Laptop security best practices
Laptops can free employees to work remotely, allowing them to telecommute and travel easily. But that freedom comes with security perils.
More employees with more laptops can mean greater exposure of your network to roaming security threats. And, in a worst-case scenario, a stolen laptop with sensitive customer data or proprietary company information can also expose the company to liabilities, legal or otherwise. Lost customer data can lead to identity theft and open the company to lawsuits. Lost proprietary information can damage the company's competitive edge, if not its business altogether.
Large organizations have sophisticated network defenses and firewalls to block malware from compromised laptops. For outbound threats, they may also employ complex content control systems to prevent the loss of customer data or company information. Not so for small and medium-sized businesses (SMBs), which may operate simple firewall networks on a shoestring and don't have the cash to spend on expensive content filtering systems and software.
But there are solutions for SMBs that won't break the budget and involve little or no overhead. Many of these solutions rely on simple procedures and best practices that don't require bulking up stretched-thin IT departments or hiring a dedicated information security team.
There are three parts to laptop security: physical security, administrative access and technical controls.
Physical security: A laptop should never be left unattended. If you have to get up, for any reason, power down the laptop and take it with you. Unattended laptops have been targets of thieves in airport lounges and at Starbucks.
If it's absolutely necessary to leave the laptop, use a good lock. The Defcon SCL cable lock from Targus Inc. is especially designed for laptops. It consists of a cable with a combination lock that plugs into the locking port of any laptop. The cable can be used to lock the laptop to a table, if you have to step away for a minute.
Other physical security measures for laptops include carrying them in nondescript briefcases rather than laptop bags, especially those emblazoned with big logos from the laptop manufacturer. Another thing to watch out for is shoulder surfing. Working on a laptop in a public place lets people see everything you're doing. Try to work away from crowds in a secluded area like an empty gate at an airport or a table facing a wall -- not a window -- in a coffee shop. Shoulder surfers have even been known to peer through windows.
Privacy filters also protect against unwanted wandering eyes. Privacy filters are screens that stick to a laptop monitor with adhesive tape. Only someone looking directly at the screen can see it; to anyone else it looks dark. Privacy filters range in price from $50 to $90 and are available from 3M Co. and Fellowes Inc.
Administrative access: The best administrative controls are an inventory system for keeping track of who has a company laptop, and what they're doing with it. Every employee allowed a laptop should be required to sign it out, whether it's given for temporary or long-term purposes. The laptop's make, model and serial number should be recorded along with the name and signature of the employee using it. The records should be kept by your IT staff, which is probably already managing the issuing and maintenance of your company's laptops.
Personal laptops should never be allowed on a company network. You never know what's on a personal laptop that could infect your network.
Technical controls: Technical controls include encryption, personal firewalls, antiviral software and virtual private network (VPN) connections. Also, all laptops should have a standard build and be required to authenticate to your network like any workstation. In fact, look at a laptop as an extension of your company network, not something separate from it.
Encryption is vital for making sure data on the laptop doesn't fall into the wrong hands, in case the laptop is lost or stolen. Full disk encryption makes the laptop unusable to anyone who doesn't have the encryption key. Even if the disk is pulled out of the machine and installed on a test bed, the data is gibberish.
Products such as SafeBoot Device Encryption provide full disk encryption and are designed specifically for laptops. SafeBoot N.V.'s product requires the user to authenticate with a user ID and password before the operating system loads. Because it loads before the operating system, it can't be defeated by Linux boot disks, such as Knoppix, which bypass operating system logons to access machines.
SafeBoot works behind the scenes, continually encrypting the hard drive while the user is working. Similar products are offered by PGP Corp. and GuardianEdge Technologies Inc.
All laptops, like their stationary desktop counterparts, should be outfitted with personal firewalls and antiviral software. They should be up-to-date with the latest security patches. If you use Active Directory for authentication, laptops can be further locked down using Group Policy Objects, again like the desktops that are also connected to the network.
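The sign-out register and the technical controls described above can be cross-checked against each other to find laptops that are unrecorded, unsigned, unencrypted or behind on patches. The following Python code is an added example, not part of the original article; the two CSV layouts, the serial numbers and names, and the 30-day patch threshold are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sign-out register: the fields the article says to record.
REGISTER_CSV = """serial,make,model,employee,signed
SN1001,MakeA,ModelX,A. Rivera,yes
SN1002,MakeB,ModelY,B. Chen,no
SN1003,MakeC,ModelZ,C. Okafor,yes
"""

# Constructed per-device status report (hypothetical format), keyed by serial.
STATUS_CSV = """serial,disk_encrypted,firewall_on,antivirus_on,last_patched
SN1001,yes,yes,yes,2024-05-28
SN1002,yes,yes,yes,2024-05-30
SN1003,no,yes,yes,2024-03-02
SN9999,yes,no,yes,2024-05-29
"""

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not from the article
CONTROLS = ("disk_encrypted", "firewall_on", "antivirus_on")

def audit(register_csv, status_csv, today):
    """Return {serial: [findings]} for every laptop with at least one gap."""
    register = {r["serial"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    status = {r["serial"]: r for r in csv.DictReader(io.StringIO(status_csv))}
    findings = {}

    for serial in sorted(register.keys() | status.keys()):
        issues = []
        entry, state = register.get(serial), status.get(serial)
        if entry is None:  # device reporting in but never signed out
            issues.append("not in sign-out register")
        elif entry["signed"] != "yes":
            issues.append(f"no signature on file for {entry['employee']}")
        if state is None:  # signed out but not reporting its controls
            issues.append("no status report received")
        else:
            issues += [f"{c} is off" for c in CONTROLS if state[c] != "yes"]
            age = (today - date.fromisoformat(state["last_patched"])).days
            if age > MAX_PATCH_AGE_DAYS:
                issues.append(f"last patched {age} days ago")
        if issues:
            findings[serial] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit(REGISTER_CSV, STATUS_CSV, date(2024, 6, 1)).items():
        print(serial, "; ".join(issues))
```

A serial that appears only in the status report is the case to chase first, since it is either a company laptop that was never signed out or a machine that should not be on the network at all.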
Consider a VPN for secure communication back to the office for those on the road. A Secure Sockets Layer VPN doesn't require any software installed on the laptop but could cost more than an IT professional at an SMB is willing to spend. Products include those from Aventail Corp. and Juniper Networks Inc., and the open source OpenVPN.
If the worst happens, and a laptop is lost or stolen, the theft should be reported to the police and to the incident response team, if you have one, in your IT department. Even without a dedicated information security team, an SMB's IT staff should be informed of what happened. Free tools, like LaptopLock, can be used to register your laptops and can then remotely delete files or encrypt and disable the machine.
With these options, laptop security can be part of an SMB's overall IT security program with existing staff at minimal cost.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.