Learn the VA lesson NOW

Here is a story about another stolen VA laptop. But thankfully, this one has a happier ending.  A VA employee brought his laptop to his apartment (he was authorized to do so via policy - I understand why it was noted in the story, but I am not sure why he wouldn't be if he has a laptop), and it was stolen from there (I assume during a break in).  But the VA is doing security the right way now, and the laptop was protected.  They used encryption, authentication timeouts, two-factor auth, physical locks, inventory, etc.  The only thing I see that could have been done (at least it wasn't mentioned in the story) was a product to track the laptop's location.

Now, you may have already seen this story, and that is fine.  And you probably have drawn the same conclusions about the VA, who seems to now be doing things right now.  But let's take this a step further.  I know everyone has to make their risk equations to figure out whether or not to implement a security technology.  I know factors are different in every organization.  But at a certain point, things just make sense no matter who you are. 

If you are a company that has sensitive data on laptops, and if you let those laptops out of your doors, then this needs to be a case study you read backward and forward.  I see companies adopting this type of policy and product all the time.  But for everyone I see doing it, I see three not doing it.  Again, I know it comes down to a business decision and risk analysis.  But think about this.  I was the youngest of three brothers, and I got through the first years of my life by NOT doing all the things my brothers did that got them in trouble.  That worked very well for me.  Take that story and think about how the VA let the first incident happen because they had become very lax on security.  OK?  Now use their mistake to keep your company out of trouble.