• Lost passwords and VPN settings give away the keys to a company's networks and applications.
• Proprietary information can be sold to competitors or recruiters, posted on a Web site, or held for ransom. The results can include competitors obtaining secrets, embarrassment, a tarnished reputation, or financial loss.
• Stolen personal information can lead to a variety of consequences, including identity theft, violation of federal laws protecting health care information, and requirements of some states to inform customers of losses. Personal information has been held for ransom, probably more than we know.

An easy problem to solve
Securing the data on your portable devices is an easy problem to solve. Applied Trust Engineering recommends taking two simple steps to prevent your mobile devices from being a thief's low-hanging fruit: leash and lock them, and use whole-disk encryption.

Leash and lock them
The easiest and most effective way to keep your data safe is to keep your mobile devices from being stolen in the first place. Virtually every laptop comes equipped with a lock slot where you can attach a leash and tether it to something solid such as your desk, luggage, or car. Buy one and use it. The Kensington® MicroSaver® accessory is pic­tured, but just about any leash from any manufac­turer is good enough. The key is that you want to be sure that the one stolen is not yours.

Whole-disk encryption
What if someone does walk off with your mobile device? If you've set up a BIOS pass-word on your laptop, kiss your data goodbye. Just about any high-school kid can boot your system with an OS install disk and access all of your infor－mation. Are you encrypting individual files? It's next to impossi－ble to remember to re-encrypt them after you've edited them, and to destructively delete any decrypted versions that might be lying around in hidden, temporary, and cache files. Save indi－vidual file encryption for occasions when you send sensitive files in email. With whole-disk encryption, it will take a lot more than a fishing expedition to crack open your data.

Whole-disk encryption secures all of the data on your disk, not just your home directory or the files you remember to encrypt. This is key because applications may store temporary or cache files in locations that are not automatically encrypted and destructively deleted, leaving your data at risk. Whole-disk encryption decrypts every disk block when the operating sys－tem reads it, and encrypts every block before the OS writes it to disk. With encryption handled at the lowest level, even hid-den, temporary, and cache files are secured.

Whole-disk encryption software also can handle your removable media including disks and USB storage devices. Other products can help you protect email and other data on handheld devices .

The value of enterprise solutions
By now you're ready to shop for a whole-disk encryption solu－tion. Before you do, consider your requirements. If you're implementing whole-disk encryption in an enterprise context, think about how you will back up a device that's encrypted, and how you will access company data in the event that an employ－ee leaves the company and takes her passphrase with her.

Enterprise-grade, whole-disk encryption packages make it easy to apply encryption policies uniformly across a large num－ber of mobile devices, and they ensure that the company can obtain access to encrypted data even if the employee isn't around. Enterprise solutions for mobile devices can revoke access rights on laptops and some handheld devices if they are lost or stolen or if the employee leaves the company.|

Enterprise solutions typically employ strong public-key encryption to protect a weaker (but more efficient) secret key used to encrypt data on the disk. Now that it's possible to securely protect every user's secret key, it's possible to store them on a server where they can be unlocked if there's no other way to access the mobile data. This is called key escrow, and it's like giving a trusted friend a key to your car just in case you lose yours. Like key escrow, a Public-Key Infrastructure (PKI) also supports key revocation. What happens if an employee is fired and his laptop is at home? You can deny access to that person's data through the PKI mecha－nism, preventing unauthorized access to what's really the company's data.

Along with a central server to sup-port the PKI, enterprise solutions include management capabilities such as authorizing data decryption for backups and enforcing specific securi­ty policies, for example spe­cific filesystem encryption set­tings or hand-held email access proce­dures.

First steps to take                          
Remember that security is an amalgam of people, policy, and technology. Without all three working together you won't be successful in securing your mobile devices.

Policy
Determine the right policy for your organization. Make sure that you include physical security through laptop leashes, data security through whole-disk encryption, and additional protec­tion for handheld devices Recognize that handheld devices pres­ent just as much risk as laptops. Make it clear where employees can take their laptops and where they can't. (Leaving one in a car is usually a bad idea.) Consider whether employee or cus­tomer data should ever be taken off-premises on a laptop. Spell out how employees must comply with the policy, and what hap-pens if they don't.

Technology
Give your employees the tools they need to implement the pol­icy. Buy them laptop leashes and make sure they have adequate anchor points on their desks and in conference rooms. Consider the products mentioned on page 4 and set up an enterprise-quality, whole-disk encryption system. Make sure that every device's encryption settings are in compliance with the policy. Be sure that you back up all data before installing whole-disk encryption, and set up procedures for performing backups once the encryption software is installed. Are handheld devices, PDAs, or flash memory devices part of your fleet? Incorporate them into your strategy as well.

People
Now that you have a policy and the technology to support it, get your employees signed up. Make sure they know their devices contain information that, in the wrong hands, could damage them, their peers, the company, or their customers.Teach them how to comply with the policy, and give them incentives. Enterprise-quality tools can help enforce uniform settings and standards, but what about laptop leashing? Make it fun. Award a bounty when one employee can swipe another's laptop, encouraging them to leash their devices everywhere, including conference rooms. Give them a bonus for surviving walk-through audits. Once you've established good habits at work, encourage them to continue them at home and while traveling.