
Laptop Security: Protect Your Data, Protect Your Business
Data breaches are an immense problem for businesses of any size. Whether it's a major attack like the 2009 Heartland Payment Systems incident or a simple case of a dishonest employee "skimming" customer credit card numbers, the fallout from a data breach incident can damage or even destroy a business.
While data breach incidents can take many forms, quite a few come down to one issue: laptop computer security.
For instance, according to the U.S. Department of Health and Human Services, laptops played a role in 24 percent of all significant health care record data breaches; another 14 percent involved smartphones and other mobile devices. Other incidents, such as a 2009 data breach involving tens of thousands of Starbucks employee records on a stolen laptop, reinforce the fact that laptops and sensitive business data are a volatile -- and dangerous -- mix.
And while the data breach incidents that make headlines usually involve large businesses, it's a mistake to think smaller companies are immune. Whether you're talking about 10 people or 10,000, data breach disclosure laws mean that you're probably on the hook for notifying customers about a breach. If a third of your customers walk away as a result of such an incident, could your business survive?
More to the point, do you want to find out?
If you and your employees use laptops, you're almost certain to lose one from time to time. In fact, in a 2009 study, 95 percent of IT security experts said their organizations have dealt with lost or stolen laptops.
Worse still, the same study found that 71 percent of those experts said lost or stolen laptops resulted in a data breach. That's where prevention can -- and must -- work for your business.
Encryption: Practice Makes Perfect -- or Does It?
Security experts agree: The best ways to improve laptop security are encryption, encryption, and more encryption. Even if somebody gets their hands on a laptop that uses data encryption, they don't necessarily get the data stored on it.
The good news is that laptop encryption tools are mature, readily available, and easy to use. They range from free products like TrueCrypt to commercial software from companies like Symantec and Check Point. Some versions of Windows 7 also include Microsoft's outstanding BitLocker disk-encryption tool.
In some cases, laptop manufacturers ship their products with preinstalled data encryption solutions set up and ready to use. This is especially true for laptops designed specifically for business users, which may combine encryption software with tools like fingerprint readers. When you're in the market for a business laptop, always ask your vendor whether they offer such solutions.
The downside to laptop encryption is that users can disable or work around these tools. And that's exactly what many users do: In the same study cited above, more than half of the business managers surveyed said they deliberately disabled the encryption software on their laptops. These aren't malicious actions; most users just want to do their jobs as quickly as possible, and encryption seems to get in the way.
Even if employees use encryption properly, you may have to prove that the data on a lost or stolen laptop was properly protected. Some encryption tools include this kind of policy-reporting and auditing functionality, but it's usually limited to enterprise-class products. That's a problem even if you're sure the data was encrypted: if you can't prove it, you'll still have to notify customers as though you had not taken precautions.
Remote Access: Take Control from the Cloud
Today, more small businesses are deciding that the best way to protect laptop data is to eliminate it. There are two ways to do this: traditional virtual private network software that creates a secure link between the laptop and your company's internal network servers, and cloud-based services that allow remote access to sensitive business data from any Web-connected device.
The VPN is a time-honored method of protecting sensitive data. If you're logged into a VPN, it's just like being logged into a company's internal network. And that's typically a far safer place to keep the kind of data at risk of a breach incident.
And then, of course, there's the cloud. Rather than storing sensitive customer records on a laptop hard drive, a company might, for example, put them on a secure cloud-based document-sharing service or an application like Salesforce.com.
Either way, small business owners face two challenges. First, secure remote access comes down to secure passwords. If an employee can't or won't practice basic password security, you're simply moving the data breach risk from the laptop to your own internal network or cloud provider.
The second challenge is to keep employees from downloading sensitive documents to a laptop -- perhaps en masse -- simply because it's quicker and easier to work with those documents offline.
The Common Thread: Good Technology Demands Good Training
Which solution you choose for protecting laptop-based business data will depend on the size of your business, your technology budget, the number of laptops you support, the nature of the data you're protecting, and many other factors. But as this discussion makes clear, any technology solution will probably fail without one key ingredient: rigorous employee training and enforcement.
Any training program should emphasize three points:
Your security procedures are in place for a reason. Educate employees about the potential impact of data breaches, and explain why security technology is so vital to your business.
Build a culture of accountability. Audit employee use of encryption tools, check laptops for sensitive data that violates your security policies, and enforce penalties against employees who violate the rules.
Real-world security demands real-world feedback. Give employees an active role in improving your security policies. Ask them what works and what doesn't; allow them to critique different security tools and explain which ones best fit the way they work.
Ultimately, there's no perfect solution to the laptop data-security problem. Employees need access to sensitive business data to do their jobs, and every security tool has its own unique weaknesses. But if security is all about minimizing needless risk, employing the right combination of technology and training is far better than doing nothing at all.