In 2009 the Cost of a Lost Laptop study was conducted by Ponemon Institute and sponsored by Intel Corporation. It was the first benchmark study to estimate the full cost associated with a lost or stolen laptop. The average value of a lost laptop is $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.
- What makes a lost laptop costly to a company is the potential for a data breach to occur. In the cases we studied, the occurrence of a data breach represents 80% of the cost.
- The second highest cost component is attributed to intellectual property loss. When the cost of a data breach is removed, intellectual property loss represents 59% of the total cost.
- The faster the company learns that a laptop is lost, the lower the average cost. If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849.
- Lost productivity is not a significant cost to companies. When employees have down time due to losing their laptops, it represents only 1% of the total cost.
- Encryption makes a difference. There is almost a $20,000 difference between lost laptops that had encryption installed versus those that did not have encryption.
- The cost of a lost laptop varies by industry. The average full cost of a lost laptop is highest for the services industry ($112,853), followed by financial services ($71,820), healthcare ($67,873) and pharmaceutical ($50,393). The industries with the lowest average cost per lost laptop are retail ($8,756), consumer products ($2,194) and manufacturing ($2,184).
- 72% of U.S. employees are allowed to store sensitive and confidential information on their notebooks.
- 92% of IT security professionals reported notebook theft or loss in their organization.
- Lost or stolen notebooks result in a data breach 71% of the time.
- 89% of employees ask others to watch their notebook while traveling.
Implications for organizations
As more employees are provided laptops, Pad Computers and Smart Phones, the risk of a data breach due to a lost or stolen computer is increasing. The average cost of a lost laptop is highest when a data breach occurs. The study also reveals the following implications for companies and recommended practices for organizations.
Protection of the sensitive data on the computer is critical. Not surprisingly, lost or stolen laptops are costly to organizations. But it’s not the replacement cost that should have companies concerned. Rather, it is the data and the risk of a data breach that can have serious financial implications for companies. The cost of a data breach represents 80% of the total cost of a lost laptop compared to 2% for replacing the computer.
Encryption on average can reduce the cost of a lost laptop by more than $20,000.
Conduct training and awareness programs for all employees who have laptops. The laptops of managers and directors have a higher average cost per lost laptop than the laptops of executives. If employees understand what it costs their companies to lose a laptop it might encourage them to be more conscientious when traveling and working at remote locations.
Policies that require employees to report a lost or stolen laptop as soon as possible may reduce the average cost. In cases where the laptop loss was reported immediately, the average cost was much lower than the average. In contrast, when the loss was communicated slowly (say, more than one week later), the cost was more than double the overall average.
Anti-theft and data protection solutions are available to secure laptops and the sensitive and confidential data they contain. An understanding of how costly it is to lose a laptop can be used to make the case for purchasing enterprise-wide solutions.
As described in this report, data breaches represent the greatest cost. Reducing the incidence of lost laptops through training and awareness programs, and protecting sensitive data, has the potential to save organizations significant money and protect their most valuable information assets.
Actions you need to take
Cloud Computing: Larger organizations can keep their sensitive information on a Private Cloud. That way the Laptop, Pad Computer or Smart Phone does not contain the information, since it is only a ‘dumb terminal’. You need to be careful using public clouds to store sensitive information. The fine print on many public clouds states that any information stored on them is their property. Plus, if the cloud servers are located in a different country, you may lose the privacy protection provided by your country’s laws.
Encryption: You can decrease your cost by 50% with encryption. However, 56% of employees who have encryption on their laptops disengage the encryption solution. (The Human Factor in Laptop Encryption, The Ponemon Institute, LLC. December 2008)
Remote disabling software: I.T. can remotely delete data on a laptop, or the laptop can lock itself down. When the laptop is reported lost or stolen, I.T. flags it and sets up a ‘poison pill’, so the next time the laptop boots, it is disabled.
Training: Decreasing the odds of losing a device containing sensitive information lowers the cost, so informing employees about proper security procedures is imperative. When employees know they need to inform I.T. immediately when a device is lost or stolen, the cost decreases 90%. They must never disable security or encryption on their device.
Inventory: I.T. needs to know what information is stored on Laptops, Pad Computers and Smart Phones. Does it need to be stored there? Is it really needed to conduct business? Do not allow sensitive information on a device if it is not needed.
If it doesn’t need to be on a device, keep it off. If it is needed, protect it.