Why is it so hard to secure a laptop? Where are the green fields for identity thieves? What are the security threats that IT professionals are ignoring? IDG News Services recently invited the heads of three security businesses—Barracuda Networks CEO Dean Drako, Sana Security CEO John Zicker, and Jay Kidd, who runs Network Appliance’s emerging products group—to a roundtable discussion of the trends they see on the horizon and the threats they think IT executives may be missing.

Following is an edited transcript of that discussion.

IDG: The U.S. Department of Veterans Affairs recently lost a laptop containing information on more than 26.5 million veterans; Ernst & Young Global lost a laptop containing sensitive information on nearly 250,000 Hotels.com customers. Why do we keep hearing about these missing laptops?

Dean Drako: I think people just did what was easy and convenient and didn’t really think about it. Ernst & Young guys used to go in and audit, and they’d have paper and pencil. Then they started getting laptops and they started carrying them in, so they’d create little spreadsheets. And then USB keys appeared, and they could say, "Oh, let’s just transfer that data to a laptop." Nobody ever really thought about the repercussions of the fact that these laptops were scooting out of the building every night.

John Zicker: Most people don’t buy fire insurance until their neighbor’s house burns down, or the mortgage companies require you to have it to buy the house. Laptops and desktops have been one of the last things in the security industry for people to worry about. They worried about perimeters and about central storage, and now they’re worried about desktops and laptops because it’s not been a big issue before.

Jay Kidd: Security’s always a balance between safety and inconvenience. So there’s some level of inconvenience with any security. Companies are figuring out: Where is the right balance? And every time you have one of these disclosures, it shifts a little bit more toward safety. But the bias is toward convenience.

IDG: How much should we be worrying about laptop theft, really? There must be more efficient ways to steal somebody’s identity.

Kidd: That’s not the efficient way to get identity. The bigger concern has actually been in the public sector, because it’s targeted. You can target everybody in the Pentagon, everybody in the State Department. I know that there’s a higher incidence of that theft than there is of just general corporate theft. In general, corporate theft is about walking through the office and grabbing a few laptops and selling them for the hardware. It’s not identity theft.

IDG: What are the new threats that people aren’t thinking about?

Drako: There has been a market change over the last five to six years, primarily due to Sarbanes-Oxley. It used to be that you actually trusted your employees. What’s changed—and which is really kind of morally and socially depressing—is that now, the way the auditors approach the problem, the way Sarbanes-Oxley approaches the problem, is you actually put in systems assuming that you can’t trust anyone. Everything has to be double-signoff or a double-check in the process of how you organize all of the financials of the company.

That is really the major shift, which has created a huge burden on how we operate any [publicly traded] organization. Part of it you can attribute to folks like Enron and CA, where the guys at the top were crooks.

Kidd: The SEC [Securities and Exchange Commission] positions themselves as the protector of the public in terms of investors. They were having to trust the CEOs and the CFOs that the results that they reported were accurate. Enough examples showed that they couldn’t, so they had to put in some sort of double-check to make that provable.

I think the same thing will probably happen in IT organizations. Stealing identities one at a time by snooping Internet traffic is not the most efficient way to do it. You want to go to the accounts that have a large number of customer records with credit cards and Social Security numbers, and you figure out a way to grab that database. The probability of finding some employee somewhere in the process who is willing to be corrupted, it can happen. Or you take the backup tapes as they’re in transit ...

Zicker: The simple way: Pay the cleaning lady $1,000.

Kidd: ... that’s almost untraceable. I think it’s the intentional attacks, as opposed to the accidental or opportunistic, that are the threat that people are starting to worry about.

IDG: Backup and laptop encryption is one way to respond to these threats, but what other things leave people exposed?

Drako: There’s a lot of traffic that goes over the Internet in the clear.

Kidd: The amount of data that’s encrypted versus the amount of data—it’s a tiny fraction.

Drako: I probably shouldn’t say this, but we have e-mail that goes back and forth between people in our company and it’s not encrypted. And some of the data is stuff that we wouldn’t want other people to see.

But it’s a probability game. I know that the probability is one in 10 trillion that somebody’s going to be snooping the traffic, so it’s like the risk is OK. But there are other people who I am sure have a lot of Internet traffic in the clear, who it’s probably more of a risk to.

Zicker: One of the things that we see a lot with identity theft is mass distribution of malware that’s bundled with good things, typically ads. You’re browsing the Web through what look like perfectly good websites, and you drive by an ad—you don’t even have to touch it—and you can have malicious software installed on your machine.

And what’s fascinating about it is you take it at the macro-economic level and you can see why they do it.
You buy excess ad inventory—keywords off of Google of known good ads—bundle something bad with it, pay a good website 50 cents per ad impression instead of the going rate of 10 cents. Everybody kind of wins along the way, and then malware is on the box.

There’s no way for me as a website person to check ads to see if something malicious is bundled with them. And you can’t tell by looking at an ad whether there’s something malicious going on.

-Robert McMillan, IDG News Service (San Francisco Bureau)