Security Basics - Do You Know Where All Your Computers Are?

Such a simple question, do you know where all your computers or devices are? Before you say ‘yes’ of course, let me point you to a recent Guardian newspaper article (https://www.theguardian.com/technology/2025/jun/22/uk-government-laptops-phones-tablets-lost-stolen-cybersecurity) based on a freedom of information disclosure stating that there were 2,000+ devices recorded missing across 18 Whitehall departments and public authorities in the last year. Over time, every organisation will probably experience devices getting stolen or lost. I’ve known colleagues to forget their laptop rucksack in lifts, pubs, bars or taxis, and with hybrid working everyone carrying a laptop, after work socialising in bars and leavers events gives thieves endless opportunities. Also, thieves have casually walked into our offices (some posing as cleaners) clearing desks of mobiles and wallets, while others have smashed windows to enter, looking for laptops and tablets left in view overnight. I’ve even had a colleague return from a construction site with the news that he dropped his new mobile phone 20ft into a wall cavity and it would be 25 years before we would probably be able to get it back. 

Then there is the common issue of hybrid and remote workers leaving the organisation and not returning devices. Sometimes this is due to them already leaving the country, moving home, changing mobile numbers or often, just refusing to engage with any communications from their former employers. Couriers arriving to collect are just told that there is nothing for them to collect, or some other excuse. Even when couriers do collect, they may not be given all the devices held, as some users may have accumulated multiple devices over the years.

Less sinister is the IT storage cupboards containing returned devices, from refreshes and leavers that are forgotten about and now gathering dust. Some of these may be old devices that would be hard pressed to be used today, as well as newer broken or damaged devices that are due for repair or recycling. Either way the records of their status and location are often no longer available (if they were ever logged in the first place). Office moves can also generate multiple opportunities for devices to go missing or astray. Sometimes boxes are moved into storage warehouses and never reopened for years. In other scenarios, devices may be collected by recycling firms without the correct internal processes being followed, so the relevant IT department is never informed. Also, a lot of older or spare devices tend to go missing in the chaos of an office move or shutdown.

Robust asset tagging was and still is part of the solution for many organisations, along with real-time location tracking software. Tracking software is normally reserved for laptops, though both Microsoft Windows and Apple MacOS have built-in options tied to the user IDs. Whether these services are correctly configured though is another question. Unfortunately, there are many tools and workarounds available to bypass the tracking. Now if you don’t know where all your devices are, the more important question is, do you at least know which ones are connected to your data and services. Closely followed by, do you know which ones have your data stored on them. Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions can remotely wipe or block internet access, if configured to do so. though many devices can be reset to factory settings and if the drive is not encrypted, accessed via data recovery software. All of these ‘missing’ devices are potentially security breach entry points if they end up in the wrong hands. A data protection strategy is needed that ensures that devices are encrypted and accounts for devices that go missing are deactivated.

IT asset management (ITAM) is a key component in a data protection strategy, so long as it is updated and includes the relevant questions. Knowing what you have and where it is, is part of basic security hygiene, yet many organizations struggle with this. Partly because it’s quite dull and not in the least bit exciting, or they find it hard to find the time for the constant admin. Reallocating returned devices to other users, repairs, recycling and decommissioning need a process to update the ITAM spreadsheet or database. It doesn’t have to be complicated, just something that can be easily followed and the necessary information logged. If you don’t know where to start, my Vendor & IT Asset Management spreadsheet template helps you to keep track of your key software vendors and IT assets using an easy to use, colour coded Excel based template, aligned to the Cyber Essentials (Willow) certification. The certification has specific questions that need to be tracked, many with multiple options, together with additional useful information to help address general IT security management. Even if you don’t intend to pursue the Cyber Essentials certification, having the answers to hand can greatly assist in difficult situations. For more information see: https://www.booleanlogical.com/internet-security/it-asset-management/ 

#CyberSecurity #infosec #ITAM #security #CyberEssentials