Perhaps the first thing to say is: “It's nobody's fault.” We could blame the laws of physics for the current capabilities of laptops, but not those who discovered them, nor those who have successfully pushed the data storage of hard disks to terabyte capacities. Nor indeed, the people who squeezed the processing equivalent of …
CIA to CIA*
where * denotes what to do in a crisis where either of C, I or A has become compromised?
(the best example I can remember was a loud-mouthed senior exec of a systems integrator explaining to a colleague – and indeed the rest of the carriage – how to interpret next year’s competitive analysis spreadsheet).
i think i was on that train...
i recall thinking what a showoff arse he was. no concern about the fact that someone from a competitor may be just one seat away... which i was, and i do. hehehe ;)
shades of gray
Lost or stolen laptops (pretty common in my experience), misplaced flash, CDs / USB HDs and the inadvertent leaking of next year's marketing campaign to the rest of the railway carriage (or the guy in the next seat) have a lot in common with ankle-biting malware outbreaks. Even those of us lucky enough to have been able to convince management to enforce a locked down laptop config (users are users, not admins, and can only write to My Docs - see the MS XP Hardening Guide for waaay more detail on that) still get regular malware detects, and sometimes these are of things that sneaked onto a machine weeks or months earlier and are only now being detected by updated AV signatures. 99.9% of the time they're nothing worse than a nuisance, though.
In principle, finding out the CFO's laptop's had a typical remote access trojan/rootkit/password sniffer installed for the last 6 weeks should elicit a code red, OMFG-we're-all-doomed, Major Security Incident Plan, response. 99 times out of 100, though, it's just a random drive-by download via an infected banner ad site or such like. The attacker was only ever interested in adding the infected machine to his botnet to spew spam or DoS traffic, or in grabbing direct access to dosh - bank account login credentials. In theory the attacker *could* be working for the NSA, or the company's main competitor, or serious industrial espionage types, but it's pretty unlikely. In the same way, the proverbial USB key in the pub carpark with a spreadsheet of PID on it is much more likely to be picked up by Owld Jolter weaving his way home via the Offie and kebab shop who's going to either use it as a spare flash stick (or a toothpick) than to be found by someone who'll analyse the data, realise what it is and think "Aha, this would be very useful if I were (the head of SMERSH / Chinese Espionage / $competitor)!". Even if they do realise it, they're much more likely to take it to the press than the Chinese Embassy - and doing otherwise could mean a long stretch at one of HM's less exclusive guesthouses. I would hope that a typical corporate whose CEO is approached by a dodgy geezer loitering by reception going "Pssst, wanna buy some 'interesting information' ?"
Likewise, the odds of having an infosec journalist in your carriage is - well, higher than that, especially in London, but still pretty low I imagine. The fact is that people high enough up their orgs to have their own sensitive data - C-level execs, some FLAC wonks, HR perhaps, dev if they're a dotcom or s/w development firm - often have a delusional concept of how important their work is to the world at large. What makes my life as an infosec grunt interesting is the /other/, much rarer sort of attacker: the malicious insider, or the external targeted attacker. Anyone paying attention knows there really ARE state-sponsored industrial espionage attackers and aggressive, highly skilled and motivated criminals after a 7 or 8 or 9 figure score who are prepared to spend six months scoping your systems and networks before even beginning active attacks. Those buggers are much, much harder to defend against...
Hide it in the Cloud
If your site was not so rabidly against cloud computing, your correspondent could have suggested a very good alternative to safeguarding the data - keep it in the cloud with a strong log-in password, or even encrypted.
Nothing to lose if the netbook goes AWOL!
Federico el Sueco
@AC - 9/2/209 07:40
Who the hell needs cloud computing? Ever heard of VPN?