The portability of laptops makes them handy but also easy to steal or lose. Although replacing a missing company laptop is expensive, the consequences are much more serious if the missing laptop contains sensitive data. Having sensitive data lost or stolen exposes the company to problems such as the loss of consumer confidence and legal action.
You can help secure your company’s laptops and the data stored in them by creating a laptop security policy. This policy documents the rules and requirements that employees must follow when using a company laptop.
Laptop security policies cover what laptop users should not do. For example, they often state that laptop users should not:
Equally important, laptop security policies cover what laptop users should do. For example, they often discuss how users should:
Discussing what should be done is more involved than stating what shouldn’t be done, so here is a closer look at what you might include in these sections.
In the section on physically securing laptops, you can document how you want laptop users to secure their computers, especially when not in use. For example, when laptop users are in the office, you might want them to store their laptops in a locked cabinet. When they are on a business trip, you might want them to store their laptops in a hotel’s safe deposit box rather than leave the laptops unattended in a hotel room.
Protecting laptops from cyberattacks is an important section to include in your laptop security policy. Laptops usually do not stay connected to the network. As a result, they might not get the necessary software updates, including updates to the software that detects viruses, malware, and spyware. For this reason, it is a good idea to require that laptop users log on to the company network at least once a week to update company software.
Plus, if your company laptops are WiFi enabled, you should require users to verify any free WiFi hotspots before using them. Cybercriminals have set up fake WiFi hotspots at hotels, cafes and restaurants that look legitimate. If a laptop user logs on to a fake WiFi hotspot, the cybercriminal will see everything the user does online, including any usernames and passwords being entered. In addition, if the laptop is set up to allow file sharing, the cybercriminal can steal data and install malware on it. Verifying a free WiFi hotspot with the establishment supposedly offering it can help prevent this type of cyberattack.
In the section on protecting company data, you can cover the measures you want laptop users to take to protect their data. There are general measures you will want to include, such as creating strong passwords and not sharing them with anyone. You will also want to include any encryption requirements, such as requiring users to encrypt their files or encrypt a drive using the company-approved encryption tool. Plus, if your company has a virtual private network, you will want to require laptop users to use it when traveling for business or working from home.
Laptops that are not connected to the network during a company’s network backup operation will not get backed up. To make sure that backups are performed on laptops, you can require that laptop users perform a backup at least once a week. You will need to specify the backup method. There are many types, including backing up to a server on the network, backing up to a DVD or an external drive, and backing up to a company’s private cloud. If laptop users are backing up to a DVD or external drive, you need to make sure they encrypt and physically secure their backups.
Your laptop security policy should address how and when laptop users must return the company-supplied laptops and peripherals upon termination of employment. If the users backed up their laptop files to DVDs or external hard drive, those backups need to be returned to the company as well.
Including these sections is a good way to start your laptop security policy. You will likely want to customize it by adding rules and requirements you feel are necessary and removing those that do not apply.
After creating the laptop security policy, you need to have each laptop user read and sign it. You also need to enforce all the rules and requirements in it.