Clear Focus on Risk Leads to Laptop Security
Malcolm Harkins is Chief Information Security Officer, Intel Corporation.
Recently, I sat down with several other IT security experts and reporters to provide context to a study of the nagging and, as it turns out, incredibly expensive problem of missing laptop PCs. The study found that the odds of having your laptop lost or stolen are as high as 1 in 10. This won’t surprise many CISOs who regularly field reports of laptops vanishing at airports, customer conference rooms, homes and through shattered car windows. Likely most would be shocked at the cost. The 300 companies shared a $2.1 billion bill by and large to cover the ramifications from potentially compromised information on the hard drives.
There was one stat, however, that really stunned me – 70 percent of those companies do nothing to protect their laptops and data. No encryption. No back-up. No antitheft technologies.
So, did the pollster just happen across 70 percent of the dumbest, cheapest or feeling-luckiest IT professionals in the nation? Of course not. I believe they just didn’t realize what was at stake. The biggest vulnerability we all face today is misperceiving risk. It inevitably leads to bad decisions or, possibly worse, no decisions.
For example, study respondents said only 48 percent of the missing laptops contained confidential material. On hearing this, fellow panelist Kevin Beaver, an information security consultant and author, quipped, “Clearly, 52 percent don’t know what’s on their computers.” He said this attitude is typical among his new clients, who believe only their very responsible execs pack confidential data. In truth, he finds nearly 100 percent of his clients’ laptops contain proprietary material, typically forgotten customer data and corporate documents.
That said, it’s hard for me to fathom why any company would forgo encryption, regular back-ups and any of the new antitheft technologies on the market. Early on, you could make a case that encryption and back-up competed with the CPU and bogged things down, but that’s not true with today’s multicore processors. At most, encryption might delay boot-up a couple of seconds.
Backing up data is virtually transparent for the same reason. When we upgraded our back-up technology some time back, our service desk had calls from employees concerned that their back-up programs weren’t working because they no longer saw the start-up prompt or experienced the subsequent digital molasses.
Antitheft services are the latest technologies aimed at reducing lost data costs, and even at getting the laptop back. Their primary capability is to make the computer and its encryption keys completely inoperative, turning it into a brick, as we say. Commands can be sent via the Internet or 3G cellular links even if the system is turned off. There’s also a location beacon capability available that can lead to a computer’s recovery, possibly a game-saver for people like me, who travel and for whom losing a laptop means going home.
In misperceiving risk, we also have a tendency to misperceive the best remedies. Strategies I’ve heard for protecting laptops and data include: we’ll only issue laptops to those with a proven need, thereby reducing exposure; we’ll tether workers to a server where they can securely access all data and execute all applications; we’ll forbid personal data to eliminate the temptation to take laptops when not on official business.
Over the years, I’ve chronicled five “Irrefutable Laws of Information Security.” The first law: data wants to be free. Trying to prevent its mobility is pointless. Since the invention of printers, CDs and, well, carbon paper, it’s been mobile anyway.
Data has recruited benevolent freedom fighters throughout every company. These aren’t WikiLeaks rebels, but bright, hardworking employees dedicated to their jobs and their employers. People who work at home in the evenings, travel on airplanes and draft deals with customers thousands of miles from the home office. Mobility has expanded productivity and accelerated business. To get their jobs done well, they’ll find ways to mobilize that data – e-mail, personal laptops, smart phones, tablets, CDs, thumb drives – and in creating edicts to prevent its dissemination, IT will lose all possible control over it.
Moving data to a central server doesn’t improve security either. It simply moves the risk to another location, and a central location at that. There are a number of desktop virtualization models, which have varying effects on mobility and productivity in addition to security considerations. However, even for dumb terminals, or a laptop functioning as a dumb terminal, seemingly the most secure option, password authentication is initiated on the terminal. If someone has the terminal and cracks the password, data can be accessed the same as on a local hard drive.
My view of personal data on a company-owned laptop flies in the face of commonly held thought. Intel allows employees to use company-owned computers as extensions of their personal lives. In my mind, it increases security. Having family photos and videos, personal correspondence, taxes, and “consumer” apps on Intel laptops encourages a sense of ownership. It’s one more reason to treat them responsibly.
You’ve likely perceived a trend in my approach to data security. Data wants to be free and employees will find a way to help it, albeit normally for the right reasons. It’s futile, actually counterproductive, to try to build a wall around the data.
To be successful, you have to run at the risk. Embrace it. Give it a hug. Take advantage of both technology and employees’ aspirations in creating the best solution.
So, what can this strategy mean for an organization? In the nineties, Intel cut the LAN cable on virtually all of its employees. We now have 87,000 completely mobile employees. They can take their laptops and jobs anywhere. The study that started this blog found that financial services companies scored better than any other industry for hanging onto their laptops: laptops lost or stolen amounted to only 5.2 percent, less than half the rate of the education sector, which came up short 10.8 percent of its laptops. Intel? Using the run-at-risk approach that involves employees and takes advantage of technology, including encryption, back-up and antitheft services, we anticipate losing around 700 laptops annually, less than 1 percent of our fleet.
Tags: data protection, encryption, endpoint security, mobile devices
Malcolm hit the nail on the head again!
Great info and write up!
As an Intel employee, I appreciate the fact that I am allowed to use my notebook as an extension of my personal life and Malcolm makes a great point that allowing that actually increases security: “Intel allows employees to use company-owned computers as extensions of their personal lives. In my mind, it increases security…” Check out Malcolm’s full presentation on Misperception of Risk: communities.intel.com/docs/DOC-5027