Laptop stolen: the first 30 minutes
Someone calls: laptop stolen from the car. The clock is ticking. Here are the 10 steps you MUST take in the first 30 minutes, in order.
Every minute a lost or stolen laptop could be online is a risk. These 10 steps must happen within the first 30 minutes.
Minutes 0–10: containment
- Report it to IT / security lead. Record the date and time.
- Trigger a remote wipe via Intune / Jamf / Kandji. Now — not later.
- Lock the user's account in M365 / Entra. Force sign-out of all sessions.
- Revoke MFA tokens — the device is no longer trusted.
- Change passwords for the primary accounts used by this user.
Minutes 10–20: scope
- What was on it? Check OneDrive sync, local files, vault cache.
- Any customer data on board? If yes: this may be a data breach — see data breach notification.
- Encryption mitigation: was disk encryption enabled? Usually yes (BitLocker / FileVault) — in that case the data on the physical device is inaccessible.
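The Intune / Entra parts of the steps above (remote wipe, account lock, forced sign-out, encryption check) can be scripted ahead of time. This is an added example, not part of the original article; it assumes the Microsoft.Graph PowerShell SDK is installed and the operator holds the listed scopes, and the parameter names are illustrative. MFA revocation and password changes are not covered by it.

```powershell
# Added example: containment for a stolen Intune-managed laptop (assumes Microsoft.Graph SDK).
param(
    [Parameter(Mandatory)] [string] $Upn,     # affected user, e.g. user@example.com (placeholder)
    [Parameter(Mandatory)] [string] $Serial,  # serial number of the stolen device (placeholder)
    [switch] $Wipe                            # without -Wipe nothing is erased, only reported
)
$ErrorActionPreference = 'Stop'
$reportedUtc = (Get-Date).ToUniversalTime().ToString('o')   # record the date and time

Connect-MgGraph -Scopes @(
    'User.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All')

# Locate the device; refuse to continue if the serial is ambiguous or unknown.
$safeSerial = $Serial.Replace("'", "''")      # escape quotes for the OData filter
$devices = @(Get-MgDeviceManagementManagedDevice -Filter "serialNumber eq '$safeSerial'")
if ($devices.Count -ne 1) {
    throw "Expected exactly one managed device for serial '$Serial', found $($devices.Count)."
}
$device = $devices[0]

# Encryption state as last reported to Intune; this decides the data-breach assessment.
if (-not $device.IsEncrypted) {
    Write-Warning 'Intune reports the disk as NOT encrypted: treat local data as exposed.'
}

# Remote wipe first, as in the checklist. It executes at the device's next check-in.
if ($Wipe) {
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($device.Id)/wipe"
    Invoke-MgGraphRequest -Method POST -Uri $uri `
        -Body @{ keepEnrollmentData = $false; keepUserData = $false }
}

# Lock the account, then invalidate refresh tokens so existing sessions are signed out.
$user = Get-MgUser -UserId $Upn
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# One record to paste into the incident log.
[pscustomobject]@{
    ReportedUtc     = $reportedUtc
    User            = $Upn
    Device          = $device.DeviceName
    LastSyncUtc     = $device.LastSyncDateTime
    Encrypted       = $device.IsEncrypted
    WipeRequested   = [bool]$Wipe
    AccountDisabled = $true
    SessionsRevoked = $true
}
```

`LastSyncUtc` shows when the device last checked in with Intune, which helps judge whether a pending wipe is likely to be delivered.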
Minutes 20–30: police report and communication
- File a police report for insurance purposes and in case the device is recovered.
- Log entry in the incident log. Update later as more information comes to light.
Prevention (set up in advance)
- Mandatory disk encryption on every device (Intune compliance policy).
- MDM enrolment for remote wipe capability.
- No passwords stored as plain text on the laptop.
- Use a password manager — not the browser's built-in password vault.
- Minimal data on device — work cloud-first with OneDrive.
See also: security pillar, Intune basics.
Full guide: Security for SMEs without an IT department: what do you do this quarter?
This article is part of our extensive Security without an IT department guide. Read the pillar for the complete picture.