Keeping track of the hardware is the first priority but not the only one. Protection of the data on a hard drive starts with a BIOS password and good password habits. That's easier said than done, of course. Everyone knows that the longer and more unique a password is, and the more often it's changed, the more cumbersome it becomes. "It will slow users down," EDS's Milholland says. "The more secure you get, the more there is to pay at both ends: dollars and time." Besides, anything that requires a password means more calls to the service line. Already, Milholland notes that the biggest percentage of calls to help desks involve password resets for all kinds of devices.
Assuming that users won't bother with passwords unless they have to, some IS departments set up systems so that passwords must be changed at specific intervals or network passwords cannot be saved on the machine -- never mind the service calls. Some places combine these procedures with physical spot checks for password cheat sheets taped to computers.
The only way to truly keep data safe is with a sturdy encryption program, although many companies don't see the need for such a strict system. According to Ken Dulaney, the San Jose, Calif.-based vice president of mobile computing at Gartner, "You'd better be dealing in nuclear secrets" before implementing companywide encryption. He says that even on-the-fly encryption programs -- which automatically decrypt and encrypt documents as users open and close them -- slow users down and are often seen as too intrusive.
The Prudential Insurance Co. of America, based in Newark, N.J., however, decided to install encryption software on each of the 13,000 laptops that have been issued to its agents and field support staff during the past three years. Meanwhile, when users dial in to check e-mail, access customer information or download forms, laptop management software can see what they're doing and even take control of the machine to do upgrades, for instance, or check for unauthorized software. Mike Scoda, systems architect of field infrastructure, has a sunny take on getting users at the insurance giant to comply with security policies. He says his team had no trouble convincing people to follow security precautions because employees want to protect customer information. Besides, he says, "you can't get into the laptop unless you have the proper password. That really self-enforced the whole environment." The downside? If an agent forgets the password, the laptop is useless until he contacts the help desk to get one-time codes generated based on the machine's serial number. Scoda is mum on how much time the help desk spends doling them out.