Laptop Computer and Mobile Device Security Tips from CNA
Laptop computers are vital tools used by a wide population of contractors, and because of theft they are also the number-one risk those contractors face. Since laptop computers and handheld devices are not typically used in a fixed, securable location such as a jobsite, additional measures are needed to protect them.
- A formal security policy detailing end-user responsibility for securing these devices and the data they contain is essential. Devices should never be left unattended.
- Cable locks and docking stations should be used but only when the device is left in a secure location, such as an office, for short periods. These security methods are easily compromised, and higher-security options should be used when leaving a laptop in an office overnight (locked in storage area, file cabinet, etc.).
- Travel procedures should address common high-risk situations:
  - Avoid storage in automobiles.
  - Do not leave devices unattended in hotel rooms.
  - Airport security areas, check-in counters, baggage claim, restrooms, food courts, and curbside pick-up areas are all high-risk areas for theft of portable devices. Warn end-users to maintain extra vigilance in these areas.
Potential losses associated with exposure of sensitive data stored on stolen laptop and desktop computers can be much greater than the cost associated with replacing the stolen equipment. A key finding of the Ponemon Institute’s The Cost of a Lost Laptop study conducted in 2009 was that the average value of a lost laptop was $49,246. This value is based on seven cost components: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity, and legal, consulting, and regulatory expenses. Occurrence of a data breach represents 80 percent of the cost. Therefore, it is important to take additional steps to prevent losses related to data breaches associated with the theft of data storage devices and media.
- First, carefully evaluate the need for storage of sensitive information on any type of portable device or removable media. In many cases, it will be determined that the need for storing information on these difficult-to-secure devices is not worth the benefit given today’s threat environment.
- Where possible, prohibit such storage in an information security policy but also evaluate technical means of preventing this data leakage—disabling or monitoring usage of USB ports, content filtering, and other methods are possible.
- If it is determined that storage on portable devices or removable media is absolutely necessary, these data must be protected, and encryption is the most common means of doing so.
Encryption is the process of making data unreadable except to those who possess the appropriate key to decode and read the data. Many state breach notification laws do not mandate notification of affected parties if the data involved are encrypted. Following are two resources for encrypting stored data:
EFS—The Encrypted File System has been available on professional versions of Microsoft Windows® since Windows 2000. EFS allows file-level encryption of sensitive files. Additionally, Microsoft BitLocker® Drive Encryption is available on Microsoft Windows XP and Vista®. With BitLocker, all data on a PC can be encrypted, preventing unauthorized users from being able to circumvent operating system passwords and access data.
The Data Encryption Toolkit for Mobile PCs, from Microsoft, provides guidance and software tools needed to effectively use both EFS and BitLocker for encryption of sensitive data. See http://technet.microsoft.com/en-us/library/cc500474.aspx.
For more information, visit https://www.cna.com.
MCAA thanks CNA for being a benefactor of MCAA 2015.
This information is presented for illustrative purposes only and has been developed from sources believed to be reliable. CNA accepts no responsibility for the accuracy or completeness of this information. CNA is a registered trademark of CNA Financial Corporation. Copyright © 2014 CNA. All rights reserved.