Lost laptop data needs P45-level protection
Laptop theft, like the poor and Windows security patches, will be with us always. If something's useful enough to be carried, it's tempting enough to be carried away.
Today's laptops are different to their forebears, though. They're as fast and capacious as yesterday's servers, and just as capable of carrying the data for an entire payroll — or customer base. At the same time, they're cheap enough to give to everyone. What could be more natural than for your database administrator to whisk away the database for a weekend's tweaking at home? Or more dangerous: after all, your company's value — and untold liability — lives in that data.
If the laptop is stolen and the information compromised, then that machine becomes just as expensive as your data centre. Yet while your data centre lives behind bolted doors deep in the bowels of a secure building, the laptop will follow its owner into bars, cafés, the back of the car and the front room at home. It cannot be made physically secure.
The answer, of course, is to protect the data. There are many ways to do this, few of them new. Encrypt the hard drive behind two-factor authentication. Configure the laptop as a thin client and leave the data behind locked doors. Buy an intrinsically secure laptop in the first place.
But the most important part of the equation is the wetware atop the keyboard. If you're responsible for carrying major company assets around in an easily thievable form, then it's your job to make sure they can't escape. It's a very great responsibility — and one easily disguised by the extreme simplicity of taking it on. One drag and drop, and you're in charge of information that could go wrong to the tune of millions of pounds.
If that doesn't scare you and the people you work with, you shouldn't be doing the job. At the moment, it seems too few people are scared, because too few people take the security measures available to them. That's why we keep running the stories.
Set a solid security policy for off-site data, include draconian penalties to staff and contractors, and check it's being followed. Provide the means to follow that policy as painlessly as possible, but set the penalties for evasion or carelessness at a truly terrifying level. That might sound harsh — it is harsh — but if you assume the responsibilities for the livelihoods of hundreds or thousands of people, the implications cannot be left unsaid.
Get it right and you'll still lose laptops. You won't lose any customers, and you won't lose any sleep. And you won't lose your job.