UK government organisations have invested heavily in strengthening their cybersecurity posture over the last few years. As a sector that’s responsible for so much sensitive, confidential and classified information, its policies must be stringent and completely effective. However, one specific aspect of cyber risk – the number of mobile and removable devices being lost by or stolen from staff – appears to be on the rise. This trend should ring warning bells for security officers in every industry.
Each year, Apricorn submits Freedom of Information (FoI) requests to government departments and local authorities, to examine the security of devices held by public sector employees. This year, the Home Office revealed 469 of its devices had been lost or stolen between September 2021 and September 2022, while the MoD had 467 mobiles, tablets and USB devices unaccounted for. HMRC declared 635 lost and stolen devices – 45% up on the same period the previous year – and the figure had doubled for the Department of Business, Energy and Industrial Strategy, at 204.
At local government level the situation was similar, with the UK councils contacted admitting that more than 600 devices had been lost or stolen during 2022.
Out of sight, out of mind?
It’s possible that the increase in devices going missing in action is being driven by a gradual erosion of visibility and control over what employees do when they’re out of the office. As they become more used to working peripatetically, they might be more likely to let their guard down, or to use corporate and personal devices interchangeably.
They also want greater autonomy when they’re ‘out in the wild’, and this includes being able to get things done without needing to make contact with the IT team. Meanwhile, the desire to provide a good employee experience is leading some organisations to be conspicuously more hands-off, or to relax their BYOD policy, for example.
Employees and the devices they use to do business have become the new cybersecurity perimeter. It’s vital that the security team retains oversight of these endpoints, and is able to properly protect them.
Pin down the policies
The bedrock of this protection needs to be a set of policies and procedures that set out precisely how employees are required to behave when using mobile and removable devices. Ideally, only IT-approved devices should be permitted to connect to the corporate network. This policy must be enforced through endpoint controls – for example by locking down laptop ports so they only accept approved USBs.
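One way to express the "only approved USBs" control above as an enforceable allowlist, written as an added example (not Apricorn's or any department's code). The device inventory and attach events are constructed, the vendor/product IDs are placeholders, and the rendered rules use the USBGuard rule syntax (allow id VID:PID serial "..."; block with-interface) rather than any product-specific format:

```python
"""Allowlist decision for removable storage: allow only IT-issued drives,
identified by vendor id, product id AND serial, so a same-model drive bought
personally is still refused.  Constructed example data throughout."""
from dataclasses import dataclass

# Constructed inventory of IT-issued encrypted drives: (vendor id, product id, serial).
# "abcd:0001" is a placeholder, not a real vendor/product pair.
APPROVED = {
    ("abcd", "0001", "APR-00017"),
    ("abcd", "0001", "APR-00042"),
}
MASS_STORAGE_CLASS = "08"  # USB interface class code for mass storage


@dataclass(frozen=True)
class UsbEvent:
    vid: str
    pid: str
    serial: str
    interface_class: str  # e.g. "08" for storage, "03" for HID (keyboard/mouse)


def decide(event: UsbEvent) -> str:
    """Return 'allow' or 'block' for one attach event.
    Devices that are not mass storage fall outside this policy and are allowed;
    storage is allowed only when it is on the inventory (IDs compared case-insensitively)."""
    if event.interface_class != MASS_STORAGE_CLASS:
        return "allow"
    key = (event.vid.lower(), event.pid.lower(), event.serial)
    return "allow" if key in APPROVED else "block"


def usbguard_rules() -> list[str]:
    """Render the inventory as a USBGuard policy: one explicit allow per issued
    serial, then a catch-all block for any other device exposing a storage interface."""
    rules = [f'allow id {vid}:{pid} serial "{serial}"'
             for vid, pid, serial in sorted(APPROVED)]
    rules.append("block with-interface one-of { 08:*:* }")
    return rules


if __name__ == "__main__":
    for ev in (UsbEvent("abcd", "0001", "APR-00017", "08"),   # issued drive
               UsbEvent("abcd", "0001", "PERSONAL-1", "08"),  # same model, not issued
               UsbEvent("1234", "5678", "", "03")):           # keyboard, out of scope
        print(ev.serial or "<no serial>", "->", decide(ev))
    print("\n".join(usbguard_rules()))
```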
Policies should cover the specific types and models of devices that are approved by the organisation for work purposes, and how they are to be used. There should be no ambiguity around if and when individuals are allowed to use their own personal or home devices. All policies should be regularly reviewed as technology and cyber threats evolve.
While they must be rigorous, policies shouldn’t impede productivity. If employees find them too difficult to grasp or frustrating to follow, they might decide to ignore them, find a workaround, or resort to non-sanctioned tools and devices. This will of course increase risk.
A security-first mindset
Employee education is the next part of the puzzle. A comprehensive and ongoing awareness programme will ensure everyone understands the policies associated with the devices they use, and their responsibilities around protecting the information they handle.
All training should be personalised – made relevant to the roles and activities of the employee, and contextual – specific to the organisation, and the risks to the data, applications, tools and systems they access from mobile and removable devices.
Encrypt as standard
Even with the best education programmes in place, humans will still slip up, which makes encryption of all data a critical component of device security. It’s worth mentioning that all of the government departments that were contacted with FoI requests confirmed their missing devices had all been encrypted.
Providing all staff with storage devices that automatically encrypt the data written to them will ensure that the information remains unintelligible if they happen to fall into the wrong hands. Hardware encryption generally delivers better protection than software-based encryption. Keys are held in a hardware crypto module, and all authentication processes take place on board the device, which mitigates the risk of counter resets, software hacking, screen capture, keylogging and brute-force attacks.
Back up the backup
Finally, the ability to fully recover data that was stored on a lost or stolen device depends on having a sound backup and recovery strategy in place. In Apricorn’s latest survey of UK security leaders, while all respondents said their organisation had a backup process, almost two thirds (63%) had been unable to fully restore all data/documents when they needed to.
Backing up data locally to a high-capacity removable hard drive or USB, for example, is sound security practice when someone is working away from the office. It allows them to restore the most recent copy of their data quickly and easily if something goes wrong. The device can also be disconnected from the network to create an ‘air gap’ between information and threat. Offline solutions must be used in combination with other media such as cloud storage, however, to avoid the risk of losing information if the device is misplaced or compromised in some way.
Multiple automated backups, made multiple times a day, will minimise the likelihood of data loss.
It’s concerning that data held on devices remains so vulnerable to exposure in the public sector, despite increased cybersecurity awareness and efforts. The disparate workforce and their smartphones, tablets, laptops and USBs are now the edge that security teams must patrol.
Cyber criminals are alert to the fact that staff members are storing, processing and physically carrying copies of vital information away from the office environment, on hardware that can very easily be misplaced or taken. All organisations should refocus on building resilience into that frontline: setting out clear and rigorous policies, making best practice ‘business as usual’ through education, and reinforcing them with appropriate tools and solutions.