Sometimes it feels like IT and physical security professionals are in a constant race to stay ahead of the latest challenges created by mobile technology. One day, attackers try to steal corporate laptops to use them as entry points into corporate networks. Next, they try remote attacks to compromise IoT physical infrastructure.
Through all of these back-and-forth physical and network attacks, one truth remains constant: The weakest link in physical and network security is always the endpoint—in other words, the user and the device. This article explores why improving laptop physical security is important and offers 12 best practices that any security team can use.
Why Corporate Laptops Need Enhanced Physical Security
The two most common concerns driving corporate security teams to institute better laptop physical security are loss prevention and regulatory compliance.
Mobile assets, such as laptops and tablets, are high-value targets. Petty criminals want them. Attackers after corporate data also want to steal them to gain entry to your wider network.
The costs stemming from a laptop loss or theft can add up quickly. There are direct replacement costs, but the indirect costs arising from lost productivity and the labor spent on remediation efforts frequently are more significant.
Even though laptops are mobile and increasingly used in the field, theft in the workplace should still be security professionals’ primary concern for laptop physical security. Workplace theft is much more common and potentially much more dangerous if the device is connected to internal network resources.
Industry regulatory compliance
Many industries have regulatory standards for how electronic data and the devices that carry them must be handled. Security personnel in those sectors will be very familiar with these standards, but if your organization's customers or business partners must abide by these standards, you will likely need to comply with them too in some capacity.
Some of the most commonly encountered regulatory standards in the U.S. for electronic data and laptops are:
The Sarbanes-Oxley (SOX) Act passed by Congress in 2002 mandates strict controls over financial data and requires businesses to institute fraud prevention measures. Those fraud prevention measures include requirements for securing electronic data. SOX violations can incur both civil and criminal penalties.
The Federal Information Security Management Act (FISMA) requires federal agencies, their contractors, and other business partners to implement strong data security measures. Any business that works for or with the federal government will likely need to abide by some FISMA regulations.
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Congress has updated HIPAA several times with significant additional protections for electronic patient data, most significantly in 2013 with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Losing laptops that hold patient records can trigger staggering fines under HIPAA-HITECH. For example, recently, the Rhode Island-based Lifespan Health System had to pay a $1,040,000 fine for losing a single unencrypted laptop.
12 Best Practices for Physically Securing Laptops and Other IT Devices
Here are 12 best practices for laptop physical security that can help organizations reduce their risk of theft and regulatory breaches. These practices only scratch the surface of what you can do to improve your laptop physical security, but they are broadly applicable and useful for businesses of any size in any sector.
1. Authenticate everywhere
Work backward, and begin by planning your defenses for the case where a laptop is already in the hands of an attacker. Work with your IT department to require strong authentication on all mobile devices. They can do this using a password policy in their IT directory services platform.
Strong passwords are essential but not foolproof. Once an attacker gets their hands on a device, their options to crack it skyrocket. In addition to on-device authentication, institute a program for authenticating users who request access to shared laptops, such as with an asset management system.
These physical security systems provide additional in-person authentication options to strengthen your security. Newer systems also offer contactless authentication for better workplace health, including radio frequency identification (RFID) fobs, which users simply wave near a scanner, smartphone apps, and biometrics, such as facial recognition and iris scans.
2. Use deterrents
Beyond your authentication process, you should look for ways to deter threats to corporate laptops before they even have a chance to get near your assets. Use conspicuous physical security to discourage attackers. For example, deploy visible security cameras that record the user signing out equipment from your asset management system.
You can also use deterrents to help prevent accidental losses. Post notices by time clocks or facility exits reminding users to return corporate assets before they leave.
3. Train everyone
Savvy criminals will always try to exploit the “human factor” in security programs. Laptop security training for regular users, security staff, and IT staff alike can mitigate that risk.
Include loss prevention as a topic in your new employee orientation. New employees should know from the start your policies and how to use your organization’s security systems. Follow that training up with annual refreshers, ideally as part of broader yearly security refreshers.
4. Provide security in BYOD environments
Provide secure storage options in bring your own device (BYOD) workplaces for idle laptops and other mobile electronics. Any device connected to your network and in your facility is a risk to your organization. Provide options for employee-owned BYOD devices and those belonging to contractors and temp workers.
5. Find opportunities to leverage for business growth
Security doesn’t have to be a cost center. Look for ways to turn physical security into a competitive advantage.
If your business involves holding customer data or protecting customer trade secrets, then your up-to-date security program can set you apart from the competition. For example, a customer in the financial services sector will be thrilled to know you’re aware of Sarbanes-Oxley and that you structure your laptop physical security program to align with it.
6. Have an intake process
You can’t secure what you don’t know you have. Set aside time to conduct a detailed equipment inventory. Then, create a process to inventory and secure every new device as it’s purchased.
7. Have a disposal process
Even old devices can be a liability if they’re not properly retired. You need cradle-to-grave physical security for laptops.
Just as you have an intake process, when a department removes a laptop from circulation, that should trigger a decommissioning process. Have IT wipe data from the laptop and remove it from your network.
8. Have a response plan
No security program will ever be 100 percent effective. Loss and theft will occur, especially when work habits change, such as shifts from in-office to remote work and back again. It’s critical to have an incident response plan in place so your organization can respond quickly.
9. Report losses immediately
Keep the inventory you’ve collected up to date with new additions, retired devices, and especially as soon as losses occur. The faster a loss is reported, the faster security and IT teams can respond, which increases the chance of recovery.
10. Back up your data
Your physical security program can’t neglect that laptops, tablets, and other mobile devices are also network assets. Mobile technology should never hold the only copy of corporate data. Use a combination of acceptable use policies and automated backup systems to ensure a copy of all data stays on central storage systems.
11. Balance security against productivity
By design, physical security measures create barriers to access. Determine how much risk you’re willing to tolerate in each business unit, such as the cost of lost equipment, stolen data, and regulatory fines. Then structure your physical security barriers for each team accordingly.
For example, you may want to apply strict laptop security for your accounting department laptops, which hold sensitive financial data, and less stringent security for warehouse department laptops, which don’t.
12. Monitor and adapt
Create mechanisms for gathering data about your security practices, such as with your asset management system’s reporting features. Automated data collection allows you to see hidden usage trends, informing how you adjust your processes. For example, is one work unit within the second shift reporting 200 percent more lost devices than all others? You might want to investigate that.
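An added example (not from the original article) of the trend check described above, written in Python over a constructed loss-report export: it normalizes losses by headcount, flags any unit and shift whose loss rate is at least three times the others (the "200 percent more" case), and measures how long each unit takes to report a loss. The record layout, unit names and headcounts are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample export from an asset-management system (not real data).
# Each record: (asset_id, unit, shift, date_lost, date_reported); field names are assumptions.
LOSS_REPORTS = [
    ("LT-0101", "Accounting", 1, date(2024, 3, 4), date(2024, 3, 4)),
    ("LT-0212", "Warehouse", 1, date(2024, 3, 9), date(2024, 3, 10)),
    ("LT-0301", "Warehouse", 2, date(2024, 3, 1), date(2024, 3, 8)),
    ("LT-0302", "Warehouse", 2, date(2024, 3, 3), date(2024, 3, 12)),
    ("LT-0303", "Warehouse", 2, date(2024, 3, 11), date(2024, 3, 20)),
    ("LT-0304", "Warehouse", 2, date(2024, 3, 14), date(2024, 3, 15)),
    ("LT-0305", "Warehouse", 2, date(2024, 3, 18), date(2024, 3, 28)),
    ("LT-0306", "Warehouse", 2, date(2024, 3, 22), date(2024, 3, 29)),
    ("LT-0407", "Sales", 1, date(2024, 3, 25), date(2024, 3, 25)),
]
# Assigned users per (unit, shift), so units of different sizes compare fairly (assumed values).
HEADCOUNT = {("Accounting", 1): 40, ("Warehouse", 1): 30, ("Warehouse", 2): 30, ("Sales", 1): 25}

def loss_rates(reports, headcount):
    """Losses per 100 assigned users for every (unit, shift) in the headcount table."""
    counts = defaultdict(int)
    for _, unit, shift, _, _ in reports:
        counts[(unit, shift)] += 1
    return {k: 100.0 * counts[k] / n for k, n in headcount.items()}

def reporting_delay_days(reports):
    """Median days between loss and report per (unit, shift); slow reporting lowers recovery odds."""
    delays = defaultdict(list)
    for _, unit, shift, lost, reported in reports:
        delays[(unit, shift)].append((reported - lost).days)
    return {k: median(v) for k, v in delays.items()}

def outlier_units(rates, factor=3.0):
    """Flag any (unit, shift) whose loss rate is at least `factor` times the mean rate of all
    other units; factor=3.0 corresponds to '200 percent more' than the rest."""
    flagged = []
    for key, rate in rates.items():
        others = [r for k, r in rates.items() if k != key]
        baseline = mean(others) if others else 0.0
        if baseline > 0 and rate >= factor * baseline:
            flagged.append((key, round(rate, 1), round(rate / baseline, 1)))
    return flagged

if __name__ == "__main__":
    rates = loss_rates(LOSS_REPORTS, HEADCOUNT)
    for key, rate, ratio in outlier_units(rates):
        print(f"{key}: {rate} losses per 100 users, {ratio}x the other units; investigate")
    for key, days in sorted(reporting_delay_days(LOSS_REPORTS).items()):
        print(f"{key}: median {days} day(s) between loss and report")
```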
Reliable Physical Control Options for Laptops
When it comes to controlling who can take laptops and other mobile devices, your options fall into two main categories.
Manual: locking cables, locks, and safes
These offer security right at the device, which can be desirable when you want straightforward control. However, these methods are inefficient and somewhat risky because they offer no centralized management or oversight. They are usually only viable in lower-security environments.
Automated: laptop locker solutions
These offer centralized management and better organization, making them ideal for organizations that need to manage a large volume of laptops or that use laptops in high-security environments. While they are an excellent choice for immediate device security, their greater value comes in the long run by offering smart asset management.
Laptop lockers allow you to automate physical device management and set special conditions on device transactions, such as curfews or inventory rotations. You can also collect comprehensive usage data and streamline your workflows, such as by automating equipment handoffs to tech support.
Good Laptop Physical Security Protects Your Entire Organization
Good device security protects everyone. The company is happy that its technology is protected. Workers are happy that thefts and network compromises don’t disrupt their days. Business owners are happy to see equipment budgets stay in the black.
Want to learn more about physical security for laptops and other mobile electronics? Check out our e-book Increasing Efficiency & Decreasing Costs with Mobile Device Management.
About the Author
Jay Palter, VP of Marketing