
We have a policy that everybody who leaves their laptop at the office must put it in a cupboard or cabinet when they leave for the day. To make this easier, all laptop users are also provided with docking stations. The policy was introduced many years ago after the office was broken into at night.

Does it make sense to continue enforcing this policy, or is it security theater?


Details about our environment:

  • 40% of staff use remote desktop (no client data stored locally)
  • 60% of staff use thick applications to access client data on the file server
  • Client data is occasionally copied to laptops for use in the field
  • Outlook is installed locally on all laptops and connected to an Exchange server

Additional thoughts:

  • We are insured against theft, but the deductible is close to the cost of a laptop.
  • Privacy breach probably more expensive than loss of physical assets
  • The server room is considered sufficiently secure (no windows!)
  • Full disk encryption is being considered for all laptops
Nic

2 Answers


You'll have to gauge this for yourself, but in general I answer Yes to this question. The level of security measures you implement is largely about how much risk you are willing to assume. You have the financial risk of losing assets, as you've mentioned, and also the risk of losing data. If you are unwilling to accept that risk then yes, they should be locked away.

Toward your specific points:

  • "no client data stored locally" - Do you have ABSOLUTE control of this and can ensure this 100%?
  • "Client data is occasionally copied to laptops for use in the field" - sounds like that contradicts the first point
  • "the deductible is close to the cost of a laptop" - how about the cost of many laptops? How much do your premiums go up every time you have an incident and how much will you save over time by locking them up?
  • Privacy breach is almost ALWAYS more expensive than the cost of a physical asset. Your reputation is beyond gold.
  • "The server room is considered sufficiently secure" - what about theft from inside the company? A high percentage of malicious behavior comes from within.
  • "Full disk encryption" - since you have client data on mobile devices this should be mandatory and not even in the realm of consideration
squillman
  • That part of the answer alone deserves a +1: "Full disk encryption" - since you have client data on mobile devices this should be mandatory and not even in the realm of consideration – Alex Jun 28 '11 at 18:37
  • Excellent answer, thanks. The server room is locked separately and access is granted on as-needed basis. The other points are all very good. – Nic Jun 28 '11 at 18:47
  • I would surmise that probably better than 90% of data loss, theft, or security breach at privately held companies occurs internally. The percentage is probably equally high for publicly traded companies that aren't high profile enough to be targets for Anonymous et al. – joeqwerty Jun 28 '11 at 19:23
  • @joe Aye. That was the number I was initially going to post, but I didn't have the hard stats handy to back it up. – squillman Jun 28 '11 at 19:35
  • That's only a guess on my part but it seems logical as most companies aren't "on the radar" except from disgruntled current or former employees (although you probably couldn't call a former employee internal, except for the knowledge they have regarding the internal systems). – joeqwerty Jun 28 '11 at 22:53

Sounds like a sensible policy to me.

I wouldn't consider revisiting the policy until you have full-disk encryption on all of the laptops. Protecting customer assets is worth a minor inconvenience. Whatever your policy is, users can and do break it by putting documents in places they shouldn't.

Once you do, you have a simple theft scenario to worry about. Things to think about there:

  • How reliable is the office cleaning crew? High turnover for these jobs increases your chances of theft.
  • Who has access to secure areas? (Sometimes employees swipe, but the cleaning people have an all-access key)
  • Do the secure areas have a good door?
  • Do you/landlord have cameras at doors to your offices and the building entrances?
  • Is there a perimeter alarm?

If you've protected the customer data, and have answered the other questions to your satisfaction, you can ease up on the "lock your laptop" policy.

Locking things in a cupboard may seem silly, as they are easy to pry open, but keeping valuables out of sight and making them hard to get to has a deterrent effect on some break-in type scenarios.

duffbeer703