Ambitious Companies

How secure are your company's laptops?

Published 21 January 2008, 05:04 AM

Could your laptop be one of the 10,000 or so found by London’s taxi drivers each year? Perhaps it might be one of the 130,000 pieces of lost property recovered by Transport for London on buses, taxis, trains, trams and stations. Even if you’re not the absent-minded type, you can guarantee it will happen to one of your staff.

There are 5.5 million business laptops in the UK. The number has been growing between 12 and 17 percent a year since 2000, according to IDC[iii]. Britain’s business is increasingly laptop-powered and mobile. Laptops are convenient for employees and they increase productivity, so they are good for companies. However, they are “a major headache for IT managers,” says IDC analyst Michael Larner. Companies need to manage their laptop fleets – and their users – to make sure there isn’t a trade-off between mobility and security.

Serious consequences

A stolen laptop can be a major catastrophe. In February 2007, thieves stole a computer belonging to Worcestershire County Council. It contained the national insurance and bank details of 18,000 people[iv].

In the same month, the Financial Services Authority fined the Nationwide Building Society £980,000 for not protecting its customers’ data properly. In November last year, burglars pinched a laptop belonging to the company from the home of an employee. According to the BBC, the company did not know whether the laptop contained any confidential information. There are many similar stories.

No wonder that companies are getting more concerned about security. Three-quarters of UK businesses rate security as a high or very high priority to their senior management or board of directors, according to a 2006 DTI survey.

The risk extends beyond the loss of the information stored on a compromised computer. PointSec, a security firm, says that the majority of information theft happens because of lost or stolen computers. In the hands of even a relatively unsophisticated hacker, a stolen laptop can be a backdoor into a company network. Half of all network intrusion – people hacking into company systems – is based on information recovered from lost or stolen laptops. Most mobile workers have remote email or network access to their employer’s systems. If they store their password on the computer, it is like giving someone the key to the office and the code to deactivate the alarm.

Each loss has the potential to damage a company’s reputation and share price. For the individuals concerned it could be, well, career-limiting. Companies everywhere face a choice between making sure that the inevitable laptop losses are nothing more than a nuisance and an insurance cost, and taking the risk that a single failure could cause millions of pounds of damage.

Prevention is better than cure

Although it seems that the answer to the problem is to encourage employees to take more care of their property – and a certain amount of education definitely helps – companies need to take a more holistic view.

It starts with basic things such as avoiding accidental damage. Nearly as many laptops are damaged as are stolen. Everyone needs padded laptop bags. Some laptops have impact-resistant hard disks and tough cases.

Next, encrypt any information stored on a laptop. This can be done easily by encrypting the whole hard disk with software like BitLocker drive encryption (included in some versions of Microsoft Windows Vista) or HP’s DriveLock software. Computers with a Trusted Platform Module (TPM) chip, a technology developed by Intel and others, are more secure.

If people use their notebooks to access company networks, don’t rely on passwords alone. Hackers can break most passwords in a few hours using special software. Add a second way for people to prove that they are who they say they are. Typically, companies use fingerprints or smart cards to do this. Notebooks with smart card readers or fingerprint scanners make the extra security easier to implement. Increasingly, companies don’t let remote computers connect to the network unless they have a clean bill of health – no viruses – and they are up to date with the latest security software.

The IT department can implement processes that make laptops more secure. Access control will help the organisation manage who has access to different kinds of information. They should also be able to log what information is stored on each laptop. Lastly, they can help by backing up notebooks automatically.

Finally, there’s a question of culture. What happens when an employee loses a laptop? It is much better to have a 24/7 helpline that will let them report the loss. This allows the company to take preventative action if necessary, such as locking out network intruders using the stolen computer. A blame culture where people are afraid to report losses is actually much worse for security.

As more companies and more notebooks use 3G wireless broadband, it will be possible to design mobile applications that don’t rely on storing data on individual notebooks. It will be more like being in the office where you have access to all the company’s information over the network. It may even be possible to create a virtual PC inside the notebook, which is in fact running safely inside the corporate firewall.

Until then, notebook security isn’t just a geek thing. It’s a business issue. Security disasters reverberate outside the IT department. Consequently, business leaders as well as IT managers have a responsibility to make sure that the company is doing everything it should to protect itself – and its customers’ information.

 


