Three things that could help if your work laptop is stolen
It’s a terrible sinking feeling – you put your shopping in your car, you turn your back for a moment to return your trolley, and then your laptop bag is missing. A lot of crime is opportunistic and all it takes is a moment of forgetfulness. The loss of a laptop is always more than an inconvenience (apart from that call to your boss) – hardware can be replaced and, depending on your company’s policies, so can your data. But it’s the data we’re focusing on here, as ultimately that is more important and more valuable than any physical asset.
This article was written after the events at the US Capitol on January 6th 2021, but before the news broke that the FBI was investigating whether or not a laptop had been stolen to sell to a foreign power. I’m hoping that the IT support team at the Capitol had implemented some (all?) of the points I’m going to cover here.
Hard Drive Encryption
A key security component should be encrypting the hard drive so that without a valid logon, a password or a strong recovery key, the drive is inaccessible and unreadable, even if the drive is removed and analysed. There are various third-party options to do this, but since 2007 BitLocker has been part of Windows. BitLocker works best when there is a Trusted Platform Module (TPM) installed on the laptop, which means that the drive will only automatically decrypt inside the laptop – if the drive is removed, a recovery key will be required. This means that to get access to any data, a valid logon is required once Windows has booted – and this logon can be protected by your normal logon process, including Two-Factor Authentication (such as RSA SecurID or Duo).
It’s worth noting that BitLocker can work without a TPM, but we typically don’t recommend this – you’ll have to either enter a password on every boot (separate to your normal logon) or connect a USB stick to get it to decrypt.
It’s important for any IT support department to keep hold of and securely store all BitLocker recovery keys, as these are used when normal decryption fails or when hardware changes; you don’t want to be in a situation where you lose access to your own data! Thankfully, Active Directory can securely store these keys against the Computer object, which is a really clever way of collecting them. Just make sure your Active Directory is secure!
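An added example, not part of the original article: a PowerShell check, run elevated on the laptop, that the system drive meets the points above (TPM-based protector, protection switched on, recovery password present) and can optionally escrow the recovery password to Active Directory. The `-Escrow` switch is this example's own name, and escrow assumes a domain-joined machine where Group Policy permits storing BitLocker recovery information in AD.

```powershell
# Added example: audit the OS volume against the BitLocker points in this section.
# Save as a .ps1 file and run from an elevated session. -Escrow is a hypothetical switch name.
param([switch]$Escrow)

$mount = $env:SystemDrive                      # normally C:
$tpm   = Get-Tpm
$vol   = Get-BitLockerVolume -MountPoint $mount

# Split the key protectors by type so each requirement is checked on its own.
$protectors = @($vol.KeyProtector)
$tpmBased   = @($protectors | Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' })
$recovery   = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

$findings = [System.Collections.Generic.List[string]]::new()
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings.Add('TPM missing or not ready')
}
if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
    $findings.Add("Volume status is $($vol.VolumeStatus), not FullyEncrypted")
}
if ("$($vol.ProtectionStatus)" -ne 'On') {
    # Off covers both "never enabled" and "suspended"; while suspended, the
    # volume key is stored in the clear and the drive reads like an unencrypted one.
    $findings.Add('BitLocker protection is off or suspended')
}
if ($tpmBased.Count -eq 0) {
    $findings.Add('No TPM-based protector: unlock relies on a boot password or USB key')
}
if ($recovery.Count -eq 0) {
    $findings.Add('No recovery password protector to escrow')
}

if ($Escrow) {
    foreach ($p in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $mount `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "Escrowed protector $($p.KeyProtectorId) to Active Directory"
        } catch {
            $findings.Add("AD escrow failed for $($p.KeyProtectorId): $($_.Exception.Message)")
        }
    }
}

# One summary object per machine; only protector IDs are reported, never the password.
[pscustomobject]@{
    MountPoint = $mount
    Compliant  = ($findings.Count -eq 0)
    Findings   = $findings -join '; '
}
```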
If the device is lost and not recovered, you certainly don’t want to lose data that you have been working on. Device backup is possible through various means and we’ve configured several methods recently for our clients. If you’re a regular reader of our blog, then you may remember that we’re big fans of Veeam at deeserve. Veeam has evolved as a product and can now also back up devices such as laptops on a schedule, so all may not be lost (depending on the schedule and when the device was lost). Another solution is to use Offline Files (part of Windows), which can keep certain folders in sync with a central file server – this may include your Documents, Desktop, etc. You could also use OneDrive, or any other Cloud storage product, but this may create issues for your data governance – maybe we’ll create a whole blog post about that in the future.
Mobile Device Management (MDM)
Mobile Device Management, or MDM, has become ever more important with more and more devices deployed around companies. Whilst it can be useful for general monitoring and software deployment, it can also be used to remotely wipe a device and effectively cause it to self-destruct (although this does require whoever took it to actually connect it to the internet). Depending on the device, it may even report geographical information which could be passed on to the authorities and the device recovered.
Losing an expensive piece of hardware is never fun but, with the right precautions, the integrity of your corporate data can be preserved.
Contact us today about any of the points above, to see how we can help your business protect itself.