I have a client who manages a small firm with 4 remote employees and uses Google Workspace for sharing files. Recently, he was mugged and had his iPhone stolen, which led to unauthorized bank transactions, despite having Face ID enabled. Now, he's extremely anxious and wants to ensure his laptops are fully secured. He has been hesitant about using a password lock for Windows because he finds it inconvenient. I'm considering implementing BitLocker, but I'm worried about potential issues that may arise with updates. I've also thought about using Cryptomator, especially since his employees access files via Google Drive's file stream, but I'm unsure how compatible it is. Additionally, I'm concerned about the security of his browser credentials and other files outside of the encrypted work files, which are backed up securely. What are the best options to protect everything effectively?
5 Answers
We actually implement BitLocker through Intune, but it's been a bit of a nightmare. We face issues where BitLocker suspends unexpectedly and requires manual re-enablement, which is frustrating when trying to maintain compliance. Just something to keep in mind if you go that route.
If he's using Windows with no M365, I'd still recommend BitLocker. Just make sure he knows how to save the recovery keys, as they might come in handy in case of hardware changes. A crucial tip is to remind everyone to shut down their laptops when not in use to prevent any risks since the keys can be in memory if logged in.
I've never encountered an update crashing BitLocker. As long as you keep backup copies of important data, it should just be a minor nuisance if something does happen. Consider using Windows Hello for password alternatives and adding physical Yubikeys for extra security. A tool like Prey can help track stolen devices, too. Just ensure they maintain good password hygiene; their physical laptop security won't mean much if they're using weak passwords.
Great points! I have a password manager in place, so that should help with the hygiene aspect. The BitLocker concerns still linger, but I agree that following best practices is essential.
I'd definitely go with BitLocker and store recovery keys in a secure vault. For heightened security, you can set a BIOS boot password so it's required each time the laptop starts. Encouraging user account passwords and setting up 2FA everywhere is a must as well. Yubikeys are preferable, but if that's too much, a phone app can work; just avoid SMS verification, as it’s not secure.
Honestly, BitLocker is a rapid solution. Just do it and handle the key storage properly. It's important to keep things straightforward and not overthink the security measures.
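As an added example that is not from any of the posters above, the following PowerShell script ties together what the BitLocker answers recommend: check the TPM, enable BitLocker on the OS drive, add a recovery password, stage that password for escrow, and flag any volume whose protection has been suspended (the Intune complaint above) so it can be resumed. It uses only cmdlets from the built-in BitLocker and TPM modules; the mount point, the backup directory `$RecoveryBackupDir`, and the decision to stage the key in a file before moving it into a vault are assumptions for illustration. Run it in an elevated session on Windows 10/11 Pro or better.

```powershell
# Added example (not from the thread). Enables BitLocker with a TPM protector,
# adds a recovery password, stages it for backup, and reports suspended volumes.
# Assumptions: TPM present, Windows Pro/Enterprise, $RecoveryBackupDir is a
# location you control and clear out once the key is in the password manager.

$MountPoint = 'C:'
$RecoveryBackupDir = 'D:\BitLockerKeys'   # assumed staging location, not a long-term store

# 1. Refuse to proceed without a ready TPM; a TPM-less setup needs a startup key or password instead.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; initialise it in UEFI / TPM management first."
}

# 2. Enable BitLocker with a TPM protector if the volume is still unencrypted.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly
}

# 3. Ensure a recovery password protector exists (this is what saves the data after a hardware change).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Stage the recovery password so it can be moved into the vault; delete the file afterwards.
New-Item -ItemType Directory -Path $RecoveryBackupDir -Force | Out-Null
$file = Join-Path $RecoveryBackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $recovery.KeyProtectorId.Trim('{}'))
@(
    "Computer: $env:COMPUTERNAME"
    "KeyProtectorId: $($recovery.KeyProtectorId)"
    "RecoveryPassword: $($recovery.RecoveryPassword)"
) | Set-Content -Path $file

# On an Entra ID (Azure AD) joined device, escrow the key to the tenant instead of a file:
# BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 5. Report every encrypted volume whose protection is suspended, so it does not stay that way.
Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -eq 'Off' -and $_.VolumeStatus -ne 'FullyDecrypted' } |
    ForEach-Object {
        Write-Warning "BitLocker protection is suspended on $($_.MountPoint); run: Resume-BitLocker -MountPoint $($_.MountPoint)"
    }
```

Step 5 can be scheduled to run at logon to catch the suspended state the Intune answer describes; step 4 exists only because a recovery password that lives on the same laptop is worthless once the laptop is stolen, so the file should be moved into the password manager or escrowed to the tenant and then removed.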

Got it! Definitely pushing them to shut down their laptops is a good call. I've already provided them with an overview of security best practices.