In many companies it is common practice to hand out a company laptop to employees, and in most places the employee may bring that laptop home – sometimes it is even a requirement. But are these laptops secure, or are companies sending their IT security out the door with their employees?
The reality companies are facing
The level of threat that companies and individual users face is constantly changing – but in general we see an increase in both the number and the severity of the threats. Most companies have done a lot to secure their systems and overall company network. This has forced most attacks to be aimed directly at the users – more specifically, at the user's laptop. Once it leaves the office and the company network, you will potentially have hundreds – and for some companies thousands – of company gateways spread out in public places, cars and private homes, guarded only by the security measures on the laptop and by the users' compliance with your security policies.
New and updated operating systems contain many security measures, but they only work when they are implemented and deployed consistently. At the same time, we have to respect that the laptop is often the employee's primary work tool, so locking down the laptop too tightly with security measures could disrupt the user's ability to work efficiently. Choosing the right security measures for the laptop is thus often a question of evaluating the actual level of security they would provide, the user experience – and often also the cost of implementing and maintaining the measures.
And then there is the people dimension
Even the strongest security measures are only as efficient as the people using and managing the laptops. If security measures are not set up, deployed and maintained consistently, and if security policies are not adhered to by the users, then every laptop will be a potential security risk. Implementing IT security is not only a technical exercise – it is as much an educational task to get the users to understand the policies and why it is vital that they adhere to them.
How secure are your laptops really and how well have your users adopted a security mindset?
One way to find out is to complete a vulnerability assessment of your laptops including management and policies. It is a fairly simple exercise and will give you a picture of how secure your laptops are. Typically you will also get concrete input and recommendations on additional security measures that can be deployed.
It is essential that these recommendations are put into the context of the company, discussed with insight and prioritized. As stated previously, you cannot lock down the laptops entirely – and for most companies it will not be possible to implement all security measures at once. Also, the criticality and impact of a specific security vulnerability may vary significantly from company to company.
Are you getting the most from your investment in IT Security?
Assessing where you will get the most security from your investment is the important next step. This is not only a financial evaluation but should also consider the expected impact of the security measure, the technical complexity of the implementation and the impact on the organization and its processes. The assessment should result in a prioritized list of security measures and a plan to implement them.
Monitor your security measures!
Once security measures are implemented, you need to consider how they are monitored over time. Implementing security measures is an important first step, but as stated above, even the strongest security measures are only efficient when they are set up, deployed and maintained consistently. Monitoring the laptops will enable you to act quickly on any inconsistencies and to mitigate threats – and not least, it will give you the assurance that you are not letting your IT security walk out the door!