As the technology for mobile computing becomes more efficient, easier to access and less expensive, the number of workers working remotely is increasing rapidly. Unfortunately, so are the security risks.
Midmarket companies without the resources for complicated and expensive network access control systems
Fortunately, there are solutions that don't require expensive hardware or software and can protect both laptops and the networks to which they connect. By using an established set of policies and procedures combined with some reasonably priced and easy-to-deploy products, there is no longer an excuse for sloppy mobile computing security practices.
Two-pronged approach to security
For midsized companies, there's a two-pronged approach to securing laptops that I think works best.
First is the low-tech approach. This involves teaching the basics of laptop security -- never leave your laptop unattended, use privacy filters to prevent shoulder surfers and other wandering eyes from stealing user IDs and passwords, and be aware of your surroundings. A little bit of education goes a long way. Put this information in a PowerPoint presentation or a company policy and make sure mobile workers sit through a review of this policy once a year as a condition of employment.
While laptop theft at airports is rampant, there is just as much risk in hotel rooms and rental cars. In hotels, it's probably best to take a laptop with you rather than leave it in the room unattended. As for rental cars, laptops shouldn't be left on car seats where they can be seen during appointments or visits to client sites. Make it a policy to lock a laptop in the trunk. Better yet, lock it in the trunk via cable to the spare tire.
When traveling, especially through airports, have employees carry laptops in briefcases, not in easily identifiable laptop carrying cases. Briefcases, carrying cases and the laptops themselves shouldn't have company markings, corporate logos or other features making them stand out. Your marketing department might not be happy with the lack of public exposure of the company's brand, but it'll be another step to keeping laptops out of the wrong hands. Laptops, like employees, should blend in the crowd as much as possible when on the road.
My second approach is using security tools, such as antivirus protection, firewalls and virtual private network (VPN) software. The first rule is that anyone working remotely can use only a company-issued laptop both out of the office and when connecting to the network.
Every company laptop should have a standard build reviewed and approved by your IT department or staff to ensure it meets information security standards. That means it should have updated antivirus protection, personal firewalls and VPN software for communicating back to the network.
As the CIO you should have a complete inventory of all laptops in use at the company. At the very least, have a list of makes, models, serial numbers, dates of purchase, the employee to whom each laptop was given and the date of issuance. If possible, barcode every laptop before it goes out the door, preferably with something tamperproof or even engraved on the case. You can't secure what you don't know you have, and a full accounting of where all your laptops are and who has them is vital to implementing any security controls.
Employees using laptops outside the office, whether at home or on the road, should be allowed to access the company network by only mobile VPN. If an IPSec VPN is too cumbersome for a smaller company, consider a Secure Sockets Layer VPN, which is just a Web-based VPN without some of the extra client software and hardware of its heavier-weight IPSec counterparts.
VPN access also protects the network from laptop users connecting from wireless access points, which are now common in airports and hotels. Public wireless hotspots are notoriously insecure -- and frequently unencrypted -- but a VPN creates a secure encrypted tunnel that lowers the risk tremendously.
Encryption is best defense
Now, despite all these controls, be forewarned: Laptops will get stolen. You can bet on it. So the best way to protect your company's data is full-disk encryption (FDE). With FDE, all the data on the laptop is constantly encrypted behind the scenes while the user is working. When the user shuts down, the entire hard drive is encrypted. When the user boots up again, he or she is prompted for a password that unlocks the machine. To a laptop thief without the password, the data on the disk will appear as gibberish.
A market leader in FDE is SafeBoot Technology N.V., which is now part of McAfee Inc. SafeBoot is geared to companies of all sizes and comes complete with management tools for centralized control of laptops by your IT staff. Another commercial product offering centralized management is PGP Desktop Professional.
Two popular free tools, similar to SafeBoot but lighter weight, are TrueCrypt and FreeOTFE. Both provide either full or partial disk encryption but don't offer the same centralized management options of a commercial product, like SafeBoot or PGP. But if you have a limited number of laptops to manage, free encryption tools might be a good option.
A policy for policies
All of these aforementioned suggestions should be enshrined in your company's IT security policy. Though policies are only as strong as the paper they're written on, they at least are a guide to what's expected of employees if a question comes up. And written policies, at least, rather than verbal directives, can (and should) be enforced.
Finally, have an incident response plan in case a laptop is lost or stolen. Have a number employees can call 24/7 to report a missing laptop. There should be an on-call rotation schedule with someone able to take action, to notify the police if necessary, mark the laptop as missing in the inventory and, if possible, wipe or disable the laptop remotely.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.
This was first published in April 2008