Firms are increasingly transitioning employees from traditional desktops to laptops as their only workstation to connect to the firm’s information resources and production applications. This has a variety of benefits, including increasing mobility of staff, providing secured remote access through a firm managed laptop, and allowing the employee to have a workstation in the event of a disaster (as highlighted by the recent series of hurricanes).
However, with this added mobility also comes additional responsibility to make sure the laptop is protected both physically and digitally. When issuing laptops to employees, it is important that the firm and personnel are both cognizant of the increased risks and responsibilities involved, and that the appropriate measures are being taken to protect the firm’s resources.
Laptops are easy targets for thieves, so employees must be reminded that it is their responsibility to:
- Physically secure their laptop by locking the door of the office where it is being utilized or securing it via a physical cable lock if they have to leave.
- Maintain proximity awareness of their laptop when in transit, meaning either visually having it in their line-of-sight by carrying it on their shoulder, or by always touching their computer bag (i.e. with their leg if it is placed on the floor).
- Put the laptop in the trunk, or otherwise out of sight inside the car, before driving off, not after arriving at the destination. Thieves have been known to watch parking areas specifically for people moving laptops into their trunks after they park.
Encrypted Hard Drives
Unfortunately, data is still being downloaded onto laptops, either because the employee wanted the convenience of saving and working locally, or they are concerned that they will not have Internet access where they are going and need to work on certain files. Be sure that employees:
- Use full-disk encryption (for example BitLocker on Windows or FileVault on macOS) on every drive that can hold firm data, so that a lost or stolen laptop yields no readable files. Encryption only protects a machine that is powered off or locked behind a strong credential, and the recovery key should be escrowed with IT so a forgotten password does not become a data loss.
Any access to a firm workstation and network:
- Must require a strong, unique password that is changed on the firm's schedule and immediately whenever there is any concern that an employee's password may have been compromised.
- Should require multi-factor authentication (Xcentric uses Duo Security), meaning that in addition to entering a password, the employee's identity is verified biometrically (fingerprint, facial recognition, etc.), by a one-time code or push approval on the employee's smartphone, or by a call back to a registered phone number.
Employees must be reminded that client confidentiality rules extend to wherever they may be working. They should:
- Utilize a screen privacy filter when accessing confidential data when in transit or in public places.
- Have the automatic screen lock set to a short idle timeout on laptops, with a password required to resume, rather than the 30 or 60-minute settings often used on desktops.
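The two controls above that live on the laptop itself, full-disk encryption and a short password-protected screen lock, can be checked rather than assumed. The following is an added example (not from the original article or from Xcentric): a read-only PowerShell compliance check for a Windows laptop using BitLocker. The 15-minute maximum idle time is an assumption standing in for whatever the firm's policy specifies.

```powershell
# Added example, not part of the original article: audit a Windows laptop for
# (1) BitLocker full-disk encryption with protection enabled and a recovery key
# protector present, and (2) an automatic screen lock within policy.
# Run from an elevated PowerShell prompt; exits non-zero when a finding exists.
param(
    [int]$MaxLockTimeoutSeconds = 900   # assumption: policy allows at most 15 minutes idle
)

$findings = @()

# 1. Operating-system volume. "FullyEncrypted" alone is not enough: protection can be
#    suspended (for example around a firmware update), which stores the volume key in
#    the clear on disk, so check both VolumeStatus and ProtectionStatus.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "BitLocker: $($os.MountPoint) volume status is $($os.VolumeStatus), expected FullyEncrypted"
}
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker: protection on $($os.MountPoint) is $($os.ProtectionStatus), expected On"
}

# A RecoveryPassword protector is what IT escrows (AD, Azure AD, MBAM) so a forgotten
# PIN or a TPM change does not turn into a data loss for the firm.
$protectorTypes = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($protectorTypes -notcontains 'RecoveryPassword') {
    $findings += "BitLocker: no RecoveryPassword protector on $($os.MountPoint); recovery key cannot be escrowed"
}

# Any data volume (anything other than the OS drive) must be encrypted as well.
Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
    if ($_.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "BitLocker: data volume $($_.MountPoint) is $($_.VolumeStatus)"
    }
}

# 2. Screen lock. Prefer the machine-wide policy ("Interactive logon: Machine inactivity
#    limit"), which the user cannot override; otherwise fall back to the per-user screen
#    saver settings, which must be active, password-protected and within the timeout.
$sysPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sysPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$machineLockOk = ($inactivity -and $inactivity -gt 0 -and $inactivity -le $MaxLockTimeoutSeconds)

if (-not $machineLockOk) {
    $ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($ss.ScreenSaveActive -ne '1') {
        $findings += "Screen lock: no machine inactivity limit and the screen saver is not active"
    } elseif ($ss.ScreenSaverIsSecure -ne '1') {
        $findings += "Screen lock: screen saver does not require a password on resume"
    } elseif ([int]$ss.ScreenSaveTimeOut -gt $MaxLockTimeoutSeconds) {
        $findings += "Screen lock: screen saver timeout is $($ss.ScreenSaveTimeOut)s, policy maximum is $MaxLockTimeoutSeconds"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: OS volume encrypted with protection on; screen lock within $MaxLockTimeoutSeconds seconds"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

The script changes nothing; it reports. The non-zero exit is there so an endpoint-management tool or login script can flag non-compliant laptops, and the machine-policy check comes first because a per-user screen saver setting is exactly the sort of control an employee can quietly loosen.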
Secure Operating Systems
Employees should be reminded that:
- Checking social media and non-work email accounts exposes the workstation to a broader range of malware and phishing, so it is also important for the IT team to ensure that the anti-virus/anti-malware applications and the operating system are updated automatically.
- Regularly shutting down and rebooting their laptops will allow updates and background maintenance to occur.
- Public WiFi and untrusted USB thumb drives can both introduce malware to the laptop, and public WiFi also exposes traffic to whoever runs the network. Instead, employees can use a mobile hotspot for Internet connectivity, and web-based portals and secure email for file transfers rather than thumb drives.
Updated Policies/Reminder Training
As firms transition to more mobile computing, it is important that the firm’s policies on remote usage are updated to reflect how and when laptops are utilized.
- IT and HR personnel should review all technology-related policies together and then provide training to staff.
- Firms should present mandatory annual security training for all personnel that would include the use of laptops.
Digital security has never been more important than it is today. When going through the checklist of threats that firms are dealing with, it is important not to assume that everyone is aware of mobile computing standards, particularly those that are transitioning to a laptop environment.
This article was originally published for the American Institute of Certified Public Accountants (AICPA). Copying or distribution without the publisher’s permission is prohibited.