SMBs everywhere face a unique situation when it comes to laptop security. Mobility is a business necessity, yet the resources to do it securely are often scarce. You can tell your employees to keep their laptops with them at all times and hope nothing bad happens, but that is a poor strategy. Instead, here are six low-cost steps you can take that will help take laptop computers out of your data security risk equation.
Encrypt laptop drives. If you have the option to use data encryption on your laptop drives, don't hesitate. Whole disk encryption products, such as BitLocker in Windows 7 and the offerings from Credant Technologies and PGP Corp., are a good option for SMBs; they cost $200 or less per system. Keep in mind that there are also solutions that encrypt only sensitive folders or specific drives (e.g., Windows EFS and BitLocker in Windows Vista), but the risk of relying on them is too high. Why? Because it's almost guaranteed that sensitive information will end up outside the protected area of your laptops and be exposed, which negates any benefit of such niche data encryption.
Tighten laptop login requirements. At a minimum, require strong passwords, or better yet, passphrases. A power-on password set in the BIOS is another good layer of protection, but it's not foolproof: if the drive is not encrypted, someone can simply remove the laptop's hard drive, install it in another system, and gain full Windows access using tools such as Elcomsoft System Recovery and Ophcrack.
Lock laptops that are left unattended. Make it a policy, and help instill the habit, that everyone locks their screen with CTRL-ALT-DEL anytime they leave their laptop unattended. Configuring locking screensavers with a reasonably short timeout period, such as five to 10 minutes, adds a safety net for when they forget. Educate your users on the consequences of leaving their laptops wide open for abuse while they step away for "just a minute or two" at the coffee shop. That's all it takes for someone to grab the system and walk off with full access to anything and everything on it, including credentials for your company's network.
Password protect re-entry into laptops. Ensure password re-entry is required from every mode of startup: initial boot as well as return from standby/sleep mode, system hibernation and screensaver time-outs. Do this on every system, from your receptionist to your sales team to management. Again, every laptop holds sensitive information that can be abused or used against you.
Secure laptops with physical locks. Require the use of physical security mechanisms like laptop locks for added protection.
Educate management and users about data security risks. If management understands the business and security risks of leaving laptops unattended or unsecured, they will be much more in tune with what users are doing and not doing with their laptops. Also, management buy-in can really help hold users accountable for their actions. Educating employees and users about the risks and consequences of unattended or unsecured laptops is critical as well. The last thing you need is an uneducated workforce carrying around your business's most critical assets without ever thinking about the consequences of careless actions.
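Three of the six steps (encrypted drives, a locking screensaver with a short timeout, and a password on return from sleep or hibernation) can be verified on each Windows laptop with a script, which makes it practical to run the check from a login script or management tool rather than relying on spot inspections. The following audit script is an added example and is not part of the original article. It assumes an elevated PowerShell on Windows 7 or later, that manage-bde.exe and powercfg.exe are present (both ship with Windows), and that the registry value names under Control Panel\Desktop and the CONSOLELOCK powercfg alias for "Require a password on wakeup" are the standard ones; confirm the output parsing against your own build before trusting the results. BIOS passwords, cable locks and user awareness still have to be checked by hand.

```powershell
# Added example, not code from the original article. Audits a Windows laptop
# against the steps a script can verify: whole-disk encryption of the system
# drive, a locking screensaver with a short timeout, and a password on wake.
# Assumptions: elevated PowerShell, Windows 7+, manage-bde.exe and powercfg.exe
# available, standard registry value names and the CONSOLELOCK powercfg alias.

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail, [string]$Fix)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail; Fix = $Fix }
}

function Test-SystemDriveEncrypted {
    # manage-bde -status exists on Windows 7 (Get-BitLockerVolume only arrived
    # with Windows 8). Its "Conversion Status" line reads "Fully Encrypted"
    # once BitLocker has finished encrypting the volume.
    $drive  = $env:SystemDrive
    $output = & manage-bde.exe -status $drive 2>&1 | Out-String
    $line   = (($output -split "`r?`n") | Where-Object { $_ -match 'Conversion Status' }) -join ' '
    $pass   = $line -match 'Fully Encrypted'
    New-CheckResult -Check "System drive $drive fully encrypted" -Pass $pass -Detail $line.Trim() `
        -Fix "Escrow a recovery key, then enable BitLocker (manage-bde -on $drive)"
}

function Test-LockingScreenSaver {
    param([int]$MaxTimeoutSeconds = 600)   # the article's "five to 10 minutes"
    # Per-user values, stored as strings; ScreenSaveTimeOut is in seconds. A domain
    # GPO writes the same names under HKCU:\Software\Policies\Microsoft\Windows\
    # Control Panel\Desktop, which overrides these (assumed standard locations).
    $key     = 'HKCU:\Control Panel\Desktop'
    $props   = Get-ItemProperty -Path $key
    $active  = $props.ScreenSaveActive    -eq '1'
    $secure  = $props.ScreenSaverIsSecure -eq '1'   # "On resume, display logon screen"
    $timeout = [int]$props.ScreenSaveTimeOut        # a missing value becomes 0
    $pass    = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    New-CheckResult -Check "Locking screensaver within $MaxTimeoutSeconds s" -Pass $pass `
        -Detail "active=$active secure=$secure timeout=${timeout}s" `
        -Fix "Set ScreenSaveActive=1, ScreenSaverIsSecure=1 and ScreenSaveTimeOut<=$MaxTimeoutSeconds under $key (or via GPO)"
}

function Test-PasswordOnWake {
    # "Require a password on wakeup" is the CONSOLELOCK setting in the SUB_NONE
    # subgroup of the active power scheme; index 1 means Yes. On a laptop both the
    # AC (plugged in) and DC (battery) values must be 1.
    $output = & powercfg.exe /query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>&1 | Out-String
    $ac = -1; $dc = -1
    if ($output -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') { $ac = [Convert]::ToInt32($Matches[1], 16) }
    if ($output -match 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)') { $dc = [Convert]::ToInt32($Matches[1], 16) }
    $pass = ($ac -eq 1) -and ($dc -eq 1)
    New-CheckResult -Check 'Password required on wake (AC and battery)' -Pass $pass `
        -Detail "AC=$ac DC=$dc (-1 = setting not found)" `
        -Fix 'powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1; powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1; powercfg /setactive SCHEME_CURRENT'
}

function Invoke-LaptopBaselineAudit {
    $results = @(Test-SystemDriveEncrypted; Test-LockingScreenSaver; Test-PasswordOnWake)
    $results | Format-Table Check, Pass, Detail -AutoSize | Out-Host
    foreach ($r in ($results | Where-Object { -not $_.Pass })) {
        Write-Warning "$($r.Check): $($r.Fix)"
    }
    return $results
}

$audit = Invoke-LaptopBaselineAudit
# Non-zero exit code so a login script or management agent can flag the machine.
if ($audit | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it as the logged-on user in an elevated session (the screensaver values are per user, the BitLocker and power queries need administrator rights). Each failed check prints the corrective command as a warning; enabling BitLocker is deliberately left as a manual step because the recovery key has to be escrowed somewhere the company controls before the drive is encrypted, otherwise a forgotten PIN or a firmware update can make the data unrecoverable.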
Unsecured laptops create some of the greatest information security risks for your SMB. To ensure thorough data security, you need a set of formal policies, processes and technologies to make sure everything's in check. Depending on your culture, you may or may not be able to implement structured policies. The same goes for stringent business processes typically reserved for larger enterprises. Both can be a tough sell in some SMB environments, especially if management's not on board. If anything, focus on technical controls right now. That will not only stop the bleeding, but also keep your SMB in line with compliance requirements and out of the negative spotlight.
About the author: Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. With more than 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security including The Practical Guide to HIPAA Privacy and Security Compliance and the newly-updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in January 2010