Laptop security best practices


Joel Dubin, CISSP, Contributor
06.11.2007


More employees with more laptops can mean greater exposure of your network to roaming security threats. And, in a worst-case scenario, a stolen laptop with sensitive customer data or proprietary company information can also expose the company to liabilities, legal or otherwise. Lost customer data can lead to identity theft and open the company to lawsuits. Lost proprietary information can damage the company's competitive edge, if not its business altogether.

Large organizations have sophisticated network defenses and firewalls to block malware from compromised laptops. For outbound threats, they may also employ complex content control systems to prevent the loss of customer data or company information. Not so for small and medium-sized businesses (SMBs), which may operate simple firewall networks on a shoestring and don't have the cash to spend on expensive content filtering systems and software.

But there are solutions for SMBs that won't break the budget and involve little or no overhead. Many of these solutions rely on simple procedures and best practices that don't require bulking up stretched-thin IT departments or hiring a dedicated information security team.

There are three parts to laptop security: physical security, administrative access and technical controls.

  • Physical security: A laptop should never be left unattended. If you have to get up, for any reason, power down the laptop and take it with you. Unattended laptops have been targets of thieves in airport lounges and at Starbucks.

    If it's absolutely necessary to leave the laptop, use a good lock. The Defcon SCL cable lock from Targus Inc. is designed specifically for laptops. It consists of a cable with a combination lock that plugs into the locking port of any laptop. The cable can be used to lock the laptop to a table if you have to step away for a minute.

    Other physical security measures for laptops include carrying them in nondescript briefcases rather than laptop bags, especially those emblazoned with big logos from the laptop manufacturer. Another thing to watch out for is shoulder surfing. Working on a laptop in a public place lets people around you see everything you're doing. Try to work away from crowds in a secluded area like an empty gate at an airport or a table facing a wall -- not a window -- in a coffee shop. Shoulder surfers have even been known to peer through windows.

    Privacy filters also protect against unwanted wandering eyes. Privacy filters are screens that stick to a laptop monitor with adhesive tape. Only someone looking directly at the screen can see it, but to others it looks dark. Privacy filters range in price from $50 to $90 and are available from 3M Co. and Fellowes Inc.

  • Administrative access: The best administrative controls are an inventory system for keeping track of who has a company laptop, and what they're doing with it. Every employee allowed a laptop should be required to sign it out, whether it's given for temporary or long-term purposes. The laptop's make, model and serial number should be recorded along with the name and signature of the employee using it. The records should be kept by your IT staff, which is probably already managing the issuing and maintenance of your company's laptops.

    Personal laptops should never be allowed on a company network. You never know what's on a personal laptop that could infect your network.

  • Technical controls: Technical controls include encryption, personal firewalls, antiviral software and virtual private network (VPN) connections. Also, all laptops should have a standard build and be required to authenticate to your network like any workstation. In fact, look at a laptop as an extension of your company network, not something separate from it.

Encryption is vital for making sure data on the laptop doesn't fall into the wrong hands if the laptop is lost or stolen. Full disk encryption makes the laptop unusable to anyone who doesn't have the encryption key. Even if the disk is pulled out of the machine and installed on a test bed, the data is gibberish.

Products such as SafeBoot Device Encryption provide full disk encryption and are designed specifically for laptops. SafeBoot N.V.'s product requires the user to authenticate with a user ID and password before the operating system loads. Because it loads before the operating system, it can't be defeated by Linux boot disks, such as Knoppix, which bypass operating system logons to access machines.

SafeBoot works behind the scenes, continually encrypting the hard drive while the user is working. Similar products are offered by PGP Corp. and GuardianEdge Technologies Inc.

All laptops, like their stationary desktop counterparts, should be outfitted with personal firewalls and antiviral software. They should be up-to-date with the latest security patches. If you use Active Directory for authentication, laptops can be further locked down using Group Policy Objects, again like the desktops that are also connected to the network.
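A small audit can tie the sign-out ledger to the technical controls above. The following is an added example, not part of the original tip: it reconciles a ledger against posture reports from laptops that authenticated to the network. The field names, serial numbers, report data and age thresholds are all constructed assumptions.

```python
from datetime import date

# Constructed sign-out ledger keyed by serial number (fields the article lists).
LEDGER = {
    "SN-1001": {"make": "ExampleCo", "model": "Model-A", "employee": "A. Rivera"},
    "SN-1002": {"make": "ExampleCo", "model": "Model-A", "employee": "B. Chen"},
    "SN-1003": {"make": "ExampleCo", "model": "Model-B", "employee": "C. Okafor"},
}

# Constructed posture reports, one per laptop that authenticated to the network.
REPORTS = [
    {"serial": "SN-1001", "encrypted": True, "firewall": True,
     "av_updated": date(2007, 6, 8), "patched": date(2007, 6, 1)},
    {"serial": "SN-1002", "encrypted": False, "firewall": True,
     "av_updated": date(2007, 4, 1), "patched": date(2007, 5, 20)},
    {"serial": "SN-9999", "encrypted": True, "firewall": True,
     "av_updated": date(2007, 6, 10), "patched": date(2007, 6, 10)},
]

MAX_AV_AGE_DAYS = 7      # assumed policy threshold
MAX_PATCH_AGE_DAYS = 35  # assumed policy threshold

def audit(ledger, reports, today):
    """Return {serial: [issues]} for every laptop that needs follow-up."""
    findings, seen = {}, set()
    for r in reports:
        serial = r["serial"]
        seen.add(serial)
        if serial not in ledger:
            # Unregistered hardware: treat it as a personal laptop on the network.
            findings[serial] = ["not in sign-out ledger"]
            continue
        issues = []
        if not r["encrypted"]:
            issues.append("disk not encrypted")
        if not r["firewall"]:
            issues.append("personal firewall off")
        if (today - r["av_updated"]).days > MAX_AV_AGE_DAYS:
            issues.append("antivirus signatures stale")
        if (today - r["patched"]).days > MAX_PATCH_AGE_DAYS:
            issues.append("security patches stale")
        if issues:
            findings[serial] = issues
    # Laptops signed out but silent may be lost, stolen or simply never connected.
    for serial in sorted(ledger.keys() - seen):
        findings[serial] = ["signed out but sent no report"]
    return findings

if __name__ == "__main__":
    for serial, issues in audit(LEDGER, REPORTS, date(2007, 6, 11)).items():
        owner = LEDGER.get(serial, {}).get("employee", "unknown")
        print(f"{serial} ({owner}): {', '.join(issues)}")
```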

Consider a VPN for secure communication back to the office for those on the road. A Secure Sockets Layer VPN doesn't require any software installed on the laptop but could cost more than an IT professional at an SMB is willing to spend. Products include those from Aventail Corp. and Juniper Networks Inc., and the open source OpenVPN.

If the worst happens and a laptop is lost or stolen, a theft should be reported to the police and to your IT department's incident response team, if you have one. Even without a dedicated information security team, an SMB's IT staff should be informed of what happened. Free tools, like LaptopLock, can be used to register your laptops and can then remotely delete files or encrypt and disable the machine.

With these options, laptop security can be part of an SMB's overall IT security program with existing staff at minimal cost.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.


All Rights Reserved, Copyright 2007 - 2009, TechTarget