The SMB Process for Securely Procuring New Laptops and PCs for Your Team

A new laptop arrives for a new hire. It is unboxed, powered on and handed over for the employee to set up themselves. While this ad-hoc approach to device provisioning is common among many small businesses, it carries significant hidden risks. One of the most important things to consider is that an unconfigured computer is exposed to security threats because it lacks the essential security software, policies and controls needed to protect your network.
Having a formal and secure laptop or desktop procurement process isn’t about creating red tape. It is about making sure every new device is a trusted, secure and productive asset from the moment it is powered on.
Getting new devices into the hands of your team safely doesn’t need to be complicated. These five steps make it straightforward for small and medium-sized businesses to procure and configure laptops and PCs securely.
Step 1: Establish the Minimum Hardware Requirements
Securing your IT assets starts before any new device is purchased. The first step is setting a standardized hardware baseline for your business. While not every laptop or desktop needs to be identical, each should meet minimum standards for processing power, memory, storage and security features.
Prioritize devices with modern hardware-based security features, such as a Trusted Platform Module (TPM) chip, which are essential for functions such as secure boot and disk encryption. Standardizing your devices also makes management and support easier by providing a consistent and secure foundation across your organization.
Step 2: Unboxing and Staging
Once the computer arrives, it should never go directly to the end user. It needs to undergo a staging process that is managed either by your in-house IT team or by a managed IT services provider. This step transforms a generic factory device into a secure company device and involves processes such as auditing hardware for defects, installing the approved operating system image and completing disk encryption to protect the data if the device is ever lost or stolen. This staging phase is what sets the foundation for a safe device deployment.
Step 3: Hardening the Operating System and Applications
By default, a fresh Windows or macOS installation isn’t fully secure. These operating systems often come with unnecessary features enabled and default settings that could be exploited. Once the staging process is complete, the desktop or laptop should be hardened.
System hardening means securing a device and reducing the ways it can be attacked. This involves steps like disabling unused USB ports, setting BIOS passwords, enabling firmware security features such as Secure Boot, configuring firewalls and applying policies that enforce strong passwords and automatic screen locking. It is also the stage where you install and set up your IT management software for remote monitoring, tracking and support.
Finalize this step by installing your organization’s approved productivity and security suites, such as antivirus, VPN clients and office applications, and ensure that they are properly configured and updated. This helps eliminate common vulnerabilities that hackers often target in new and unconfigured systems.
Step 4: Final Configuration and User Handoff
This step involves customizing the computer to the specific user by installing the specialized software needed for their role and configuring their access rights based on the principle of least privilege (i.e., users are assigned the minimum access permissions needed for them to do their job and nothing more).
Before handing over the device to the end user, record the serial number, asset tag and the assigned user in your IT asset management system. This gives IT teams a record of every asset and helps with tracking, insurance, recovery in case of loss or theft, and financial reporting.
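A pre-handoff check that ties Steps 1 to 4 together, as an added example that is not part of the original article: it verifies a subset of the staging and hardening controls on a Windows device and emits the asset record as JSON. It assumes an elevated PowerShell session and BitLocker as the disk encryption product; `$AssetTag`, `$AssignedUser` and the output format are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-handoff baseline check for a staged Windows device.
# $AssetTag and $AssignedUser are hypothetical parameters; the JSON layout is an assumption.
param(
    [Parameter(Mandatory)] [string] $AssetTag,
    [Parameter(Mandatory)] [string] $AssignedUser
)

$checks = [ordered]@{}

# Step 1 baseline: a TPM is present and ready for use.
$tpm = Get-Tpm
$checks['TpmReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Step 3: Secure Boot is on. The cmdlet throws on legacy BIOS systems,
# which is treated as a failed check rather than a script error.
try   { $checks['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $checks['SecureBoot'] = $false }

# Step 2: the system drive is fully encrypted and protection is turned on
# (assumes BitLocker; a drive that is still encrypting fails the check).
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$checks['DiskEncrypted'] = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                            $vol.ProtectionStatus -eq 'On')

# Step 3: every firewall profile (Domain, Private, Public) is enabled.
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$checks['FirewallOn'] = ($disabled.Count -eq 0)

# Step 4: build the asset record from the firmware-reported serial number.
$bios = Get-CimInstance -ClassName Win32_BIOS
$record = [pscustomobject]@{
    AssetTag     = $AssetTag
    AssignedUser = $AssignedUser
    SerialNumber = $bios.SerialNumber
    ComputerName = $env:COMPUTERNAME
    CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    Checks       = $checks
    Compliant    = (@($checks.Values) -notcontains $false)
}

# Emit the record for import into the asset system; a non-zero exit code
# lets a staging script block the handoff until every check passes.
$record | ConvertTo-Json -Depth 3
if (-not $record.Compliant) { exit 1 }
```

Password and screen-lock policies are not covered here; those are normally enforced and reported by the management system enrolled during hardening.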
Finally, give the user basic security training for their new device, help them sign in, set up biometric access like fingerprint or face unlock and choose a strong password. Before they take the computer, have them confirm that they received it in good condition. This handoff is your last chance to set clear expectations for the proper care and use of company devices.
Step 5: Implement Proactive Monitoring and Maintenance
Your job isn’t finished once the employee has their new device. The last step in secure device setup is ongoing management. If the hardening process was done correctly, the device should now be connected to your centralized monitoring and management system to keep it secure and up to date.
A centralized monitoring and management system allows your IT team to perform critical tasks remotely in modern workplaces with work-from-home arrangements. Some key ongoing management tasks include:
- Automatic Update and Patch Management: IT administrators can quickly apply application security and operating system updates and patches consistently across all company devices without user intervention.
- Security Policy Enforcement: IT administrators can push out new security settings and upgrade or revoke employee access rights as their roles change.
- Remote IT Support and Auditing: IT support teams can resolve technical issues for users and perform device health audits remotely without requiring physical device access.
- Endpoint Detection and Response (EDR): Endpoint detection and response systems actively monitor for potential threats on company devices and raise alerts so that IT teams can respond rapidly to suspicious activity.
A secure device procurement process turns potential vulnerabilities into a security advantage by ensuring consistent and proactive device management. It also signals your commitment to IT security to your team and helps to foster a culture of responsibility and accountability.
Don’t leave device security to chance. At Sound Computers, we provide managed IT and IT security services to help you streamline device onboarding with a consistent and repeatable process that keeps every device on your network secure. Contact us today to handle your next device deployment so you can focus on running your business with confidence.

