I’ve lost a string of pocket knives over my lifetime, some of them very nice, but I’ve got no idea who, if anybody, is finding them. I did find a pocket knife once, but it was a cheap Swiss Army knockoff, and I didn’t keep it. My turnover ratio is barely -6.
Dogs are not currently a part of my daily life, but I’m fond of them and enjoy the companionship and entertainment value. Unfortunately, dogs are only good for about a decade, and even less if you get one of those pricey purebreds that have the genetic robustness of a Saxe-Coburg.
Like dogs and pocket knives, you can’t expect a single laptop to last your entire lifetime. I’ve had 1 laptop stolen from my house, and 1 stolen from my office. I’ve never found one, so my laptop turnover ratio is -2.
In spite of the fact that laptops are so slippery, I’m still seeing corporate and government policies that require employees to maintain physical possession of their laptop at all times. Is a laptop really safer sitting next to you in a restaurant than it would be back in your hotel room? I have yet to encounter a company that issues watertight laptop cases to enable their travelling employees for the shower or spa, so I have to question how seriously anybody takes these policies. They are yet another form of “we won’t help you do the right thing, but if you do not do it, we reserve the right to punish you” policy. This is not conducive to cultural change, it does not encourage cooperation with IT or the infosec function, it is counterproductive. Period.
Anybody with a role important enough to be issued a laptop is almost certainly putting sensitive data on that laptop. Encrypt it. It’s time for full hard drive encryption to be considered a standard practice. If this is not acceptable, and you still need to provide employees with remote access, then figure out some secure way to access the necessary applications from kiosks and home PCs. If this is not acceptable, then give up. Telling people not to lose their laptops is a non-starter.
Writing policies that forbid the inevitable is a waste of everyone’s time. If your data is important to your organization, and your employees need to access it when they are outside your facility, you need to pay for data protection technology.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.