Laptop security

Don't leave it in the lap of the gods

By Matthew Stibbe

Your laptop is stolen. You have two options. Either the thief has access to all your data, your login password and your wireless internet settings - or they don't. Which would you prefer?

Of course, you can't make the choice after the wretched thing has been nicked.

"I can't think of a big organisation that hasn't lost some laptops," says Ken Munro, MD of SecureTest, a penetration testing company.

Casual theft isn't the only risk. A criminal can even look up the names of directors at Companies House, go to the Electoral Roll and get addresses, and then steal to order.

The weakest link

Laptops are often the weakest link in the security chain, according to Munro:

•	BIOS passwords are easily bypassed on most machines.
•	Even if it isn't, a thief can remove the hard disk and plug it into another machine.
•	Once they have access to the disk, there are free programs on the internet that will figure out your Windows user name and password.
•	From there, it's easy to crack locally stored VPN passwords, wireless network settings including encryption codes, locally cached email and anything else that is stored on the computer.

In other words, without proper protection, if they own your laptop, they own your data. Game over!

Proper protection

So what does a properly protected laptop look like?

•	Choose laptops with ATA-3 BIOS passwords which are harder to circumvent and which lock the hard disk to the specific computer.
•	Look for computers that include TPM (Trusted Platform Module) hardware.
•	Make sure users actually set a BIOS password.
•	Set up new laptops so that they can only boot from the hard disk.
•	The most important thing is to use encryption on your data. Windows XP Encrypting File System does the business. You could also try PGP.
•	For short, one-off secret files (e.g. a list of passwords) take a look at fSekrit. It turns text-only notes into encrypted files. It's also free.
•	Ensure that the Administrator account has been renamed and given a strong password.

A sterling tip

Encryption is vital. Although it is a bit fiddly to set up at first, it means that if your laptop is nicked, there are virtually no consequences apart from an insurance claim.

Take a minute to think about what happens when an employee does lose a laptop. The best setup is that you have a 24/7 reporting number so that accounts can be locked quickly to stop a thief getting into your business. If employees know that there will be no consequences providing they report a loss promptly, you will end up with more security.

Munro has one final tip which is both simple and effective. When choosing passwords, he recommends including a Pound or Euro sign. Why? Because most hacking tools are written in America and assume everyone has a US keyboard!

What next?

•	Laptops do get lost sometimes. Find out how not to lose yours, and what you should do if you do.
•	You can get free security training with Microsoft Small Business+ right now. (Free registration required).
•	Matthew writes a new column every fortnight. Subscribe and get each edition direct to your inbox.

Sign into Microsoft Small Business+ for free web-based training, online chat help and software support.

More info >

Our free newsletters are packed full of business advice and ideas - plus all the latest news

See an example

Get the latest bulletins and updates direct from Microsoft

All recent updates

Internet Explorer update