I spoke recently to Rob Humphrey, director of security products in the Global Business unit at Kensington Technology Group, about implementing physical security for your laptops. Speaking with Humphrey left me wiser on the merits of implementing physical security, which I condensed into a number of tips for companies that might be considering a move in that direction.
While I have always advocated using encryption technologies such as BitLocker to protect data stored on hard-disk drives, Humphrey does make a valid point when he highlights that "it's better to keep the laptop out of the hands of thieves as the first line of defense."
The Value of Deterrence
One common misconception is that a laptop lock is impossible to defeat. This is wrong, since someone with a large-enough bolt cutter will always be able to cut just about any portable cable, steel-reinforced or not. But if a laptop lock can be defeated with the right tools or sufficient time, then why bother with one? The short answer has to do with its deterrence value. All things being equal, a thief confronted with two laptops-one secured and another that is not-will always go for the one that is not secured.
Humphrey described how he would secure his laptop to a lamp or chair in a hotel that might lack a proper fixture to loop around. He says, "The idea is to make it difficult for the thief to take your laptop. I will want to make sure that the potential thief will have to bring a lamp or chair along."
Consider Implementing a Master Key Solution
A common scenario with many businesses implementing physical security is to buy a whole bunch of individual laptop locks. While there is nothing wrong with doing that, flexibility with unlocking and relocating the laptop is lost should staffers go on extended leave, are temporarily indisposed due to health issues or perhaps even terminated abruptly.
A master key, however, will allow the IT manager or system administrator to unlock the device. This allows more control over equipment while still offering deterrence. And depending on the vendor, other options such as shared keys might also be available for easy, large-scale securing of infrequently moved hardware.
Issue Guidelines on Use
A common concern among employers is that issuing laptop locks might prove to be nothing more than an expensive logistical exercise if staffers don't use them. This is certainly true. Without guidelines for use, they're likely to be relegated to the bottom of a (deep) drawer. SMBs need to know that implementing physical security is more than just about buying locks and giving them out. Usage guidelines must be drawn up and made known.
While the exact guidelines will depend on individual businesses and culture, one suggestion that comes to mind might be the stipulation that employees are liable for the loss of laptops (either in part or whole), if they are stolen in situations in which it was possible to secure them, but this wasn't done. As a carrot, they might not be held liable after a theft if the laptop was properly secured.
Do you implement physical security in your SMB, or personally make use of a laptop lock wherever you go? Do feel free to share your experiences and anecdotes with us here.