Hundreds of devices declared missing by government departments
The findings of 14 Freedom of Information (FOI) requests to the UK's government departments regarding the security of devices held by public sector employees have been released.
The investigation, performed by Apricorn, the manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, received alarming responses to its requests.
The Home Office declared 469 lost and stolen devices between September 2021 and September 2022, with the UK Ministry of Defence (MoD) not far behind with 467 mobiles, tablets and USB devices unaccounted for.
The UK Ministry of Justice (MoJ) declined to provide answers to the FOI questions posed despite numerous requests by Apricorn. This was despite having provided information in previous years, which highlighted 345 lost and stolen devices and an alarming 2,152 data breaches (September 2020 to September 2021).
Her Majesty's Revenue and Customs (HMRC) declared 635 lost and stolen devices, including 387 mobiles, 244 tablets and four USB drives.
Concerningly, this is a 45% increase over the numbers shared for the same period in 2020-2021 (346) and 40% more than 2019-2020 (375).
Furthermore, the Department of Business, Energy and Industrial Strategy admitted to 204 lost and stolen devices - almost double the 107 declared in the previous year. The Prime Minister's Office also worryingly reported 203 misplaced devices.
"We have asked these same questions via these FOI requests for the last three years and whilst it's not surprising to see devices unaccounted for, we would hope to see the numbers declining as cybersecurity becomes more established," says Jon Fielding, Managing Director EMEA, Apricorn.
"Robust, regularly reviewed and tested policy and practice, with appropriate technology choices and implementation, supported by education and comprehensive backup and recovery strategy, is a must for optimum protection."
Research into the UK's MoJ Annual Report, which covered April 2021-March 2022, uncovered a considerable number of breaches declared to the ICO. Most unsettling was the disclosure of a COVID status spreadsheet of 1,800 staff and offenders sent by email to all staff within a prison.
This contained confidential data for offenders and staff, including health data. In addition, another 1,400 MoJ employees were potentially affected when a compromised Office 365 account allowed access to personal data.
"It's worrying to think that a government entity that holds so much responsibility, and retains so much sensitive and personal information, can pose this much risk. The number of recorded security incidents, whether reported to the ICO or not, should alarm security teams," adds Fielding.
"A good place to start would be through education and awareness. It's not simply about putting critical policies in place, but equally ensuring that awareness is maximised among employees so that the risks associated with applications, actions and devices are understood."
The Foreign, Commonwealth and Development Office (FCDO) also declined to respond to requests, but its Annual Report for 2021-22 recorded 117 personal data incidents between March 2021 and April 2022.
Of these incidents, 96 were considered personal data breaches under the UK General Data Protection Regulation (UK GDPR), 76 of which were deemed human error, two were tech issues, ten resulted from partners across government (PAG) and suppliers, and eight were deliberate contraventions.
The FCDO also had 16 incidents considered serious enough to be reported to the Information Commissioner's Office.
Continuing the trend, the Department for Education (DfE) confirmed the loss and theft of 356 devices, including 296 USB drives. With so many USB devices unaccounted for, this further highlights the importance of encryption on portable drives to keep data safe when it moves beyond the confines of the government network.
While the number of misplaced devices is certainly concerning, all of the government departments questioned by Apricorn confirmed that missing devices were encrypted as standard.
"The good news is that encryption is obviously recognised, and in the case of government departments, mandated, as a critical component of device security," continues Fielding.
"Hardware encrypted storage devices should be provided as standard to ensure that any sensitive data held on them should always be unintelligible if they happen to be misplaced and fall into the wrong hands. Additionally, encryption should be combined with the automation and enforcement of security policies through technology wherever possible."