Keeping your organization safe and secure has never been more difficult, not least of all because of the distributed nature of the workforce in today's landscape combined with the explosion in endpoints (or entry points, if you're a cyber criminal). As an IT administrator, you're also on the front line and responsible for implementing procedures that may often be the difference between business as usual – and an employee carelessly letting one of the biggest ransomware groups into the corporate network.
When configuring new laptops for employees, there are several key measures and policies that your business should adopt to minimize risks. You cannot account for everything – such as highly sophisticated phishing campaigns targeting employees through their email inboxes, or even shoulder surfing. But there are things you can control – like installing antivirus on all machines or a firewall as a service (FWaaS) by default – and it's imperative that your organization does everything within its power to ensure employees preserve the security of the organization that you and your colleagues work so hard to maintain.
Pick the most secure laptops
The first step to enjoying good laptop security starts before you get your hands on the laptop in the first place. When choosing the best business laptop to distribute among workers in the business, plenty of factors should come into play – strong battery life is essential, as is a healthy amount of RAM and processing power. Its size and weight are key considerations. But an often overlooked component to this equation is the security that's baked into the design of the machine itself. Which features does the laptop have, either in terms of its hardware or software suites, that may give employees that added protection?
There are several key features that we would look out for in particular. Support for monitoring solutions is chief among them, as is platform integrity validation, Intel vPro Remote Management, and many more. Ensure the laptop is embedded with a Trusted Platform Module (TPM) 2.0 chip and that it supports BitLocker device encryption. Secure Boot, too, is a key piece of technology that ensures the firmware checks the signature of each piece of boot software – including firmware drivers, EFI apps, and the OS itself. Other features we'd look out for include webcam switches – that shutter the webcam when not in use – and biometric login devices like fingerprint scanners or Windows Hello-compatible webcams.
Encrypt laptop hard drives
Cloud computing is widespread and plenty of data and workloads are run remotely. But that doesn't mean that you should neglect the importance of protecting local storage. By far, the most effective way to protect the data stored locally on a hard drive is by encrypting it. The purpose is to avoid the data falling into the wrong hands should the laptop be lost or stolen. Fundamentally, it creates a massive barrier at the first hurdle. There are easy ways to implement this, with BitLocker device encryption settings built into Windows – but there are plenty of alternative providers that can be implemented on machines to handle the process and don't require a Microsoft account tie-in. There are plenty of services, for example, like VeraCrypt, that allow you to encrypt a disk sector by sector.
Set up MFA for all users
Enroll all devices into some kind of multi-factor authentication (MFA) system – that should be a non-negotiable. Whether they are logging into their desktops or into a cloud-facing system, users should verify their identities using a crucial extra step in addition to requiring their passwords or biometric authentication. Windows Hello for Business, for example, can be configured with 'multi-factor unlock' – which relies on reading trusted signals and using additional authentication factors to ensure that devices cannot be unlocked unless they are guaranteed to be in a safe environment. Otherwise, there are plenty of third-party systems – Cisco Duo, Watchguard AuthPoint, OneLogin, Microsoft Entra ID, and so many more – that let you set up an MFA step when employees use their laptops. However, make sure to configure any policies to avoid the phenomenon of MFA fatigue – there is a balance to strike, so long as you are not in any way compromising security. Of course, this step also comes hand-in-hand with ensuring that employees set a strong password.
Issue regular mandatory updates
Patch management is a huge issue – and you absolutely cannot rely on employees to manage their own update regimes. Whether there's a minor Windows security update or key driver updates, there must be a regular cadence of updates that are beamed out to all the laptops in your device fleet. We've only seen to often the risks in failing to adequately patch systems on time – and this is certainly one of the easiest and most effective ways to ensure your organization's laptops are as protected as they can be.
There are plenty of tools out there that let you do this, thankfully, without much hassle. Windows has its own in the form of Microsoft Intune, but there are plenty of third-party services that you can also lean on to support your patch management efforts, including NinjaOne, Ivanti PatchLink, SolarWinds Patch Manager, and others.
Implement VPNs to protect corporate networks
Depending on your business' policy, workers may be encouraged to work from home and even remotely – away from the desk in a public setting like a coffee shop. But connecting to insecure and often unencrypted public Wi-Fi networks may create a security risk that is needless. You may opt to prohibit employees from accessing public Wi-Fi networks altogether – but it certainly reduces the 'quality of life' they may expect from flexible working.
An alternative is to implement the mandatory use of a virtual private networks (VPN). The VPN service will encrypt their network traffic and route it through a secure server. You should, of course, first evaluate whether your business needs its own VPN before diving into picking one of the best business VPNs – but if your business engages in frequent remote working, it may be a no-brainer. There are added benefits too, including speed throttling for certain websites, and adopting a VPN can also help to evolve remote working policies and give workers that added flexibility if it's something they're craving, but lacking, due to the potential security risks.
