Wow. If you think we’re safer when it comes to information security, think again. I don’t mean this in as bad a way as you might think. Before I go into details, let’s have a look at these headlines:
- Stolen laptop prompts Administaff to alert 159,000 of possible breach
- 10,000 Employees’ Data on Stolen Laptop
- Theft Of Gap Laptop Puts 800,000 Job Applicants At Risk
- TJX theft tops 45.6 million card numbers
- Laptop Stolen From D.C. Home
I could go on and on … but how many times does a mistake have to happen before it sinks in? Employee-issued laptops are a hot item these days, as they hold confidential company information, personal information, customer information, and more. Information security starts with you, not the enterprise virus scan or the corporate firewall (but those are important, too).
I'm trying not to sound like an anti-drug PSA, but it’s entirely possible to take people’s information, fraudulently create accounts and false identification, and possibly use them in the purchase of weapons. In essence, one laptop theft can result in domestic terrorism. A stretch, I know, but a theft like this only encourages it.
Here’s a detailed guide for protecting your work-issued laptop, and I don’t even work in risk management:
- Guard your laptop like it’s your next unborn child. Never leave it unattended in your car, house, coffee shop, or a friend’s house. Not that they will necessarily steal it, but you want to be accountable for where your computer is at all times.
- Going away for a while? Leave your work laptop in a secure location at work. Nobody can steal something that isn’t there, and it will be one less worry. If you’re on vacation, make it a vacation and disconnect. The world will not stop if you don’t respond to your e-mail.
- Trust but verify. When downloading attachments, performing various troubleshooting, and responding to peculiar requests, trust it — but verify it. That means even though you regularly talk to someone, and they said something like “send me those records,” when you aren’t sure, take it offline and verify it with them via telephone or in person.
- Do not install “gateway” software. What is gateway software? P2P applications, simply. Anything that can download and/or share files from the computer to the rest of the Web. You really don’t want your financial document to be posted on Frostwire, do you?
- Periodically re-image your machine. While none of us wants a laptop stolen, testing how reliably you can recover backed-up data is a good way to familiarize yourself with the types of information your laptop carries. In addition, re-imaging will ensure that unknown programs installed or collected over time are removed and don’t pose a risk.
- Make frequent, network-based backups — don’t store locally. As tempting as it is to keep all your documents on your computer, it’s wise to store them on the network (at work), so you can find the files you need from any machine. In addition to adding this ability, it will also allow you to perform damage control by accounting for which files are on your computer and which are not.
- Using public Wi-Fi? Don’t connect to “Free Public Wifi” or similar SSID names in a public area. Often these are other computers, and connecting to them could be used to easily get around your firewall. If you use wireless, make sure it’s encrypted, and if you’re doing work, connect to your VPN so you can guarantee a secure link and no sniffers can pick up your data.
- Engage yourself in security discussion. Don’t wait to be a victim; listen to the security folks at your work and take their advice. They know their stuff, they understand your frustrations, and they can help you work around them easily. Likewise, be sure you check for updates for your software, as outdated software is another hole.
- Never write down passwords. When we were signing onto AOL in the early ’90s, having passwords written down on a piece of paper was acceptable; it is not these days, when we’re all fighting information security risks. Often the easiest way to defeat security, [sic] is often the easiest way.
Now that you are guarding your laptop like a paranoid conspiracy theorist with tinfoil on your head, take a moment to step back and combine what you now know with reality. It’s acceptable not to follow all the above steps; just understand the risks involved and manage those risks accordingly.