Recovering stolen laptops one step at a time
When a student's laptop was stolen last year on a university campus, police and IT investigators went to work, recovering it within a matter of weeks. Neil Spellman, one of the investigators on the case, offers some best practices on what to do if a laptop is taken, and how to prevent theft in the first place.
Late last year, a laptop was stolen from a student's car at Worcester Polytechnic Institute outside of Boston. Fortunately, when the student had purchased his laptop, he also purchased tracking software, which allowed university police to track and locate the computer. Within a few weeks, the student had his laptop back, and the thieves (along with several other stolen laptops) were in police custody. How the IT department, working in concert with the police, recovered the laptop is a worthy example of how adaptive software can assist in a laptop recovery effort and what can be done to deter theft of small electronic devices.
According to the FBI, approximately 2 million laptops are stolen each year. Even worse, only 2% are recovered. Depending on the data stored on the laptop, this can really get complicated for IT departments. It is not unlike losing one's wallet, except the wallet in this case could be the size of a box truck. And inside that box truck is everything from customers' names and billing information to the CEO's credit card number.
The easiest laptop to recover is one that never gets nabbed in the first place, so it's wise to take steps to prevent devices from walking away. Here's a list of a few best practices to keep laptops from being stolen:
- Know where the device is all the time; it is OK to be paranoid. The first rule of countering theft is deterring theft. This responsibility is jointly shared by the company and the user. If a laptop has to be left on a desk at any time, the company should ensure that securing cables are available for lockups. However, the employee must assume responsibility by keeping an eye on their laptop.
- Mark the laptop to identify its owner. There are commercially available physical devices that will aid anyone who finds the laptop and wants to return it. Such a device -- usually a small plate affixed to the computer's exterior -- displays a visible identification number that acts as a reference when the locating party contacts an 800 number, which is also displayed.
- Consider an embedded tracking device, such as Absolute Software Corp.'s Computrace LoJack for Laptops, especially if the information is worth more than the laptop. Any embedded device is good, but one that is embedded in the motherboard and cannot be deleted even if the thief wipes the hard drive is better. Frequent (as in daily) backup on removable storage devices is also a best practice. Making a decision on whether to use an embedded device vs. a physical device should hinge on whether it's more important to deter theft or recover stolen items after the fact. It may be wise to employ both a deterrent and a recovery device, if the loss of the item and the stored information are equal in value.
- For executives traveling with personally identifiable information (PII), keep the PII on a removable storage device with biometric authentication. Also, encrypt hard drives rather than folders and files. This is the solution for the traveler who may not remember to delete downloaded PII.
When a device theft or loss takes place, it's of paramount importance to follow a template or a standard operating procedure. This means having such a procedure in place before any theft occurs. A few steps that should be involved are as follows:
- Assist local law enforcement with technical details. What seems apparent to IT pros probably is not to those in law enforcement. As an example, search warrants call for technical details that have to be easily understood. Such things as an IP addresses have to be related to in details that police, DAs and clerk magistrates understand.
- Most laptops are stolen for resale. Some are sold on legitimate websites (which is very hard to offset), but many thieves are trying to move the item quickly, which leads them to a pawnshop. Therefore, it's a good idea to publicize the company's theft-deterrence program with local pawnshops; let them know what's being done to track and recover items. It's in the pawnshop broker's best interest to know, because if he or she is found to be in possession of stolen items, the items can be recovered immediately without compensation for the broker. Thieves need a place to resell, and if the most reliable resellers are unwilling to accept certain items, they will not steal those items.
- Educate those in the company with awareness training, videos and posters. Advise them to report persons of suspicion. Training should be conducted by someone who commands immediate respect and authority. Consider not only the content but also the delivery of content.
- When a laptop is recovered, consider publicizing what was done and who did it. Letting people know that theft is taken seriously will assist further prevention efforts and recognition of effort will ensure continuous motivation.
In the case of the theft at Worcester Polytechnic, it was important that the investigators knew immediately that the theft had occurred; the owner reported the loss within hours rather than days. The student had also thought to install tracking software on his notebook, which enabled Computrace to track the laptop and assist in the recovery.
It's important to note, however, that it was not a matter of simply putting information down on a form and letting the justice system take its course. As the Network Security Analyst, I had to explain the probable cause so those in law enforcement -- and eventually the Clerk Magistrate and the Grand Jury -- could understand how the theft could be linked to the individual thief.
Though it's true that an ounce of prevention is worth a pound of cure in information security, it's still a good idea to have the pound of cure ready just in case.
About the author:
Neil Spellman is a network security analyst at Worcester Polytechnic Institute and was formerly a WPI police officer. He has a B.S. and is a graduate of the Massachusetts State Police Academy. For 20 years, he was a senior investigator for the Massachusetts Bureau of Special Investigations. Additionally, he serves on the board of directors for the Boston chapter of Infragard.