Years ago, I worked for a medium-sized company with about 130 employees. We shared one laptop. No kidding, but back then, laptops were expensive and as we all had all the hardware and software we needed at the office, management didn't see the need to invest in laptops. You had to sign the thing out and it was never available, and at 100 pounds soaking wet, I could barely carry the thing to the car anyway. I don't know why they called them laptops back then — it certainly didn't fit in my lap!
Things have changed. Now employees carry laptops like books onto planes to meet with out of town clients. While this convenience is great for your users and clients, it can be a nightmare for you. As your company's IT guru, your job is to secure both the laptop and any data that's on it. Big job! Huge job! You aren't paid enough, right? I feel your pain and I'm here to help.
Your first line of defense is to prevent theft, and that includes the hardware and its data. The way to avoid data theft is simple — don't store sensitive or confidential data on a laptop. Make that company policy and make it hurt when employees break it. You simply don't have any other choice but to be ruthless. Education is the key. You simply must make users understand that they can't store sensitive data on laptops that leave the building. The truth is, they don't need to as there are other options:
- If you have remote capability, let users sign in from home or while they're on the road. There are still security risks, but you alleviate the problem of direct theft.
- If there's no remote access or when remote just doesn't meet the need (and that happens occasionally), train users how to use a USB flash drive. They're (typically) removable and rewritable. They weigh just a few ounces and fit into a purse or briefcase, or better yet, into a pocket. They can store from 64 MB to 32 GB! As an added bonus, you really should train them how to encrypt the data, just in case.
- Unfortunately, nothing's absolute, so if a user must store sensitive data on a laptop, instruct him or her to dump the data when they're done with it. Don't pass Go; don't collect $200. As soon as the meeting's over, dump the data. In the long run, you just can't afford to run around with a laptop full of sensitive data any longer than you have to. (It is with great reservation that I even offer this piece of advice because I know some users will ignore it or forget it.)
Prohibiting the storage of sensitive data on laptops helps protect your data, but it won't stop a thief from stealing your laptop or keep an employee from simply losing it during their travels. You can be proactive in this area though:
- Register the laptop with the manufacturer.
- Store the serial number in a safe place in case you need to identify the laptop to claim it.
- Engrave your business name and address on the outer case so that it's clearly visible. A thief that's after just the hardware won't want a laptop that's marked up that way. In addition, good things do happen and if the laptop is lost, you might get it back.
- Take a play from Ian Fleming's James Bond character and disguise your laptop. It only sounds like overkill, but f theft weren't big business, manufacturers wouldn't build laptop cases that look like courier bags and brief cases.
Training users is critical. You're a team, remember? Your efforts are only so good — the person carrying the laptop needs to be informed and take responsibility. Train users not to be too casual with a laptop:
- Conceal the laptop as much as possible and never leave it unattended.
- Take it into the restroom stall with you.
- Keep it on your lap in a taxi, subway, or plane.
- Ask for a booth when you eat out and set your laptop in the booth with you.
- Lock the car while driving around to avoid a quick snatch while stopped at a traffic light.
- Don't sit the laptop on the passenger seat — it's just too easy a target there.
- Don't leave your laptop in the car. If you must, lock it in the trunk.
- Buy a lock and train users to secure the laptop to an immovable object at home or in a hotel room. You won't stop a determined thief, but you will slow them down.
If the worst happens, users should call you immediately so you can change their network passwords immediately. A laptop with remote access is an open door to your server and your company's data. Also consider reporting the theft or loss to local authorities.
It sounds like a lot of trouble, but truthfully, you can't afford not to put strict laptop security policies into place and then enforce them. As a small business, you don't have the luxury of deep pockets and legal resources to protect your company if the worst happens. You're it...you have to be up to the task.
Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.