Laptops may be great for making even the smallest workforce more productive,
but they can be a security nightmare. It’s an advantage that data can be worked
on outside the office, but that means the same data can also be lost or stolen.
And, since those laptops communicate with the office over the internet and
wireless networks, hackers have more opportunities to subvert the hardware, and
steal the data.
Luckily, these dangers are both blindingly obvious and well understood. Naive
users might overlook them but the IT industry hasn't, so there are plenty of
technologies to lock down laptops. But do they work in smaller businesses?
The core principles of effective security are common sense. Firstly, whatever
technologies you use to secure your data, you need users to understand the need
for them, to be familiar with how they operate, and to co-operate in their use.
While you need to block people from outside the organisation, you also have to
make sure that those inside aren't tempted to turn off or work around security
provisions to make their jobs easier.
"The end user needs to realise they're responsible," says Mike Walker, mobile
business development manager for the UK at PC maker Lenovo. "It is up to the
individual to make sure they are following company guidelines."
Small businesses won't have the resources to do much work on laptops they
buy, which can be an issue, says Rob Bamforth of analyst company Quocirca:
"From an SMB perspective, the more that security is built in the better, as
most will have few resources to run managed security systems across clients."
Walker adds, "A lot of vendors haven't grasped this. They charge money for
security add-ons and recovery features. When a small company buys laptops,
security should be part of the package."
Lenovo's security approach relies on hardware because, as Walker says,
"software is the first thing to get hacked". The most obvious and visible sign
is the embedded fingerprint reader that is now standard on Lenovo machines,
designed to restrict access to the device to trusted users. Similar technology
is offered by other laptop makers.
But the fingerprint reader isn't likely to be the most important security
feature. "Fingerprint readers are good in principle, but they need configuring
properly," warns David Hollway, technical marketing engineer at Intel. Given the
current stage in the development of biometric technology, he prefers to limit
access to the machine with a hardware token. RSA's SecurID is an example of
this approach: users are given a keyfob-sized device that displays one-time
numeric codes that change at regular intervals, and a login is accepted only
if the code typed in matches the one the authentication server expects for
that moment.
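The principle behind such tokens, as an added example rather than anything from the article or from RSA: SecurID's algorithm is proprietary, so this Python sketch uses the open HOTP and TOTP standards (RFC 4226 and RFC 6238), which derive a short code from an HMAC over a shared secret and a time-step counter. The secret is the RFC test-vector key, a constructed value, and the `TokenVerifier` class with its clock-drift window and replay check is an assumption about how a server would check the code, not a description of RSA's server.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the shared key from the RFC 4226/6238 test
# vectors, not a real token seed.  A real seed is provisioned by the
# vendor into the fob and the authentication server and never typed in.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The fob and the server share `secret`; the code is a truncation of
    HMAC-SHA1(secret, counter), so seeing past codes does not reveal it.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the epoch, so the display changes every `step` seconds."""
    return hotp(secret, int(at_time // step), digits)


class TokenVerifier:
    """Assumed server-side check (hypothetical, not RSA's implementation).

    Tolerates +/- `window` steps of clock drift between fob and server, and
    refuses any counter at or below the last accepted one, so a code read
    over the user's shoulder cannot be replayed while it is still 'valid'.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def verify(self, code: str, at_time: float) -> bool:
        now = int(at_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                                     # already used or too old
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):          # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    now = time.time()
    print("code on the fob right now:", totp(DEMO_SECRET, now))
    print("code 30 s from now:       ", totp(DEMO_SECRET, now + 30))
    server = TokenVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, now)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:   ", server.verify(code, now))
```

The two things a practitioner should take from this are that the server needs a copy of the seed (so the seed store is the asset to protect) and that "the code changes every 30 seconds" is not enough on its own: without the drift window the scheme breaks as soon as fob and server clocks diverge, and without the replay check a code is reusable for the whole window.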
More important, in Hollway's view, is the Trusted Platform Module (TPM) chip
that Lenovo and all the other major vendors include in their systems: a
dedicated cryptographic chip holding a key unique to each machine, which
stores keys and assists in encryption tasks. TPM is a useful business
technology that has had a bad time from consumer-oriented commentators, says
Hollway: "There was a perception that TPM was people spying on you. On our side
we didn't do enough to clarify that and explain. TPM is neutral technology - it
strengthens the cryptographic features built into Windows." Other features
include a password manager that can hold multiple passwords for users.
Business edition
In practice, hardware buyers won't get the benefit of features like TPM-backed
disk encryption unless they shell out for an edition of Microsoft's Windows
Vista that includes BitLocker, its full-disk encryption feature: that means
Enterprise or Ultimate, since the Business edition, despite its name, omits
it. Users buying PCs for very small businesses may be unaware of this, and go
for the Home versions, warns Hollway.
All this may sound complicated to manage when your company is too small to
have its own IT manager, but outsourcing can be the answer, suggests Hollway, as
a managed service provider (MSP) can use management technologies that are beyond
the reach of a small company working on its own.
Intel's AMT remote management technology can be used in two security modes, he
says: "SMB mode just gives username and password security. Enterprise mode goes
beyond that but requires more advanced technology, such as Active Directory
and Kerberos." A managed service provider can arrange it so a small business
can use the enterprise mode of AMT, he says.
"If there is someone nominated as IT person, they can log in to the MSP,
using a web browser, to view a digital dashboard, showing the health of their
machines," Hollway explains. The MSP also tracks the machines, and can lock them
down or wipe their disks if they go missing, as well as taking over the worry of
making sure each machine's anti-virus software is up-to-date. When the machine
is on the road, a management agent is visible in the system tray.
In the future, laptops will get even more manageable and more secure.
Virtualisation, usually seen as a way to run multiple instances of an operating
system on a server, can actually help secure laptops, says Hollway. "Security
vendors like Symantec are working on products that boot up a hypervisor [a
software layer that manages multiple operating systems] and run a 'service
operating system' or SOS," he says. "The user sees the Windows desktop, and no
obvious sign of antivirus, but all traffic in and out - including from USB
sticks - is filtered through the SOS."
One benefit of this is that there is no software firewall running within the
operating system: "There is no firewall.exe task that can be interfered with, so
users can't disable the firewall." Intel has included hooks for virtualisation
in its chips, and written a reference hypervisor for other vendors to work with.
Another hardware-based approach is the OmniAccess 3500 Nonstop Laptop
Guardian, from Alcatel-Lucent. It is a PC Card that includes a 3G modem and its
own battery, charged from the laptop. It keeps in touch with the central
server, and can be used to track the installed software and data, and lock the
computer down if it goes missing.
Personal-area wireless technologies will become more important, says Walker,
using technology similar to the keyless entry systems that some car
manufacturers have brought to market. "Vicinity readers won't allow you to log
on to the machine unless you have the card near it," he says. The same smartcard
chip that lets a worker into the building could also grant access to the laptop
- but he warns that when technology is less integral to the laptop, it can cost
money and may bring business disruption: "When a person forgets their card, it
can take a while to get them up and running."
Laptops may have become cheaper to buy, but their value to small businesses
has increased. The hardware and software are worth a fraction of the value of
the data on the machines. This is driving future developments in laptop
security, and there's also plenty of help out there for today's laptops.
"It's a hot area," says Hollway, "because companies are moving towards
laptops."
See also:
Competitive edge computing for SMBs part 1: Mobility
Competitive edge computing for SMBs part 3: Performance