Securing Your Work Laptop: What Actually Matters

Your laptop is a target. It stores credentials, connects to sensitive systems, and holds data worth stealing. Here's how I secure mine.

Enable Disk Encryption

If your laptop gets stolen, encryption is the difference between "lost hardware" and "data breach."

Windows: BitLocker. Settings → Update and Security → Device Encryption. Store the recovery key somewhere safe - not on the laptop.

macOS: FileVault. System Preferences → Security and Privacy → FileVault. Save the recovery key to iCloud or print it.

Encryption protects data at rest. When the laptop is running and unlocked, data is accessible - encryption doesn't help with that.

Most successful attacks exploit known vulnerabilities with available patches. Delayed updates create unnecessary exposure.

Enable automatic updates. On both OS and applications. Yes, they're annoying. They're less annoying than getting compromised.

Don't ignore browser updates. Browsers are constantly processing untrusted content. They need current patches.

Check third-party software. Some apps don't auto-update. Periodically review what's installed and update manually.

Unique passwords for every account. You're not going to remember 200 unique complex passwords. A password manager does this for you.

I use 1Password, but Bitwarden, LastPass, and others work too. The important thing is actually using it.

The password manager won't autofill on fake sites. This is a side benefit - if it doesn't recognize the domain, something might be wrong.

Two-factor authentication on all accounts that support it. Especially:

Hardware keys for the most critical stuff. Authenticator apps for everything else.

Set automatic screen lock to engage after a few minutes of inactivity. This is basic, but I still see unlocked laptops in coffee shops.

Windows: Settings → Accounts → Sign-in options. Require sign-in after the PC wakes.

macOS: System Preferences → Security and Privacy → Require password immediately after sleep.

Public networks are untrusted. Attackers can position themselves between you and the internet.

Use a VPN when on coffee shop or airport WiFi. Your traffic is encrypted before it hits the local network.

Use your phone hotspot when possible. Cellular is harder to attack than open WiFi.

Don't access sensitive accounts without VPN on public networks.

Ransomware, hardware failure, theft - backups handle all of these.

3-2-1 rule: Three copies, two different media types, one offsite.

Test your backups. Periodically restore something to verify backups actually work.

Disconnect external drives when not actively backing up. Connected drives get encrypted by ransomware.