Assume your laptop will be stolen
Dark Reading has an article up called Assume your laptop will be stolen. There are some interesting stats and anecdotes, but the bottom line is this:
As Latalladi observes, if you’ve got dozens of laptop users, eventually someone’s going to lose one. There are plenty of technical options to calm IT staff, senior executives, and shareholders when it does occur. "Some kind of technical solution means everyone’s going to be a lot more comfortable when a laptop gets lost."
This is Yet Another Reason why hardware-based two-factor authentication is crucial. Every stored password is now likely at the fingertips of the crooks. Any cookies, certificates, or other data are free for the taking.
But, if your accounts are secured with PhoneFactor, none of this will matter to you: the bad guys still can’t get in, because the passwords alone aren’t sufficient to access the system.
Incidents like this will, I hope, make people seriously consider the kind of two-factor they’re getting in systems like SiteKey or certificate-based systems. Hardware-based two-factor is the only way to go if you want to insulate yourself from attacks like this.
-Steve
I would say the confidential data (documents, logs, etc) are more of a security concern than protecting the user’s password. I mean, it’s not like the user doesn’t realize his laptop is gone and therefore the administrator can just quickly change the user’s password to avoid a system breach.