Lost Laptops; Lost Data

Don’t be lulled into a false sense of security just because news of security breaches and data loss usually involve attacks on enterprise databases and mainframes. You’re equally vulnerable and exposed on the other end of the IT spectrum— if employees lose smaller digital devices, such as phones, USBs, tablets and especially laptops.

No company can escape this risk, but companies that deal with clients’ more personal financial information, like private equity firms and hedge funds, are at even greater risk. At stake is their clients’ personal information as well as their corporate reputation and brand trust. In general, given financial firms’ fiduciary responsibility, they face stricter external compliance and conformance strictures from regulatory bodies, including the Securities & Exchange Commission.

So how big is this laptop loss problem, really? The numbers from device-security manufacturer Kensington are alarming:

  • One laptop is stolen every 53 seconds
  • 52% of devices are stolen from the office/workplace, and 24% from conferences

Laptops hold the key to almost everything

Employees lose their laptops in one of two ways: they’re careless and leave them behind (in a taxi or coffee shop), or the device is stolen. In both cases, if an employee’s laptop contains any of your corporate assets—sensitive information downloaded from your databases, internal emails, conversations about confidential data, or any information identifying client data—your data is at risk, and your reputation and company are now in jeopardy. You hear all the time in the cybersecurity community about how employees are your weakest link, which means the endpoints they use to do their work every day (i.e. laptops) is right up there with them.

Shadow IT

If your company subscribes to a Bring Your Own Device (BYOD) policy, you face an additional problem. Company-issued laptops likely adhere more closely to corporate IT rules and procedures, but when an employee brings in their own laptop, you face the introduction of additional applications, possible malware issues, and a host of unknowns that are less likely with your corporate-issued laptops.

If BYOD is in effect at your organization, treat these “guest devices” with the same diligence you do company issues: enforce device passcodes, require full-disk encryption when accessing any corporate data, and be sure you have strong mobile device management (MDM) procedures to quickly protect or remove data when a laptop is stolen or compromised.

Even if BYOD isn’t a part of your company, you need to deal with unsanctioned usage of personal devices—laptops, USBs, tablets, and other personal gear. Companies that downplay and don’t adequately protect against laptop loss, especially those dealing with highly sensitive personal and financial information, such as healthcare providers, private equity firms and hedge funds, are playing Russian roulette.

Do companies have procedures in place to deal with personal digital devices? Of course many do, but they often don’t treat this device class as seriously as their mainframe and database for the very reason we mentioned above: the headlines and attention to data losses goes to the big gear, not laptops.

This approach is a mistake. Recognize that even though laptops have smaller data sets at risk, they are critical pieces of your business and must be protected with the same care as you accord your mainframe and databases.  Remember, people are your greatest cybersecurity weakness, which means their endpoints are next on the list.

Your to-do list

It’s inevitable, your employees will lose laptops from time to time, which is why we recommend the following steps to keep your data and organization cyber-safe:

  1. Initiate preventive procedures to minimize loss and theft.
  2. Enforce laptop encryption. And don’t settle for partition encryption; protect the entire system with whole disk encryption. That way, if a bad guy has your laptop, when he powers it on and attempts to gain access, he’ll be prompted for a password. Use a strong password, and he’s out of options.
  3. Use an all-inclusive program like Microsoft Intune to protect ALL your mobile devices: phones, tablets, laptops, including mobile apps. You can also offer your employees personal device protection if you have a BYOD program.
  4. Make laptop and digital device usage and protection an integral part of your security governance program. If a loss or theft occurs, have an incident response plan in place to quickly deal with the situation.
  5. If your company has a BYOD policy, create and strictly enforce guidelines on personal device usage, maybe even requiring VPN access to corporate information.

There’s a lot when it comes to cybersecurity that shrinking IT teams are tasked to manage – we get it.  If things like lost laptops, and endpoint protection in general, is something your resources just don’t have the bandwidth for, contact us to see how we can help.