Of laptops, caffeine, nicotine and chocolate

01.05.2006

The laptop had been compromised through a known vulnerability. The machine had been in the field for a year without being properly patched and updated. Even though this happened years before such incidents had to be disclosed to consumers, it got upper management's attention. After long ignoring the screams and pleas of the security and IT teams for a way to secure and manage remote laptops, the company suddenly coughed up the funds to buy remote management software.

That was a step in the right direction, but the laptops that we allow staffers to check out when they travel can be used wirelessly through a broadband provider. I know of only one company that manages wireless laptops in a truly secure fashion, and even it faltered at first. A friend of mine works at a large telecommunications company. When it first enabled wireless connectivity on the sales force's computers, the salespeople couldn't use it to log into the corporate network. To do that, they had to revert to the old dial-up connection to a VPN. For the security team, this was preferable because it was highly secure, using RSA Security Inc.'s SecurID technology. But for the sales force, the painfully slow dial-up connection discouraged any laptop use on the road. Instead, they tended to work out of the local sales offices, where they could authenticate to the local network. The whole purpose of giving them laptops was lost.

Eventually, the company started to provide secure broadband wireless connections for the sales force. The cost, of course, is beyond what we can afford at this small state agency. As always, we have to figure out how to enable our workforce on a shoestring budget. We have a technologically unsophisticated workforce to boot, so however we do this, it has to be simple. Our employees don't know the difference between one network and another. All they know is how to turn the laptop on, make sure the network cable or card is plugged in and log in.

The Dilemma

So, here I sit, pondering the dilemma. Between sips of latte and handfuls of M&Ms, I start to think out loud. We can start by building a secure laptop image that has all unnecessary services turned off. The image should include these features: a personal firewall that is set to automatically update over the Internet; antivirus software (that prohibits spyware, preferably) that's also set to automatically update; an up-to-date operating system and applications, set to automatically update; an alternative browser, such as Mozilla's Firefox; a disabled guest account; and a user account that has restricted permissions so that the user can't save anything to the hard drive or install any programs.

We could also supply a USB flash memory device for holding confidential data, which would have to be password-protected and encrypted, and a connection to the state network via a Cisco VPN client, with IPsec encryption.
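As an added example (not part of the original column and not the agency's tooling), the baseline sketched above can be checked mechanically against whatever the remote management software reports about each loaner laptop. The field names, the 30-day freshness limit and the sample records are assumptions constructed for illustration.

```python
from datetime import date

MAX_AGE_DAYS = 30  # assumed freshness limit for patches and signatures

# Settings the image requires; field names are hypothetical.
REQUIRED = {
    "firewall_enabled": True, "firewall_auto_update": True,
    "av_auto_update": True, "os_auto_update": True,
    "guest_enabled": False, "user_can_install": False,
    "user_can_write_disk": False, "usb_encrypted": True, "vpn_ipsec": True,
}
DATED = ("av_signatures", "last_patched")

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    {"host": "loaner-01", "firewall_enabled": True, "firewall_auto_update": True,
     "av_auto_update": True, "os_auto_update": True, "guest_enabled": False,
     "user_can_install": False, "user_can_write_disk": False,
     "usb_encrypted": True, "vpn_ipsec": True,
     "av_signatures": "2006-04-28", "last_patched": "2006-04-25"},
    # A year in the field without patches, guest account on, no USB data reported.
    {"host": "loaner-02", "firewall_enabled": True, "firewall_auto_update": False,
     "av_auto_update": True, "os_auto_update": False, "guest_enabled": True,
     "user_can_install": False, "user_can_write_disk": False, "vpn_ipsec": True,
     "av_signatures": "2006-04-28", "last_patched": "2005-04-30"},
]

def audit(record, today):
    """Return a list of baseline deviations for one laptop record."""
    findings = []
    for key, want in REQUIRED.items():
        have = record.get(key)  # an unreported setting is treated as a failure
        if have is not want:
            findings.append(f"{key}: expected {want}, got {have}")
    for key in DATED:
        try:
            age = (today - date.fromisoformat(record.get(key))).days
        except (TypeError, ValueError):
            findings.append(f"{key}: missing or unparseable")
            continue
        if age > MAX_AGE_DAYS:
            findings.append(f"{key}: {age} days old (limit {MAX_AGE_DAYS})")
    return findings

def audit_fleet(inventory, today):
    """Map each host name to its list of findings (empty list means compliant)."""
    return {rec["host"]: audit(rec, today) for rec in inventory}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_INVENTORY, date(2006, 5, 1)).items():
        print(host, "compliant" if not findings else findings)
```

Treating a missing field as a failure matters here: a laptop that stops reporting a setting is flagged instead of silently passing.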