Public sector still losing user devices in high numbers

British government departments are struggling to keep tabs on their device estates, with USB drives, smartphones, PCs, laptops and tablets still being lost or stolen with alarming frequency, according to answers to Freedom of Information (FoI) requests filed by Apricorn, a supplier of encrypted USB drives.

The firm submitted FoI requests to five government departments, the Department for Education, the Ministry of Defence (MoD), the Ministry of Education, the Ministry of Justice (MoJ), NHS Digital and NHS England, asking for information relating to their device security statistics and policies.

The Department for Education lost 88 devices in 2017, 130 in 2018, and 91 in 2019. In the same period it also lost one USB or other storage device.

The Ministry of Justice (MoJ) lost 125 devices in 2016/17, 229 in 2017/18, and 354 in 2018/19. In the same period it lost two USB drives or other storage devices.

NHS Digital lost 58 devices in 2018, and 35 in 2019 (including RSA tokens). In the same period, it lost one storage device. It did not provide data for 2017, owing to a system migration error affecting its database for that period.

The statistics gathered reflect devices that were both lost and stolen, and Apricorn’s EMEA MD, Jon Fielding, described the statistics as concerning, particularly given the departments’ responsibility for vast amounts of sensitive public data.

“Modern day mobile working is designed to support the flexibility and efficiency increasingly required in 21st century roles, but this also means that sensitive data is often stored on mobile and laptop devices,” he said. “If a device that is not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with GDPR now in full force.”

In addition, the Department for Education and the MoJ both provided some details of their security policies in the event of a device loss or theft.

The Department for Education includes an acceptable use policy that ensure staff take “all reasonable care” of their devices and offer guidelines on reporting if lost or stolen. The MoJ said it encrypts all its laptops and USB drives, and stores individual data in the cloud. It remotely blocks or disables any lost or stolen device to minimise the risk of a data leak.

“Knowing that these government departments have policies in place to protect sensitive data is somewhat reassuring, however, they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices,” said Fielding.

“Corporately approved, hardware encrypted storage devices should be provided as standard. These should be whitelisted on the IT infrastructure, blocking access to all non-approved media. Should a device then go missing the data cannot be accessed or used inappropriately,” he said.

Two of the bodies approached declined to provide information. Both the MoD and NHS England said that to research and deliver answers to the requests would exceed both the cost and time thresholds above which FoI requests do not need to be honoured.