Device Encryption And Lock Screens: The Basics
Encryption means a stolen laptop doesn't have to mean a data breach. Lock screens mean nobody can access your device while you're at lunch.
Last updated: March 20, 2026
A real estate agent in Gulf Breeze left her laptop in her car while she grabbed dinner. Her car was broken into. The laptop had a client list, transaction records, and digital signatures.
She called us in a panic. We asked: is the laptop encrypted?
She didn't know.
We checked. It wasn't.
That laptop was a data breach by legal definition. Client information, potentially Social Security numbers from mortgage transactions, financial data — all accessible to whoever took it.
If it had been encrypted with BitLocker (Windows) or FileVault (Mac), the data would have been unreadable. The theft would have been a hardware loss, not a breach reportable to the state and potentially to affected clients.
What this solves (in real business terms)
Device encryption makes the data on your hard drive unreadable without the correct credentials. It's transparent to you during normal use — you log in, everything works. But if someone steals the drive and tries to read it directly, they see gibberish.
Lock screens prevent casual access. You step away from your desk. Someone else sits down. With a lock screen, they can't read your email, access your files, or impersonate you.
Together, they're the difference between a stolen laptop and a stolen laptop + data breach + regulatory notification costs + potential lawsuits.
What can go wrong
Unencrypted laptops stolen from vehicles. This is the most common scenario for Gulf Coast businesses. Work vehicles, personal vehicles, hotels, coffee shops — if your team works remotely, laptops travel. A stolen laptop with unencrypted data is a breach.
Laptops left at job sites. Contractors, field service workers, real estate agents showing properties — laptops get left behind. Without encryption, whoever finds (or takes) the device has full access.
Tailgating in office environments. Someone without credentials follows an employee through a locked door. If the employee's laptop is unlocked, the intruder has access to everything.
Devices disposed of without wiping. You upgrade to a new laptop. The old one goes to an employee, gets donated, or sits in a closet. If it's not encrypted and not wiped, whoever ends up with it has your business data.
Weak lock screen PINs. A 4-digit PIN is better than nothing, but easily guessed. "1234," birthday years, addresses — attackers know what people use.
What it costs (honest ranges)
- Encryption (Windows Pro/Enterprise): Free — BitLocker is built into Windows Pro. Windows Home has Device Encryption (similar).
- Encryption (Mac): Free — FileVault is built into macOS.
- Encryption management: $0-$5/user/month (Microsoft Intune, Jamf for Mac) if you want centralized control
- Managed security provider: Usually included in $10-$30/user/month
The encryption itself is free. The "cost" is configuration time: 15-30 minutes per device to set up and verify.
Vendor questions (copy/paste)
- "Are all company devices encrypted? Which encryption product is used?"
- "How do we verify encryption is actually enabled and working, not just configured?"
- "If a device is lost or stolen, what's the process for remote wipe or lock?"
- "What's our lock screen timeout policy? How quickly do devices lock when idle?"
- "When an employee leaves, do we have a process to verify their devices are wiped or reassigned properly?"
Minimum viable implementation
Step 1: Enable BitLocker (Windows) or FileVault (Mac)
Windows (Pro or Enterprise):
- Open Control Panel > System and Security > BitLocker Drive Encryption
- Click "Turn on BitLocker" for each drive
- Choose "TPM only" authentication for most users (no PIN required at boot, just Windows login)
- Save the recovery key in your Microsoft Account — not on the device itself
Mac:
- System Preferences > Security & Privacy > FileVault
- Click "Turn On FileVault"
- Choose "Allow user to reset password using Apple ID" or create a recovery key
- Store the recovery key somewhere safe (not on the Mac)
Step 2: Verify encryption is on
Windows: Run manage-bde -status in Command Prompt. Look for "Encryption On."
Mac: System Preferences > Security & Privacy > FileVault. It shows whether FileVault is on.
Step 3: Set lock screen timeout
Windows: Settings > Personalization > Lock Screen > Screen timeout settings. Set "Turn off display after" to 5 minutes.
Mac: System Preferences > Battery > Turn display off after 10 minutes on battery, 10 minutes on power adapter.
Step 4: Require password on wake
Windows: Settings > Accounts > Sign-in options > "Require sign-in." Set to "When PC wakes up from sleep."
Mac: System Preferences > Security & Privacy > Require password after sleep or screen saver begins. Set to immediately.
Step 5: Enable Find My Device (for remote lock/wipe)
Windows: Settings > Update & Security > Find My Device. Enable it.
Mac: System Preferences > Apple ID > iCloud > Find My Mac.
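A scripted version of the Step 2 check, added here as an example and not part of the original guide: it reads the Conversion Status and Protection Status fields that manage-bde -status prints for each volume, and the text that the macOS fdesetup status command prints. It flags drives that are encrypted but have protection switched off, which a quick glance can miss. The function names and the sample output are constructed for illustration, and English-language output is assumed.

```python
import re

# Constructed sample of English `manage-bde -status` output (not from a real PC).
SAMPLE_BDE = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
Volume E: [Scratch]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 41.5%
    Protection Status:    Protection Off
"""

ENCRYPTED = {"Fully Encrypted", "Used Space Only Encrypted"}

def audit_bitlocker(text):
    """Return {volume: [problems]}; an empty list means the volume passes."""
    fields, vol = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume (\w:)", line)
        if m:  # start of a new volume section
            vol = m.group(1)
            fields[vol] = {}
        elif vol and ":" in line:  # "Key:   Value" line inside a section
            key, _, value = line.strip().partition(":")
            fields[vol][key] = value.strip()
    report = {}
    for vol, f in fields.items():
        problems = []
        if f.get("Conversion Status") not in ENCRYPTED:
            problems.append("not fully encrypted (%s)" % f.get("Percentage Encrypted", "unknown"))
        # Encrypted but unprotected means the key sits on the disk in the clear.
        if not f.get("Protection Status", "").startswith("Protection On"):
            problems.append("protection is off or suspended")
        report[vol] = problems
    return report

def filevault_ok(text):
    """True only when `fdesetup status` says On and no conversion is running."""
    return "FileVault is On." in text and "in progress" not in text.lower()

if __name__ == "__main__":
    for vol, problems in audit_bitlocker(SAMPLE_BDE).items():
        print(vol, "OK" if not problems else "; ".join(problems))
```

To use it on a real device, save the command's output to a text file from an administrator prompt and pass the file's contents to the matching function.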
When to hire help
Do it yourself if:
- You have fewer than 10 devices
- All devices are Windows Pro or Mac (not Windows Home, which has limited BitLocker features)
- You can check each device manually
Get help if:
- You have mixed environments (Windows Home, older Macs, Chromebooks)
- You want centralized verification that encryption is enabled on all devices
- You need remote lock/wipe capability managed across the fleet
- You've had a device loss or theft and need to implement this fast