Updated: 11 June, 2024
Laptops are a convenient solution for businesses of every size. Their portability makes them ideal for employees that need flexibility in when and how they work. But laptops are also a vulnerability. Being portable makes them easy to steal or lose, which is why it’s critical to have an effective laptop security policy.
Replacing a lost or stolen laptop is expensive, but the consequences can be much more serious if the missing laptop contains sensitive data. Losing sensitive data exposes the company to serious issues, such as a legal action, or a loss of consumer confidence.
This situation occurred in 2018, when a US healthcare provider was forced to notify 43,000 patients that their data was breached after the theft of an unencrypted employee laptop. That might sound far removed from your business, but a report published in Forbes shows that one laptop is stolen every 53 seconds.
Introducing a laptop security policy is the only way to reduce your business’ risk. In this article, we’ll discuss what to include in a laptop security policy, and how to implement an effective cybersecurity strategy.
What to Include in a Laptop Security Policy
You can help secure your company’s laptops and data by creating a laptop security policy. This policy documents the rules and requirements that employees must follow when using a company laptop. Laptop security policies cover what laptop users should not do. For example, they often state that laptop users should not:
- Let anyone else use the laptop
- Use the laptop for personal use
- Remove the tracking or mobile device management software installed on the laptop in case it is lost or stolen
- Install applications that are not approved by the company
- Use the laptop for inappropriate or illegal activities
Equally important, laptop security policies cover what laptop users should do. For example, they often discuss how users should:
- Physically secure their laptops
- Regularly updating laptop software
- Protect their laptops from cyberattacks
- Protect company data
- Back up their data
- Return the laptops to the company when they leave
Your policy should provide detailed information about each of these factors to help employees adhere to the rules. Each laptop security policy is different. Yours will depend on the size and scale of your business, how and where the laptops are being used, and the nature of your work.
As a general guide, we recommend including the following information in your laptop security policy:
1. Physically Securing Laptops
In the section on physically securing laptops, you can document how you want laptop users to secure their computers, especially when not in use.
For example, when laptop users are in the office, you might want them to store their laptops in a locked cabinet. When they are on a business trip, you might want them to store their laptops in a hotel’s safe deposit box, rather than leave the laptops unattended in a hotel room.
You may also want to discourage employees from using their laptops in public places, such as restaurants, cafes or public transport. Laptops can easily be stolen from these settings, increasing the risk to your business.
2. Regularly Update Laptop Software
Protecting laptops from cyberattacks is an important section to include in your laptop security policy.
Laptops usually do not stay connected to the network. As a result, they might not get the necessary software updates, including updates to software that detects viruses, malware and spyware. For this reason, it is a good idea to require that laptop users log on to the company network at least once a week to perform updates.
3. Protecting Laptops from Cyberattacks
Public WiFi networks are a major vulnerability for laptops that are frequently used outside the office. Cybercriminals are known to set up fake WiFi hotspots at hotels, cafes and restaurants that look legitimate.
If a laptop user logs on to a fake WiFi hotspot, the cyber criminal can see everything the user does online, including any usernames and passwords being entered. In addition, if the laptop settings allow file sharing, the cyber criminal can steal data and install malware on it.
Users should be required to verify any free or public WiFi networks they connect to. This is as simple as asking an employee to verify the name of their network. Verifying a free WiFi hotspot can help prevent this type of cyberattack, when combined with a strategy from a cyber security consultant.
4. Protecting Company Data
In the section on protecting company data, you can cover the measures you want laptop users to take to protect their data. There are general measures you will want to include, such as creating strong passwords and not sharing them with anyone. You will also want to include any encryption requirements, such as requiring users to encrypt their files or encrypt a drive using the company-approved encryption tool.
If your company has a virtual private network (VPN), you should require laptop users to use the VPN when travelling for business or working from home.
5. Backing Up Data
Laptops that are not connected to the network during a company’s network backup operation will not get backed up. To make sure that backups are performed on laptops, you can require that laptop users perform a backup at least once a week. You will need to specify the backup method.
There are several effective methods of backing up laptops, including:
- Backing up to a server on the network
- Backing up to a DVD or an external drive
- Backing up to a company’s private cloud
If laptop users are backing up to a DVD or external drive, you need to make sure they encrypt and physically secure their backups.
It can also be useful to establish a specific time to perform backups. This helps users form a habit. For example, requiring laptop users to backup their device at the end of each work week, prior to logging off, is a simple way to make sure data is always up to date.
6. Returning the Laptop
Your laptop security policy should address how and when laptop users must return company-supplied laptops and peripherals upon termination of employment. If the users backed up their laptop files to DVDs or external hard drives, those backups need to be returned to the company as well.
Why Your Business Needs a Laptop Security Policy
A study from the University of Maryland found that 95% of cybersecurity breaches are due to employee error. That risk increases when employees use laptops outside the office.
Developing a laptop security policy can substantially reduce the risk of data breaches and being targeted by cyber criminals. Without a laptop security policy, your business is at risk of:
- Loss of sensitive data – Customer information is a target for cyber criminals. If your business handles customer information, an employee’s laptop is an easy way for criminals to access that data. The average global cost of a data breach in 2023 was AUD $6.65 million, making this a substantial risk.
- Reduced consumer confidence – Data breaches lead to a reduction in consumer confidence. That can negatively impact your revenue for years to come. For example, following its major data breach in 2022, Optus lost 65,000 customers in three months, estimated to be worth approximately $55 million in revenue.
- Damaged brand image – Apart from lost revenue, the damage to your company image can be far worse. Customers expect businesses to keep their data secure, and avoidable breaches like the theft of a laptop are a major vulnerability.
- Increased costs – A laptop security policy can reduce the risk of damage, theft and cyber breaches, which lowers your IT expenditure. Replacing missing laptops may be a small expense in the long run, but the cost can add up if employees handle company assets improperly.
What Else to Include in Your Cybersecurity Policy
Data security is the biggest challenge surrounding employee laptops. Even if a user adheres to the laptop policy fully, it’s still possible for a laptop to be stolen, or for data to be compromised.
For this reason, your laptop policy should be supported by a comprehensive cybersecurity strategy that includes:
- Regular cybersecurity audits
- Employee education and training
- Vulnerability monitoring
- Regular software updates
- Hardware and asset management
- Data backups and disaster recovery strategies
- Encryption policies
A cybersecurity policy is only effective if it is tailored to your business. It’s important to work with a professional cybersecurity service to protect your business against threats, and prevent employees from accidentally compromising your systems.
Implement a Strong Laptop Security Policy With Surety IT!
Managing laptop security is a simple way to reduce your risk and IT expenditure. Including the items from our guide is a good place to start, but your policy is just one part of a comprehensive Managed IT strategy.
Surety IT specialises in outsourced cybersecurity and IT strategy. Our team is experienced in developing strategies to suit companies of every size, so we can protect your valuable assets and data. Our tailored IT strategies consider your business’ current needs, as well as your future goals. That allows us to design a strategy that can help your business thrive.
Contact us to learn more about laptop security policies, or speak with our team for a cybersecurity strategy that’s tailored to your needs!
Read more about data security:
How to Prevent Data Breaches in Your Business
Why Good Cyber Security is a Positive for your Business
Critical Tips for Improving Password Security
