By Tom Jowitt | Silicon UK
FOI requests from Apricorn reveals soaring levels of missing laptops from government departments, with the Ministry Of Justice the chief culprit.
Government departments have admitted in a rise in lost laptops, with the Ministry of Justice alone reporting a 400 percent increase in lost laptops in three years.
This is according to Apricorn, a security firm that specialises in 256-bit AES XTS hardware-encrypted USB drives, after it made Freedom of Information (FoI) requests to five government departments.
Lost laptops have been a problems for years in the public sector, but in the light of GDPR, the consequences may be more severe. In 2011 for example the Department of Health admitted it had lost more than 250 laptops over the past ten years.
But now in 2019, the Apricorn research revealed that the Ministry of Justice (MoJ) lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018/19.
This is compared with 229 lost devices between 2017/2018.
And the number of lost laptops alone, has risen from 45 in 2016/17 to 101 in 2017/18 and up to 201 in 2018/2019, an increase of more than 400 percent in three years.
Apricorn submitted FoI requests to the MoJ, Ministry of Education (MoE), Ministry of Defence (MoD), NHS Digital and NHS England during September-November 2019.
It said that of the five government departments contacted, three out of five government departments responded. The MoE also reported 91 devices lost or stolen in 2019, whilst NHS Digital have lost 35 to date in 2019.
“Whilst devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, particularly given the fact these are government departments ultimately responsible for volumes of sensitive public data,” said Jon Fielding, managing director, EMEA at Apricorn.
“A lost device can pose a significant risk to the government if it is not properly protected,” he added.
And all three government departments that responded to the FoI, admitted that staff use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked.
The good news is that each of the responding departments noted that all USB and storage devices are encrypted.
“Modern day mobile working is designed to support the flexibility and efficiency increasingly required in 21st century roles, but this also means that sensitive data is often stored on mobile and laptop devices,” said Fielding. “If a device that is not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with GDPR now in full force”, noted Fielding.
Another security expert agreed and said that endpoint devices are often used in a cyberattack.
“Unfortunately, lost or stolen devices are problems that any large organisation will face,” said Saryu Nayyar, CEO of behaviour analytics and cloud security specialist Gurucul. “Endpoints such as laptops boost user productivity, but they are also commonly used as an entry point into an organisation during a cyberattack.”
“When a laptop goes missing, so does the sensitive information which exists in its files, which could lead to a data breach if the device falls into the wrong hands,” said Nayyar. “The best way to reduce your exposure to such risks is by proactively planning for just such an incident. That means establishing an incident response plan to follow in the event a laptop is stolen.”
“But it also means having the right cybersecurity solutions in place,” she added. “For example, behaviour-based security analytics technology can identify unusual user or device behaviour that could be indicative of a cyberattack or insider threat so that IT can intervene before a data breach occurs.”