Truth 35 Corporate laptop security

In 2005, there were more than 750,000 laptops stolen in the United State, up about 20% from the prior year. So it should come as no surprise when you hear about organizations that have reported lost or stolen data that these losses are often associated with lost or stolen laptops. On the other hand, maybe it should surprise you. One would think that with as much press as there has been regarding identity theft and lost data that companies would be doing far more to protect their data.

Let me first start with the obvious. On one of my conference trips, I went to lunch with some people who were also attending the same conference. When we got to the restaurant, I started to get out of the car with my backpack containing my laptop. I noticed one of the guys in my group was putting his backpack containing his laptop in the back seat. He asked if I wanted to leave my backpack behind since it would be a hassle to carry inside. I told him I would take mine. He just shrugged and laid his coat over the backpack. He climbed out of the car and closed the door, and we went into the restaurant.

This is not the first time I have seen someone do this, and when I talk to people about it, almost everyone admits they have done something similar. Now to step into reality: If you’re a criminal who happens to be wandering around a parking lot looking for something interesting to steal, what do you think goes through your head when you look in the car with the coat lump? “Gee, nothing in this car but that big old coat. Obviously, I don’t want to steal that, so I will move on.” Maybe. However, I think that, like me, criminals are probably really thinking, “Gee, I wonder what’s under that coat that was so important that the owner wanted to hide it. Think I’ll take a little peek.”

So what makes laptops such a critical factor in dealing with identity theft? Simply put, they contain confidential information. Many people use laptops at work and at home. While at work, people are often interfacing with customer confidential information. Database files and confidential documents often end up residing on laptops. Sometimes the information is put there intentionally so that the employee can work on it from home. Other times the employee thinks he has deleted the files from the computer, not realizing that a hacker can easily restore the files, which actually haven’t been deleted. Once confidential data is on the laptop in any form, it becomes a mobile time bomb. One mistake by the employee, and suddenly you find your company entangled in a confidentiality nightmare.

A laptop doesn’t have to be stolen to put the confidential information at risk. When the laptop is plugged in to your corporate network, it has been placed in what should be a secure environment. Your corporate firewall is keeping would-be hackers at bay. However, when employees go home and connect to the Internet through their home network, what security do they have?

Some Internet providers offer a limited level of protection, while others leave the security up to the user. In the latter, if that laptop has not been kept up to date with all the latest patches and the employee has not been trained on how to avoid malicious software, hackers can gain access to that laptop very quickly. The first response I receive when I explain this to people is, “I’m a nobody, so who is going to attack my computer?” Most of you probably realize by now that the majority of the home users whose computers have been compromised were not singled out. Instead, malicious software known as worms continuously attack random computers all over the world. It is just dumb luck if your computer is discovered by one of these worms.

As I said earlier, there are cases in which laptops are truly needed for business, and in those situations, there are several things you can do to keep confidential information protected while still gaining the benefits that a laptop provides.

Require all laptops that access your network to maintain a certain level of security. Maintain patches, and ensure that a personal firewall is active on the laptop if it is used away from the office. Both Windows XP and Vista include built-in firewalls. (Though the Vista version is more robust.) While I feel every computer should have the personal firewall active, it should be absolutely mandatory with laptops.

Install encryption software, such as Secure Boot, on every corporate laptop. This software requires that a username and strong password be entered at startup to decrypt the files on the drive. If the correct password isn’t entered, all the files on the drive are inaccessible and useless. In rare cases, however, encryption software can become corrupted, so make sure you have a solid backup plan in place so that if an encrypted laptop becomes inaccessible, you can restore critical data.

Install an encrypted partition if you can’t encrypt the entire hard drive. There are a number of free products that will set up what looks like an additional hard drive on your computer. In reality, it simply takes a portion of your existing drive and sets it up as an encrypted drive. To access that drive, you must supply a pass phrase. Once you’ve accessed the drive, you can use it just like you would any other drive. Require your employees to place all confidential data into this partition.

Train employees on the do’s and don’ts of email attachments and malicious software. An employee needs to load only one malicious program onto his laptop while at home to put both his laptop and your network at risk.

Don’t allow laptops on your network if you have a choice.

While laptops may be able to increase productivity, they also increase your customers’ risk of identity theft. Be certain you have done a complete risk assessment and understand that no matter what policies you implement, there is no sure thing when that laptop leaves your office.