400%-plus increase in lost laptops at Ministry of Justice across last three years

Apricorn has announced findings from Freedom of Information (FoI) requests submitted to five Government departments focusing on the security of devices held by public sector employees. According to Apricorn, it emerges that the Ministry of Justice lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018-2019 compared with 229 between 2017-2018. The number of lost laptops alone more than doubled from 45 in 2016-2017 to 101 in 2017-2018 and has risen again to 201 in 2018-2019, representing an increase of more than 400% across the last three years.

FoI requests were submitted to the Ministry of Justice, the Ministry of Education, the Ministry of Defence, NHS Digital and NHS England during September-November 2019. Of the five Government departments contacted, only three responded. The Ministry of Education also reported 91 devices lost or stolen in 2019, while NHS Digital has lost 35 to date in 2019.

“While devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, and particularly so given the fact these are Government departments ultimately responsible for volumes of sensitive public data,” said Jon Fielding, managing director for the EMEA at Apricorn. “A lost device can pose a significant risk to the Government if it’s not properly protected.”

When questioned about the use of USB and other storage devices in the workplace, or when working remotely, all three Government departments confirmed that employees use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked. Each of the responding departments noted that all USB and storage devices are encrypted.

“Modern day mobile working is designed to support the flexibility and efficiency increasingly required in 21st Century roles, but this also means that sensitive data is often stored on mobile and laptop devices,” noted Fielding. “If a device that’s not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with the General Data Protection Regulation (GDPR) now in full force.”

Mobile working and data loss

In a survey conducted by Apricorn earlier this year, roughly one third (32%) of respondents said that their organisation had already experienced a data loss or breach as a direct result of mobile working, while 30% of respondents from organisations where the GDPR applies were concerned that mobile working is an area that will most likely cause them to be non-compliant.

All responding sectors did confirm that they have security policies in place to cover all mobile, storage and laptop devices.

“Knowing that these Government departments have policies in place to protect sensitive data is somewhat reassuring, but they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices,” concluded Fielding. “Corporately approved, hardware-encrypted storage devices should be provided as standard. These should be white-listed on the IT infrastructure, blocking access to all non-approved media. Should a device then ‘go missing’ the data cannot be accessed or used inappropriately.”

*The research was conducted through Freedom of Information requests submitted through Whatdotheyknow.com.  The requests, submitted between September and November this year (along with the successful responses), can be found at: https://www.whatdotheyknow.com/list/successful

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts