Contents
Picture the morning after a heavy night out: a thumping head, a hazy memory of the last bar, and a work laptop that is no longer where it should be. In one widely reported case, that laptop held an entire city’s worth of personal records, tax and banking details included. By daylight, the hangover was almost certainly the smaller problem.
Incidents like that are far from rare. Freedom of Information requests to UK government bodies turn up the same pattern time and again, with devices going missing on a regular basis.
(National Archives 1 / National Archives 2)
If laptops and USB sticks routinely disappear from the public sector, the same is almost certainly happening across private business. That should concern any organisation, because a great many of them have no real data loss prevention strategy in place. A single mislaid laptop or memory stick can become a serious breach, and with it the risk of regulatory fines and lasting reputational damage.
The encouraging part is that this is a solvable problem, and a handful of practical measures will keep data on a device safe even if the device itself falls into the wrong hands. Here’s a quick guide on how to protect data on lost or stolen devices.
Disallow USB storage devices
One of the simplest ways to cut risk is to switch off features the business does not actually need, especially the ones that make data easy to walk out of the door.
Blocking USB storage is a quick win. Cloud based file sharing has largely replaced the memory stick anyway, so for most teams the disruption of turning it off is minimal while the security benefit is real.
There is a second reason to do it. A “USB drop attack” is a social engineering trick in which an attacker loads a malicious payload onto USB sticks and scatters them around a target’s car park or reception, often with a tempting label such as “Salary Info 2022”, hoping a curious member of staff plugs one in. Disabling USB storage on corporate devices closes that route off completely, since the malicious stick simply will not run.
Encrypt any USB storage you do keep
If removable storage cannot be removed altogether, then any corporate data on it has to be encrypted, using both a strong algorithm and, just as importantly, a strong password. Our guide to creating strong passwords covers what that looks like in practice.
Microsoft’s BitLocker handles this well, both for removable USB media and for full disk encryption on laptops. One word of caution: encryption takes time to apply, so do not pull the device out mid process or you risk losing the data for good. Backing everything up before you start is sensible in any case.
Encrypt the whole laptop
Full disk encryption on every corporate device is not optional. BitLocker covers this too, and in a managed environment you can enforce it through Group Policy rather than leaving it to individual users.
The relevant policy sits here:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Strong encryption backed by good credentials means a laptop going astray does not automatically mean sensitive data going astray with it.
Harden the device
Encryption is essential, but consider the awkward scenario: the device disappears while it is powered on and already unlocked. At that point the operating system and the user’s credentials are the last line of defence.
Out of the box, operating systems are rarely set to their most secure configuration. Vendors leave room for legacy software and a smooth user experience, which is understandable but leaves gaps behind. Hardening corporate devices against attack closes those gaps and keeps data protected even when encryption has already been bypassed.
Keep backups
Leaked data is one half of the problem. The other half is simply losing access to whatever was stored on the missing device.
Regular backups, or a shift to a cloud based way of working, mean that a lost or stolen laptop becomes an inconvenience rather than a crisis. The business carries on because the data still exists somewhere safe.
Train your people
This one is the most obvious and, oddly, the most neglected. People are involved in the overwhelming majority of security breaches, so staff who understand the risks of carrying corporate devices and data into public spaces are one of your strongest defences. Clear, regular training on looking after kit does more than most technical controls to keep data where it belongs.
Conclusion
No single measure will protect a lost device on its own, but together they add up to a solid position:
- Turn off USB storage where the business does not need it, and encrypt it wherever it stays in use.
- Apply full disk encryption to every corporate laptop, enforced centrally rather than left to chance.
- Harden device configurations instead of trusting the defaults, and keep regular backups so a lost device never means lost data.
- Train staff to handle devices and data sensibly in public.
Many of these controls, device encryption, removable media restrictions and secure configuration among them, also sit at the heart of Cyber Essentials, so tightening them up strengthens your certification position at the same time. If you want to know how your devices and wider setup would stand up to a real attacker, a penetration test is the way to find out.