One could certainly argue that today’s laptops are the “best friend” of small and medium businesses (SMBs). They’re increasingly powerful, flexible tools that have enabled field reps and remote workforces to be massively productive while untethered to a physical office location. Astounding in their versatility and applications, the modern laptop has emerged as the main computing device for millions and millions of users every day.
However, the laptop could also be labelled as the “worst enemy” of many SMBs. Roaming free, out in the wild, laptops are subject to numerous security risks – including loss, theft and hacking – that are a real cause for concern, particularly in regulated industries and for companies that use or share third-party data. As such, laptops in the field need to be inventoried and tracked, as well as managed and secured, in order to prevent their data from falling into the wrong hands.
As a first step, laptops must be encrypted so that in the event they are lost, stolen or hacked, the data stored on each machine is not accessible to the thieves. For SMB firms, that could mean managing dozens or even hundreds of machines and dealing with the headaches of tracking logins and passwords across employees, office locations and geographies. In addition to providing security, companies must ensure that employees have ready access to their organisation’s own data and need to avoid inadvertent “lock-downs” which can kill productivity.
Compounding the “worst enemy” problem is the fact that managing encryption and things like routine security updates and laptop password resets are activities ideally handled by an in-house IT department. Given that most small businesses don’t have and can’t afford an in-house IT group and that security expertise and knowledge often reside with a single individual who may or may not remain with the company, SMBs can find themselves at even greater risk, particularly when it comes to handling sensitive third-party data.
Establishing a security policy
Locking down laptops that use or share third-party data can also fall under regulatory control, such as the State of New York’s recently adopted cybersecurity regulations that direct financial, healthcare and insurance firms to follow policies that aim to protect both companies and consumers. Notably, companies are now responsible for third-party contractors who handle their information and shared data. This third-party information can include a myriad of things, such as Social Security numbers, names, birth dates and addresses, all of which are tempting targets for cyber thieves. New laws “expand the perimeter of responsibility” and squarely place the onus on businesses for compliance. Regulation will ultimately have a broad impact – organisations affected can range from medical facilities that outsource lab testing, to small companies that hire a recruitment firm or use a job search website to find more employees, to an insurance broker that sells policies for a larger national company. All will need to address security and compliance issues.
While a third-party security policy is the law for some, it makes good sense for businesses everywhere – even small businesses – to establish a security policy, especially in advance of potential new regulations. Here are three ways to start:
1. Conduct a security assessment. Ensure that every device is encrypted – phones, tablets and laptops. As many as one in four data breaches are a result of lost or stolen laptops. There is even an annual spike in laptop thefts in summer, just in time for back-to-school, so the spring is a great time to prepare. A very effective way to manage IT security is to execute a strategy of managing all devices via a cloud-based solution that avoids IT headaches but ensures machine-level security. Avoid BYOD (Bring Your Own Device) if you don’t have a security plan for it and proactively manage the devices your company owns. Remember: creating a strong IT security chain means many “links” (or layers), and assembling a robust security policy requires some effort!
2. Understand where sensitive data lies. SMBs should know where sensitive data is located in the organisation and have detailed knowledge about how it is protected in the day-to-day process of doing business. Encryption in the cloud protects you from the wrong people getting your data in the cloud, but full endpoint (laptop, desktop and device) encryption is necessary to have a complete security chain. Without endpoint encryption, data thieves can access everything that you store in the cloud by simply stealing login credentials. In effect, without endpoint encryption, you’re locking the front door but leaving the keys on the front step. Data in transit must also be secured, including providing for the use of firewalls and virtual private networks (VPNs) to ensure that it isn’t intercepted and stolen.
3. Employ multifactor authentication. This is the process of confirming a user’s identity by making them provide “something you have and something you know” for proper verification to gain access to corporate systems.
Keeping information safe is simply good business hygiene, and failure to be vigilant can be costly. Whether it is ransomware, spyware or malware, cybercrime is the latest and most virulent form of terrorism, and government and private sector spending on IT security continues to increase. Current research* says the average cost for a lost or stolen record is $158, so even one missing laptop or other breach can do serious financial damage, particularly to a small business. However, even greater than the financial cost can be the damage to a firm’s reputation, especially if that firm cannot demonstrate cybersecurity preparedness to regulatory authorities and/or the public.
Remember that anyone who shares data with anyone else needs to extend their security policy to that party, and you can’t have a weak link in the IT security chain. Businesses can expect that data protection standards like New York’s will roll out across other states, given the persistent threat of cybercrime in the form of highly publicised data breaches.
Regulatory compliance and implementing security don’t need to be complicated or expensive. Your organisation’s most commonly used tool, the laptop, is a great place to start, and your machines can be secured and managed through cost-effective and convenient cloud-based solutions designed to keep them from being hacked in the event of loss or theft. As part of an overall strategy, robust laptop security can keep your best friend from becoming your worst nightmare.
Ebba Blitz, CEO, Alertsec