Developing a Workplace Laptop Security Plan


The Need for Laptop Security

Laptops containing critical, confidential or sensitive data provide employees in the workplace with access to the information they need for their daily activities. Keeping those laptops secure requires creating a solid plan to mitigate or minimize the risks of loss or other security threats. Companies or organizations that do not develop a workplace laptop security plan expose the business to the possibility of civil and/or criminal litigation.

In June of 2006 an employee of the IRS lost a laptop containing the names and personal information of over 290 employees. Earlier in the year a laptop with the information of over 26 million veterans was lost. After the British Petroleum Gulf oil spill, a laptop was lost along with the names and social security numbers of 13,000 victims of the spill.

While the loss or theft of a laptop is not necessarily avoidable, companies must proactively protect the data on their laptops to avoid loss of reputation, remediation costs, and any fines or penalties from court cases.

Plan for Basic Security

Data loss on a laptop does not always result from theft or misplacement. Laptop users browse the internet, connect to unfamiliar networks, and attach flash drives from different sources, so the workplace laptop security plan must account for viruses and malware. Every laptop needs anti-virus and anti-malware utilities as part of its standard deployment. The plan must also include firewalls configured to block access from internet sources while still allowing corporate applications to reach the information they need.

Strong passwords must be implemented to prevent casual attackers from gaining easy access to the contents of the laptop. The Center for Internet Security recommends a minimum length of 8 characters with a mixture of upper and lower case letters, numbers and special characters.

Advanced Laptop Security

Laptops containing critical data require additional levels of security to protect the contents. Disk-level encryption renders the entire drive containing the operating system and any data unreadable without the correct authorization. Two-factor authentication provides a layer of security beyond passwords. This level of authentication not only requires the use of a strong password but also needs the entry of a randomly generated passcode displayed on a separately carried token. RSA provides one technology that makes this level of authentication possible.

The use of software tracers increases the chances of recovering lost or stolen laptops. zTrace provides a suite of products designed to track stolen laptops and, in some cases, delete the contents of the laptop to ensure that the data does not fall into the wrong hands.

Developing the Incident Response Plan

The plan for laptop security in the workplace must deal with the eventuality that a laptop is hacked, lost or stolen. A careful inventory of all laptops and their contents should be maintained in a central location. The type of data on the laptop, the location of the loss, and the jurisdictions in which the organization does business dictate how the group responds when a laptop is lost.

Escalating tiers of alerting and reporting correspond to the criticality of the data involved. The loss of low-severity data may only require alerting the personnel involved, whereas the loss of credit card data or social security numbers requires alerting law enforcement, the people potentially affected by the loss, and other stakeholders.


Sullivan, Bob, “Lost IRS Laptop Stored Employee Fingerprints”, “BP Loses Laptop Containing Thousands of Oil Spill Victims’ Personal Information”

Evers, Joris, “Getting Over Laptop Loss”

RSA SecurID

Center for Internet Security Benchmarks

Image credit: graur razvan ionut