standpoint. What remains, however, is the question of whether the government is doing a proper job of protecting the machines with the truly sensitive data. It's possible that these machines can be (or have been) targeted by organized criminals or terrorists. From this perspective, the important thing is how well guarded those specific machines are.
This suggests that laptop security is a qualitative issue: It really doesn't matter in the scheme of things if 10 low level machines go missing, as long as the one with the ID badge software is safe.
The point is that comprehensive and sensible mobile policies are vital. Important issues relate to the criteria used to decide what type of encryption and related security software goes into what machines. Are security measures decided by the title of the person to whom the device is assigned or some other criteria, such as the actual content? How nuanced are the rules for determining the importance of data?
The bottom line is simple: The safety of mobile devices is a far more complex and subtle issue than counting up how many machines disappear over a set period of time.