Hello! I build IT teams and design IT Systems for startups and nonprofits. I consistently encounter the same problems, so I set out to create a series of guides to help others navigate the IT Ecosystem. You can learn more about my philosophies via my website dave-bour.com or via my weekly newsletter.
These are the steps I’ve ingrained in myself and my team before we issue a new laptop. Most of these tools are free and available to any company of any size. Let’s get started.
Rule № 1: Turn on Full Disk Encryption
Cost: Free using built-in tools
Apple calls their tool Filevault while Microsoft Windows refers to theirs as Bitlocker. Apple’s is available on all devices while Windows Home does not offer Bitlocker — you must be using Business or Pro.
How To Do It
Turning encryption on takes about 30 seconds, but the encryption itself runs in the background over the course of several hours. You can follow Apple’s instructions or Microsoft’s instructions based on the device you’re issuing.
What This Step Protects Against
Encryption prevents a malicious actor from accessing your data by removing your computer’s hard drive and plugging it into their own computer as if it were an external USB drive. This is a common practice in IT to recover data from a broken computer, which is why you must take the following precautions.
Precautionary Measures
When you turn on encryption, the hard drive essentially locks itself and can be unlocked by two keys: your computer account password and the encryption (recovery) key provided when you turn it on. Always save the encryption key in cloud storage, for example on Google Drive, and share it with the employee who is receiving the laptop in case they need it in an emergency.
Rule № 2: Run All Available Updates
Cost: Free using built-in tools
Software and System Updates are available through the System Preferences/Control Panel in either operating system.
What This Step Protects Against
Updates resolve known bugs and security vulnerabilities in the operating system and the software running within it. Malicious actors exploit vulnerabilities to gain access to the device. If your device is compromised the data on it (including passwords you store to your bank and other sites), other devices on the network, and the functions of the computer (webcam, mic) may be exposed to the malicious actor.
Precautionary Measures
After rebooting the computer, check again for updates, especially with Windows. More will often show up, because some updates only become available once the previous batch has been installed and the system has rebooted.
Rule № 3: Turn on a BIOS/Firmware Password
Cost: Free using built-in tools
This recommendation is the most technical in nature. Every computer ships with a Recovery mechanism that allows you or someone who gains access to the computer to wipe it.
How To Do It
This recommendation will take 5–10 minutes, as you will need to shut down the computer and boot into the recovery system to secure it. You can follow Apple’s instructions for a Mac. For Microsoft Windows, each manufacturer maintains their own instructions, and you may need to Google the make/model of your device plus “how to enable bios password”. Generally, How-To-Geek maintains a good instruction list.
What This Step Protects Against
Most often, the intent when stealing a computer is to resell it. To resell it, a thief must often restore it to factory defaults to make it appear new or unused or remove the trail of who it was stolen from. This step locks access to the recovery partition.
This also prevents an employee from reformatting the computer. This is a useful protection when they are leaving on bad terms or are of the ‘do what they want’ personality type.
Precautionary Measures
It will be very important to remember and save the password you set for the recovery partition.
With Windows, I do not set this until Bitlocker is showing 100% complete for full disk encryption.
Rule № 4: Create an Administrator account
Cost: Free using built-in tools
In most small businesses and startups, computers are issued to staff with an account that is already an administrator. You should maintain a separate account on the computer should you need to access it when it is returned or for support purposes. Never require an employee to share a password.
How To Do It
This step takes a minute or less. 9to5Mac maintains clear documentation for creating a new user account on a MacBook, while Microsoft maintains their own.
What This Step Protects Against
When you issue a new device to an employee, the first step is changing the password. Without another account on the computer, you will be locked out unless they share that password with you. If they leave the computer under poor circumstances or require support, you’ll be unable to access it without their involvement.
Precautionary Measures
You may wish to give a generic name to the account such as Admin or Administrator.
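As an added example that is not part of the original post, here is a POSIX shell audit of Rules 1 to 4 on a Mac, with the status parsing separated from the commands so it can be exercised on sample output. The account name `admin` and the output formats of `fdesetup`, `softwareupdate`, `firmwarepasswd` and `dscl` are assumptions based on current macOS tools; the Windows equivalents (such as `manage-bde -status`) are not covered.

```shell
#!/bin/sh
# Added example, not from the original post: audits Rules 1-4 on a Mac.
# Each *_state function parses the output of the macOS tool named in its
# comment (passed as $1) and prints one word, so it can be run on sample text.
# Rule 1: `fdesetup status` prints "FileVault is On." or "FileVault is Off.",
# plus "Encryption in progress: Percent completed = N" while still encrypting.
filevault_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On."*)       echo on ;;
    *)                          echo off ;;
  esac
}

# Rule 2: `softwareupdate -l` prints "No new software available." when current;
# otherwise each pending update is a line beginning with "*", which we count.
updates_state() {
  case "$1" in
    *"No new software available."*) echo current ;;
    *) echo "pending:$(printf '%s\n' "$1" | grep -c '^[[:space:]]*\*')" ;;
  esac
}

# Rule 3: `firmwarepasswd -check` (Intel Macs) prints "Password Enabled: Yes|No".
firmware_password_state() {
  case "$1" in
    *"Password Enabled: Yes"*) echo set ;;
    *)                         echo unset ;;
  esac
}

# Rule 4: `dscl . -read /Groups/admin GroupMembership` prints
# "GroupMembership: root admin ..."; $2 is the separate admin account we expect.
admin_account_state() {
  for member in $(printf '%s' "$1" | sed 's/^GroupMembership://'); do
    [ "$member" = "$2" ] && { echo present; return; }
  done
  echo missing
}

# Runs the real commands (use sudo). Set the firmware password (Rule 3) only
# once Rule 1 reports "on" rather than "encrypting", i.e. encryption finished.
audit_mac() {
  admin="${1:-admin}"
  echo "Rule 1 FileVault:         $(filevault_state "$(fdesetup status)")"
  echo "Rule 2 Updates:           $(updates_state "$(softwareupdate -l 2>&1)")"
  echo "Rule 3 Firmware password: $(firmware_password_state "$(firmwarepasswd -check)")"
  echo "Rule 4 Admin '$admin':    $(admin_account_state "$(dscl . -read /Groups/admin GroupMembership)" "$admin")"
}
case "$(uname)" in Darwin) audit_mac "$@" ;; esac
```

Run it as `sudo sh audit.sh admin` on the laptop before handing it over; any line other than on/current/set/present means that rule is not yet complete.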
Rule № 5: Enroll in a Device Management Program
Cost: Varies, usually $2/device/month
Device management programs allow you to remotely track, wipe, or lock the device. They provide a single pane to view an inventory of your company’s devices and to control certain settings that you may need to enforce or simply do not want your employees to change.
How To Do It
This step involves third parties and may require an account manager. You should pursue this option with some technical guidance and policies which outline the circumstances under which you would use the recovery mechanisms on a company laptop.
Sign up for an account at Meraki Systems Manager, JAMF, Microsoft Intune or a variety of others. This is also one of my top three recommendations to any business of 50 or more employees.
Once you have an account, you can purchase licensing and install the agent on the machines. The agent will handle the rest.
What This Step Protects Against
This step allows you to remotely locate, wipe, or lock the device in the event of theft or loss. You may also view a dynamic inventory of all your devices. You will also be able to control settings on the devices which may be required for regulatory purposes.
Precautionary Measures
Please consider your employees’ privacy and federal and local laws. In many cases, you will have the ability to remotely connect to the computer (with the intent of providing support with the employee’s consent) and view information about it, such as installed applications, WiFi network names, and more.
Reach out!
If these recommendations are helpful and you’d like to explore more ways to improve your security posture, please contact me for a consultation.