Great question and one that I can appreciate! There are many opinions on the risk prioritization and analysis debate, but I tend to side with the technology that will address the higher probability risk in the easiest manner. My choice would be full-disk encryption for all laptops across the organization.
My reasons for this are rather broad, but, in my experience with full-disk encryption, it is a fairly robust and mature technology. Also, it is moderately transparent to the user, which means that there are few buttons or options the user needs to remember when running the machine. For comparison, my experience with data loss prevention (DLP) technologies is that they are more useful for protecting sensitive data in enterprise-wide email and other outgoing electronic messaging, but that would not necessarily address the laptop security problem.
In April 2009, Ponemon Institute issued a report called "Business Risk of a Lost Laptop." The report included the results from a Web survey of 3,100 information technology practitioners around the world, including the U.S., U.K., Germany and Brazil.
The report asked those surveyed at what locations employees commonly lose their laptops. The list, in general order from highest to lowest, was:
- Rental car
- Conference or event
- Home location
- Train or subway
- Customer office
This list strikes me as interesting, because you probably have executives with their laptops at one or all of these locations during the week (and weekend). Hence, the risk of losing a laptop seems pretty high, which means full-disk encryption may be the easier and quicker solution to a real, impending risk.
This was first published in February 2010