Despite the proliferation of smartphones and tablets in the enterprise, 26% of workers use office laptops to conduct business, according to a 2012 study conducted by Harris Interactive. Of those workers, 61% store critical data on their systems, including sensitive information about the organization and its clients.
Given the continuing, well-publicized string of laptop thefts -- United HomeCare Services, Family Health Enterprise and the Washington State Department of Social and Health Services, to name a few -- IT is under great pressure to ensure enterprise laptop security. Yet devising and enforcing an effective mobile security policy is no small task. IT must implement robust usage policies, manage the physical devices, take steps to protect data, enforce password requirements and control access to corporate resources.
Define a mobile security policy and proper usage
No matter what steps IT departments take to protect corporate laptops, the effectiveness of those steps depends on an endpoint security policy that clearly defines how workers are expected to use and protect those laptops.
Usage policies must be carefully defined and communicated. A good place to start is to include information about how to physically protect laptops, covering such details as not leaving them unattended and using physical locks to secure them.
The mobile security policies should also include information about network connectivity. For example, employees should know when and where Bluetooth or peer-to-peer networking can be used and whether these features have been disabled. IT should instruct workers about the dangers of unsecured Wi-Fi networks, and about external devices that can enable secure network connections, such as travel routers that protect Ethernet access.
A laptop security policy should consider unsafe practices, such as unsecured Internet surfing, clicking links and opening attachments in unfamiliar emails, and installing third-party software and services.
In addition, the organization should specify what steps it would take in the event a laptop is lost or stolen or data is compromised in any way. All workers who use company laptops should receive extensive security training and acknowledge their awareness of corporate policies.
Before handing out laptops, IT must configure them with domain policies and management software to ensure ongoing maintenance of each device. Administrators must be able to install security patches, change configuration settings, and regularly monitor and audit laptops to assess risks and ensure regulatory compliance.
In addition, admins should disable any features deemed a security risk, such as Bluetooth, peer-to-peer networking or the ability to boot from a CD or USB drive.
IT must also set up each laptop with anti-malware software and cloud-based services to stay current with breaking threats. Such endpoint defenses should include kernel-level host intrusion protection, firewall security and whatever other safeguards meet the organization's specific requirements.
In addition to protecting them from malware, desktop admins should configure laptops with the software or services necessary to track and disable devices and remotely wipe sensitive data.
When it comes down to it, safeguarding sensitive data is what endpoint protection is all about. Although hardware can be pricey to replace, those expenses are nothing compared with the potential costs of compromised enterprise data. At the top of the list of precautions should be full-disk encryption that uses 256-bit Advanced Encryption Standard encryption or stronger, and requires preboot user authentication.
Even with full-disk encryption, critical data should not be stored on laptops. Workers should have on their systems only the data needed to conduct business. Sensitive data should primarily be stored in a secure data center with secure means provided for accessing that data.
Peripherals such as portable external hard drives and USB flash drives should also be encrypted, or the laptop should be configured to prevent their use. Laptop data should also be backed up regularly in case data is lost or compromised.
Enforcing password requirements
This should be a no-brainer, yet workers continue to share and reuse passwords, use weak passwords or, in some cases, use no passwords at all. For this reason, all enterprise laptops should require workers to use strong passwords to sign into their computers at startup or wake-up.
In addition, the laptop should lock itself after a prescribed number of minutes of inactivity. Passwords should tie into the full-disk encryption system, if one has been implemented. Note that biometric authentication could affect password usage and policies.
Employees should also be encouraged to set passwords that are difficult to decipher and are not used elsewhere. And they should be trained not to share their passwords. IT should include these instructions in the usage policies provided to all laptop users.
Controlling corporate access
When users have their laptops in the office, they're likely to connect physically to the corporate network or via corporate Wi-Fi, in which case the organization's usual safeguards will apply. However, when workers take these mobile endpoints out of the office, they leave behind many of those safeguards. Yet they usually still need to access corporate resources from outside the organization's firewall.
A virtual private network (VPN) continues to be one of the safest and most effective ways to provide remote access to corporate resources. A VPN lets workers communicate with the corporate network via a public network -- most notably, the Internet -- from any geographic location. Data transfer between the laptop and corporate network is encrypted, so hackers eavesdropping on the public network cannot read the sensitive data passing over it.
In cases where workers are unable to establish a VPN with their organization's network, they might still need to send and receive email. As a result, IT should ensure that all messages sent from and received by the laptop use Secure Sockets Layer or Transport Layer Security to safeguard those communications.
Safeguarding the laptop
Protecting enterprise laptops is an ongoing task, and security threats are constantly evolving. A good mobile security policy governs not only laptops, but also many other portable devices. Endpoint protection should also consider data protection, password control and network access.
Too much is at stake not to make laptop security a priority. All it takes is one incident to damage an organization's credibility. Rebuilding reputation can be more costly than any enterprise laptop security measures.
This was first published in December 2013