Skip to content

How to Protect Data on Lost or Stolen Devices

Laptops and USB sticks go missing all the time. Here is how encryption, device hardening, backups and staff training keep your data safe when they do.
How to Protect Data on Lost or Stolen Devices

Contents

    Picture the morning after a heavy night out: a thumping head, a hazy memory of the last bar, and a work laptop that is no longer where it should be. In one widely reported case, that laptop held an entire city’s worth of personal records, tax and banking details included. By daylight, the hangover was almost certainly the smaller problem.

    (Vice / BBC)

    Incidents like that are far from rare. Freedom of Information requests to UK government bodies turn up the same pattern time and again, with devices going missing on a regular basis.

    (National Archives 1 / National Archives 2)

    If laptops and USB sticks routinely disappear from the public sector, the same is almost certainly happening across private business. That should concern any organisation, because a great many of them have no real data loss prevention strategy in place. A single mislaid laptop or memory stick can become a serious breach, and with it the risk of regulatory fines and lasting reputational damage.

    The encouraging part is that this is a solvable problem, and a handful of practical measures will keep data on a device safe even if the device itself falls into the wrong hands. Here’s a quick guide on how to protect data on lost or stolen devices.

    Disallow USB storage devices

    One of the simplest ways to cut risk is to switch off features the business does not actually need, especially the ones that make data easy to walk out of the door.

    Blocking USB storage is a quick win. Cloud based file sharing has largely replaced the memory stick anyway, so for most teams the disruption of turning it off is minimal while the security benefit is real.

    There is a second reason to do it. A “USB drop attack” is a social engineering trick in which an attacker loads a malicious payload onto USB sticks and scatters them around a target’s car park or reception, often with a tempting label such as “Salary Info 2022”, hoping a curious member of staff plugs one in. Disabling USB storage on corporate devices closes that route off completely, since the malicious stick simply will not run.

    Encrypt any USB storage you do keep

    If removable storage cannot be removed altogether, then any corporate data on it has to be encrypted, using both a strong algorithm and, just as importantly, a strong password. Our guide to creating strong passwords covers what that looks like in practice.

    Microsoft’s BitLocker handles this well, both for removable USB media and for full disk encryption on laptops. One word of caution: encryption takes time to apply, so do not pull the device out mid process or you risk losing the data for good. Backing everything up before you start is sensible in any case.

    Encrypt the whole laptop

    Full disk encryption on every corporate device is not optional. BitLocker covers this too, and in a managed environment you can enforce it through Group Policy rather than leaving it to individual users.

    The relevant policy sits here:

    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    Strong encryption backed by good credentials means a laptop going astray does not automatically mean sensitive data going astray with it.

    Harden the device

    Encryption is essential, but consider the awkward scenario: the device disappears while it is powered on and already unlocked. At that point the operating system and the user’s credentials are the last line of defence.

    Out of the box, operating systems are rarely set to their most secure configuration. Vendors leave room for legacy software and a smooth user experience, which is understandable but leaves gaps behind. Hardening corporate devices against attack closes those gaps and keeps data protected even when encryption has already been bypassed.

    Keep backups

    Leaked data is one half of the problem. The other half is simply losing access to whatever was stored on the missing device.

    Regular backups, or a shift to a cloud based way of working, mean that a lost or stolen laptop becomes an inconvenience rather than a crisis. The business carries on because the data still exists somewhere safe.

    Train your people

    This one is the most obvious and, oddly, the most neglected. People are involved in the overwhelming majority of security breaches, so staff who understand the risks of carrying corporate devices and data into public spaces are one of your strongest defences. Clear, regular training on looking after kit does more than most technical controls to keep data where it belongs.

    Conclusion

    No single measure will protect a lost device on its own, but together they add up to a solid position:

    • Turn off USB storage where the business does not need it, and encrypt it wherever it stays in use.
    • Apply full disk encryption to every corporate laptop, enforced centrally rather than left to chance.
    • Harden device configurations instead of trusting the defaults, and keep regular backups so a lost device never means lost data.
    • Train staff to handle devices and data sensibly in public.

    Many of these controls, device encryption, removable media restrictions and secure configuration among them, also sit at the heart of Cyber Essentials, so tightening them up strengthens your certification position at the same time. If you want to know how your devices and wider setup would stand up to a real attacker, a penetration test is the way to find out.

    How can we help?

    A stolen laptop assessment or laptop build review can help organisations build a better understanding of the risks that may be present within their current environment.

    Get in Touch Today

    Recent posts

    The Cybersecurity Industry Has Let You Down

    Read more

    Cybersecurity for Law Firms in 2026: Which Threats Are Most Likely to Breach Solicitor-Client Confidentiality

    Read more

    ICS & SCADA Penetration Testing: How to Test Live OT Systems Safely

    Read more

    OT Penetration Testing: A Complete Guide to Securing Operational Technology

    Read more