One night two years ago at a Sun Microsystems Inc. data center in Bagshot, England, thieves broke through a window and stole 14 servers, powerful computers the size of pizza boxes. There was no mystery about the crime--security personnel saw the break-in on surveillance cameras, but were too few and too late to stop it. The next day, the company boarded the window, surrounded the window area with barbed wire, and constructed a chain-link fence around that. That night, the brazen bandits returned with pickaxes, broke in again, and absconded with 7 more servers. Total amount of the two-night haul: $300,000.
But the loss of the hardware, by itself, "wasn't our major concern," points out John O'Loughlin, Sun's director of corporate security. "If the theft had taken place a month later, when the quarter ended, it would have disrupted our ability to produce the quarterly results for the corporation."
Although the pilfering of information gets much of the ink devoted to computer crime, old- fashioned larceny of boxes and components has become a significant problem. It's variously estimated that hardware theft adds between $43 and $150 to the cost of a new PC. And the numbers keep climbing. According to the Technology Theft Prevention Foundation, a nonprofit group founded by insurance giant Chubb, of Warren, New Jersey, the average loss from a computer hardware theft in 1991 was $5,000; today, it's $750,000. The foundation estimates that losses from such theft, along with losses from theft of intellectual property and trade secrets, are approaching $8 billion a year.
Robert W. Edwards, president of Risks Ltd., a risk-management consulting firm in Keedysville, Maryland, calls computer hardware theft "endemic." "There's a constant hemorrhaging from big businesses," he notes. "And it's not just PCs that [thieves are] stealing. They'll steal disk drives, even mainframes."
Experts cite a number of reasons for the increase in hardware theft. For one, high-tech hardware is in demand all over the world. That demand, especially outside the United States, often can't be met through legitimate channels, so hardware thieves find it increasingly easy to move the stolen property.
"Gray market and black market dealers have become very, very sophisticated," says Paul F. McNamara, president of Asset Management Technologies, a security firm in Raleigh, North Carolina. "Anyone with stolen computer parts can contact one of these dealers over the Internet and transact business with very few questions asked." Ralph A. Palmieri, president of Maximum Security and Investigations, in New York City, concurs. "Thieves are stealing these things with the understanding that they can be passed on to a company that is willing to engage in that kind of illicit business practice," he says.
Another reason for increasing theft is value, particularly for computer components. A thief typically receives 10 percent of the value of, say, a television, when he fences it; with a high-tech item, such as a microprocessor, he can recover as much as 50 percent of its worth. Computer chips, in fact, have been known to be used in lieu of cash in drug deals. "An ounce of cocaine and a Pentium chip can each be fenced on a street corner for about $600," observes MaryLu Korkuch, strategic initiatives manager at Chubb and executive director of the Technology Theft Prevention Foundation. "If you're a bad guy, which would you rather be stopped with?"
Palmieri adds: "It's hard to steal an item of clothing and sell it to someone. The color may not be right. The size may not be right. Even more so with jewelry. But if someone puts an IBM ThinkPad in front of you, you know what it's worth."
Convenience also contributes to the allure of hardware theft. The diminutive size of high- tech components such as memory chips and microprocessors makes them easy to conceal and transport. The same holds true for shrinking systems such as laptops and palmtops (see "The Allure of Laptops," page 111). Moreover, until recently, components didn't have serial numbers, so they were impossible to trace.
"Once a part is stolen, it's difficult to prove it's a stolen part," McNamara explains. That's changed a little bit, he adds. Intel has begun serializing some of its products; so have hard-disk makers Seagate and Western Digital. "But tracking the serial number is still difficult," says McNamara. Adds Sun's O'Loughlin, "Serialization without tracking is worthless."
Lack of proper concern also fuels the upward trend in thievery. Corporate auditors treat computer components as parts and ignore their real value. One insurance company estimates that every $100,000 in hardware swiped by snatch artists results in another $200,000 to $300,000 in lost productivity--a relationship that managers may fail to appreciate.
Richard J. Bernes, a special agent with the High-Technology Crime Unit of the San Jose, California, office of the Federal Bureau of Investigation, wrote in July's Electronic Business Today: "Many CEOs are willing to absorb a 2 percent shortfall as 'a cost of doing business,' and assume that [computer theft] losses fall within this 2 percent margin. But coping with injured or traumatized employees, lost productivity, sales, and time, not to mention the difficulty of replacing the product that was stolen because it was in short supply in the first place, can push that 2 percent figure closer to 7 or 8 percent."
The gravity of the hardware theft problem has been slow to penetrate corporate financial suites, too. "We've had trouble getting risk managers and financial executives to understand the devastating nature of this crime," says Korkuch of the Technology Theft Prevention Foundation. "They pass it off to their security people or shrug it off as an acceptable loss."
Or they view it as a particular industry's problem--chip makers, for example, or cargo carriers. But the fact is, any kind of business is vulnerable to hardware robbers, Korkuch argues. She cites a theft that took place several years ago at a London advertising agency. One weekend, thieves cleaned out every laptop and workstation in the place, as well as eviscerating 72 design stations. Bottom line: $800,000 in property losses and $175,000 in business income losses. "A bank could be crippled by an intrusion like that," she says.
While the value of a thief's haul may be greater from an assault on a chip-maker or the hijacking of a cargo container, the theft of a single laptop can lead to even greater losses for a company. "If that laptop has the password to your intranet on it, you've just given a thief the keys to your office," Korkuch says. "A computer workstation is worth its weight in gold, but the information on that workstation is the lifeblood of a company."
Hardware theft appears to be attracting shady types of every stripe, but it seems to be one of the last moneymaking endeavors where the amateur is king. "By and large, the people who are actually doing the stealing are nonprofessionals," McNamara says. "The professional criminals focus on the distribution of the stolen goods."
"Downsizing has created a lot of disgruntled and unhappy employees," observes John D. Spain, an independent security consultant and chairman of the computer security standing committee of the American Society for Information Security. "That, coupled with the downsizing of hardware, makes it easier for computers to disappear out the front door with an employee."
Amateurs or professionals, when it comes to ripping off their high-tech bounty, hardware thieves show no lack of boldness or ingenuity. Consider the following:
- Last September, at a computer parts company in Irvine, California, a dozen well- dressed men walked calmly into the lobby. The men seemed just another group of suits arriving for a business meeting--until they pulled out their automatic weapons and ordered everyone to hit the floor. It took just a few minutes for the men to pillage the company's computers and flee with components worth between $5 million and $12 million.
- At another company, one employee garnered a philanthropic reputation for treating his co- workers to pizza in the cafeteria on Friday afternoons. But while his colleagues munched on pepperoni, the employee's accomplice--the pizza man--stuffed his delivery bag with laptop computers and left the building without being challenged.
Consultant Edwards recalls a case several years ago where a data center on the West Side Highway in Manhattan bought a half-dozen disk drives worth about $9 million for its IBM mainframe. "They must have weighed about a ton apiece, and they were stolen right off the loading dock," he says.
On another occasion, a New York City bank received a shipment of 150 PCs. They were stacked in their shipping boxes in a corridor for distribution the next day. When the bank opened in the morning, the boxes were still there, sealed tight--but all were empty. "PCs disappear like candy mints in a restaurant," quips Edwards. He adds that some thieves aren't bothering with systems anymore. "They'll just pop the skin off a computer and take the insides out of it," he says. "I've seen guys clean out the inside of a PC in less than 30 seconds."
Parts don't even have to work to attract the interest of hardware gonifs. Broken components can be fenced to dealers who will cash them in for their warranty value. Paul McNamara explains that every month, a dealer may return under warranty to a manufacturer broken parts from machines he's sold. An unscrupulous dealer will seed those shipments with dead components bought on the black market and fabricate paperwork to make it look like the parts came from a legitimate machine. McNamara estimates that warranty scams represent 40 percent of all hardware crime.
What can be done to protect your computer hardware? Here are some tips from the pros:
Build awareness of the potential problem in your organization. At Dallas-based Amresco Inc., a diversified real estate and financial services firm, when employees log out laptops, they're warned not to leave them unattended on the road. They're also advised to carry them in their briefcases--not in computer bags with the manufacturer's name on it. "Security awareness is an area where you can get the most for your security dollars spent," says consultant Spain.
Tighten security where there are aggregations of computer hardware.Although it's almost impossible to stop petty theft, companies should be able to prevent the "big hit" by hardening security in loading docks, warehouses, and storage rooms. For example, IBM recently hardened security at its PC factory in Greenock, Scotland, installing closed-circuit cameras and an elaborate system for logging in components as they arrive.
Maintain inventory control over your hardware. If you know what you have, you'll know when something's missing. "There are a large number of companies that have no idea how many computers they have," Spain says. "Anytime there's a lack of inventory control, there are going to be shortages." A number of vendors offer asset management software for tracking computers (see "Tending Computer Assets," CFO, June 1996). At Amresco, the Novell software running the company's network automatically tracks the serial numbers of any hardware connected to it, according to CIO Cathy Rodewald. (Hardware that is leased or off the network is tracked separately through proprietary software.) John Tichenor, a staff surveyor at Cigna Property & Casualty Insurance in Philadelphia, notes that some companies improve their inventory control by marking their computers with a stamp that will appear only under a black light.
Make sure the lines of responsibility for your hardware are clear. As a matter of policy, companies should require workers to sign agreements of responsibility for all portable equipment, including laptop computers. "If there's no individual accountability, then it's very easy for things like laptops to end up missing," Spain notes.
Tighten up hiring policies. Temporary workers are a common recruiting pool for gangs that specialize in hardware theft, so the hiring of temps should be carefully scrutinized. Applicants may give false identities, submit false qualifications, or omit criminal convictions from application forms.
As computers become ubiquitous, and as they continue to shrink, opportunities for computer theft will multiply. Corporate managers will be wise to take steps now to protect their chip-based resources from increasingly ingenious predators. Just how well do you know your pizza deliveryman, anyway?
THE LURE OF LAPTOPS
The indispensable tool of traveling businesspeople, laptop computers are also prime targets of thieves. They're small, powerful, expensive, and in demand. "Stolen laptops you can move at the snap of a finger," says Ralph Palmieri of Maximum Security and Investigations.
It's well known that airports are a favorite locale of laptop thieves; also well known is the typical airport theft, involving a pair of robbers. One will pass through the security checkpoint ahead of the target. When the target sends his laptop down the metal detector's conveyor belt, the second thief will create a diversion while the first thief grabs the computer when it emerges from the detector.
Some laptops are stolen less for the worth of the hardware than for what's on them. "There are some organizations that do industrial espionage that have bounties out on the notebook computers of officers of specific corporations," says John G. O'Leary, director of education for the Computer Security Institute, which is based in San Francisco. "Those organizations will pay tens of thousands of dollars for those notebooks, because the information on them may be worth millions of dollars."
The rise in laptop theft has spawned a market for deterrents. For instance, a Vancouver, British Columbia, company named Absolute Software offers a solution called CompuTrace. The software, which resides on a laptop's hard drive and is undetectable, surreptitiously phones the company's monitoring center on a periodic basis. If the host laptop has been reported stolen, the software will report the phone number it is calling from--even if the caller ID function for the phone is blocked or the phone number is unlisted. The software costs $29.95, while monitoring costs $60 a year.
Laptops can be sonically booby-trapped with another security device called TrackIt (from TrackIt Corp., of Buffalo Grove, Illinois). The $49.95 device consists of a wireless transmitter that fits on a key chain and a receiver that attaches to the laptop. If the laptop is moved more than 40 feet from the transmitter, a siren in the receiver goes off, emitting an eardrum-splitting 110-decibel alarm.
A more passive approach to laptop security is to use "asset tattoos." These consist of two labels bonded together and attached to a computer with a special adhesive. The outside label looks like an ordinary asset tag. But the label beneath is an indelible "tattoo" that can't be removed. The tattoo usually contains a warning that the machine has been stolen and a phone number to call to facilitate its recovery. One company that sells asset tattoos is Datamation Systems, in Hasbrouck Heights, New Jersey. They cost $8.75 to $25 each, depending on the quantity bought.
If you're using your laptop on your desktop, there are a number of devices to chain the machine to your desk. These range from simple cable locks--such as the $29.95 Laptop Lock-Up from Vanstar Corp., a division of QuakeProof Inc., of San Francisco; and the Kablit line of security cables available from Computer Security Products, of Nashua, New Hampshire-- to fiber-optic cables that set off alarms if they're tampered with, such as LightGuard from Minatronics Corp., in Pittsburgh.
How effective are these devices? "Anything that's going to make it tougher for someone to steal a laptop is going to be useful," says Robert W. Edwards, president of risk management consultants Risks Ltd. "Is anything the absolute solution to the problem? Absolutely not, save locking up the laptop in a vault."