Every company has an intricate policy regarding what is acceptable use when it comes to issuing staff with laptop computers. The rules cover what the laptop may be used for (no pornography, for example) and how it is to be transported.
Unfortunately, the rules most companies come up with are designed to protect the corporation from embarrassment or legal issues, and to ensure that if the device is stolen, the insurance will pay out. Few companies actually have rules to protect anything of real value.
The real value is the data contained on the laptop in unstructured files. By this I mean the user's documents and spreadsheets containing anything from sales proposals and budgets, to client lists and even corporate strategies.
Most companies do not see this as anything to worry about if the laptop is stolen, because there is no monetary value associated with these files. This is, of course, a fallacy since competitors can use these documents and spreadsheets to undercut or outmanoeuvre the company in the market, causing it to lose customers and money.
Admittedly, most of the laptop theft in SA is opportunistic and not part of an industrial espionage plan. Nevertheless, as globalisation gathers steam and affects more South African companies, there are those that will take every opportunity to gain a competitive advantage.
Single policy
Technology has reached a level where encrypting and decrypting data can be done automatically without affecting the user.
Amir Lubashevsky is director of Magix Integration.
However, there is no reason for companies to rush off and develop specific security rules for laptop users. The rules to secure the real value of a laptop must be part of the overall corporate security policy since it is no use securing one aspect of the corporation's information infrastructure while others are open to all and sundry.
When looking at the mobility aspect of the corporate security policy, it should be mandatory that all data stored on laptops (and any mobile device) should be automatically encrypted. Technology has reached a level where encrypting and decrypting data can be done automatically without affecting the user.
Another useful technology to consider is to include a "Here I Am" solution in each laptop. These solutions allow the laptop to "phone home" if someone tries to log in without the correct credentials and tell its rightful owners or the authorities where it is. The system needs to be activated and connected to the Internet for this to work.
When it comes to smaller mobile devices, such as smartphones or PDAs, many vendors offer the facility to automatically delete everything on the device if it is reported stolen. This is the optimal solution for ensuring any data on the device does not fall into the wrong hands.
Another option is to replace the traditional password with a USB security key. When the key is inserted into the laptop, it unlocks the system and when removed, it locks the system and prevents access.
My personal recommendation, however, is to opt for digital biometric solutions to lock and unlock laptops, and this includes decrypting data on presentation of the correct biometric key.
Backup plan
There are a plethora of security solutions designed to keep the data on a laptop private and even some to prevent unauthorised use of the laptop altogether.
However, it is unlikely that spending enormous amounts on security will prevent theft. This is especially true in SA, where there are millions of poor people who would take an opportunity to steal a laptop and sell it for a few rand without even knowing how to switch it on.
In these instances, it is highly unlikely that the device will ever be recovered. The most important issue therefore is to ensure that data is backed up. If it is, the user may lose his/her device but the data will be safe.
Of course, any IT manager will tell you how difficult it is to get people to backup their data, no matter how easy the process is made. Fortunately, there are solutions available that are installed on a person's laptop and operate in the background, backing up data without the user even being aware of it. Some even allow backup files to be stored offsite so that the user can retrieve them from anywhere in the world in an emergency.
Securing a laptop is not a case of travelling with the device in the car boot or making sure it is not left unattended at an airport. The physical machine can easily be replaced. The data is the critical aspect of a mobile device and businesses must have a security policy in place to firstly prevent the data from falling into unauthorised hands, and secondly, to ensure it is quickly and reliably recoverable from backup systems.
* Amir Lubashevsky is director of Magix Integration.
Share