'Laptop security? Never heard of it...'

Is it any wonder we're hearing about so many breaches?

Despite rising levels of laptop theft and high-profile instances of data loss, businesses are failing to understand the need to encrypt their hard drives or better protect sensitive data.

Research conducted by silicon.com has found worrying levels of insecurity when it comes to laptops, with 63 per cent of respondents saying their company does not encrypt the data on their laptops. Furthermore, 67 per cent of respondents said their companies do not provide laptop locks to reduce the risk of opportunist theft.

Just 18 per cent of respondents are equipped with encrypted laptops and locks while almost half (48 per cent) are equipped with neither.

Bruce Schneier, CTO of BT Counterpane, told silicon.com too few businesses understand the need to secure the data held on laptops.

Schneier said: "It's really simple. Encrypt, encrypt, encrypt. Encryption is the solution."

He added: "The other solution is don't put things on your laptop."

That idea certainly fits with the kind of best practice espoused by Citrix, which uses laptops as more of a dumb terminal to access sensitive information via a browser and VPN.

Kurt Roemer, chief security officer at Citrix, told silicon.com greater mobility need not mean less security, adding that businesses simply do not need to carry sensitive data on laptops.

As such, Citrix encourages users to secure data centrally and use the laptop as a dumb terminal, accessing it securely over a VPN and saving nothing locally. As human error means users cannot be trusted not to lose a laptop and the threat of theft is ever-present, it is better, Roemer argued, to ensure no sensitive data is held on the laptop.

However, Stuart Okin, UK head of security at Accenture, said that approach isn't right for everybody, and in businesses reliant upon distributed networks of partners it can prove impractical.

Okin said: "From a compliance point of view of course there is critical data you must show you are protecting. However, data wants to be free."

As such, Okin said businesses must take the encryption approach and then allow encrypted data to travel with employees and business partners. However, companies should also be aware, he added, that their exposure could stretch well beyond the laptops they provide to staff.

He said: "Businesses can control the enterprise device because they own it and they can get hold of it," but warned lost laptops may occasionally belong to employees who used them to do some work at weekends.

Businesses must therefore also guard against what data can be transferred onto any device, and Okin said business rights management is essential. Working more closely with business partners to ensure they use encrypted devices - even if this means supplying the devices - is also essential, he added.