Apricorn has announced findings from Freedom of Information (FoI) requests submitted to five Government departments focusing on the security of devices held by public sector employees. According to Apricorn, it emerges that the Ministry of Justice lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018-2019 compared with 229 between 2017-2018. The number of lost laptops alone more than doubled from 45 in 2016-2017 to 101 in 2017-2018 and has risen again to 201 in 2018-2019, representing an increase of more than 400% across the last three years.
FoI requests were submitted to the Ministry of Justice, the Ministry of Education, the Ministry of Defence, NHS Digital and NHS England during September-November 2019. Of the five Government departments contacted, only three responded. The Ministry of Education also reported 91 devices lost or stolen in 2019, while NHS Digital has lost 35 to date in 2019.
“While devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, and particularly so given the fact these are Government departments ultimately responsible for volumes of sensitive public data,” said Jon Fielding, managing director for the EMEA at Apricorn. “A lost device can pose a significant risk to the Government if it’s not properly protected.”
When questioned about the use of USB and other storage devices in the workplace, or when working remotely, all three Government departments confirmed that employees use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked. Each of the responding departments noted that all USB and storage devices are encrypted.
“Modern day mobile working is designed to support the flexibility and efficiency increasingly required in 21st Century roles, but this also means that sensitive data is often stored on mobile and laptop devices,” noted Fielding. “If a device that’s not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with the General Data Protection Regulation (GDPR) now in full force.”
Mobile working and data loss
In a survey conducted by Apricorn earlier this year, roughly one third (32%) of respondents said that their organisation had already experienced a data loss or breach as a direct result of mobile working, while 30% of respondents from organisations where the GDPR applies were concerned that mobile working is an area that will most likely cause them to be non-compliant.
All responding sectors did confirm that they have security policies in place to cover all mobile, storage and laptop devices.
“Knowing that these Government departments have policies in place to protect sensitive data is somewhat reassuring, but they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices,” concluded Fielding. “Corporately approved, hardware-encrypted storage devices should be provided as standard. These should be white-listed on the IT infrastructure, blocking access to all non-approved media. Should a device then ‘go missing’ the data cannot be accessed or used inappropriately.”
*The research was conducted through Freedom of Information requests submitted through Whatdotheyknow.com. The requests, submitted between September and November this year (along with the successful responses), can be found at: https://www.whatdotheyknow.com/list/successful