UK Government Employees Lose Thousands of Mobile Devices Per Year

If you are a government employee, there is a good chance that you have both personal-use and work-use phones, tablets, flash drives, and other mobile devices. Depending on how many devices you own and how they are handled, it could be challenging to keep an eye on them all. If you are jumping from building to building to keep up with all meetings, if you use the tube daily, and if you are leading an extremely busy life, you might end up losing a device. If it is your personal device, you might be able to recover all data via backup. It might be a real pain to get a new device to replace the lost one, but generally speaking, it might be an inconvenience rather than a major issue.

On the other hand, if you lose a work-use device, you might end up jeopardizing the security of your team or even the entire department. That, of course, depends on what kind of information is stored on the lost device and whether or not the data is encrypted. Unfortunately, as it turns out, not all stolen or lost devices are protected appropriately.

At least 2000 devices were lost between June 2018 and June 2019

Phil Muncaster at infosecurity-magazine.com analyzed the research conducted by Viasat, who used Freedom of Information (FOI) data. 47 UK government departments were asked to participate in the research, but only 27 replied. Due to this, the real magnitude of the problem is not known yet. Looking at the data that was available to Viasat, it was discovered that during a period of 12 months (between June 2018 and June 2019), 2004 mobile devices that belonged to UK government employees were reported lost or stolen. 767 of the lost devices belonged to the Ministry of Defence, 288 to HMRC, 197 to the Department for Business, Energy and Industrial Strategy, and 193 to the Foreign Office.

Shockingly, the most devices were lost by workers in the department that is meant to ensure national defense. The only good news was that 1824 lost devices were encrypted and only 65 were not. The encryption status of 115 lost devices was unknown. Of course, it takes only one unprotected device to make a mess. If a stolen device reveals sensitive information, the entire department could be put at risk.

What is data encryption?

If you do not use any “locks” for your devices, they can be used by anyone who has physical access to them. So, for example, if your device is lost, anyone could pick it up, press the Power button, and go through the apps, notes, browser tabs, social media accounts, and everything else that is available. For example, if the browser on the device is used to log into some government department account, anyone could access that account. If email apps are logged into work-related accounts, the thief or the finder of the mobile device could read emails, send emails, gather sensitive information, check calendars, and so on. We are not always quick enough when it comes to reporting missing devices, and someone might only need a few minutes or a few hours to impersonate the victim and gather intelligence.

As the data collected by Viasat has revealed, the majority of affected UK government employees had their devices encrypted. That means that all data on the devices was converted into something that a thief could not read. Password encryption is one method to lock a device; however, it is not a secure method because most people set up weak, easy-to-guess passwords that can be cracked by hand or with hardware built for the purpose. Also, a thief might already know the password if you are not careful about typing it in when in public. In this instance, biometric authentication is superior because the attacker cannot guess, let’s say, a fingerprint. Of course, if your device is stolen while unlocked, that does not matter.

Fortunately, full encryption is possible on most devices, and how you encrypt a device depends on its type. For example, Android phones and tablets can be encrypted via the Security settings. Encrypting flash drives might require specific software and access to a specific operating system. The bottom line is, it is NOT enough to just slap on any password and forget about the device completely. All in all, if you want to stay safe in case your device is lost, you want to encrypt it.

You also want to go a step further to ensure your devices’ security. The apps you have installed on your tablets and phones need to be protected too. For example, if you use a password manager app, you need to make sure that it offers the highest standard of encryption. The Cyclonis Password Manager encrypts all data using AES-256 encryption. The so-called full AES encryption ensures that all data is protected appropriately. If both sensitive information and your device are encrypted, you are safe even if your device is lost or stolen. The only problem you might have to deal with is the wrath of your boss.

What should governments do to protect intelligence?

Education. That is the first thing that needs to be on the minds of security teams in all government structures. It is not enough to just hand over a mobile device and expect an employee to take care of it. First, they need to be educated about encryption of devices that might contain sensitive information or provide access to accounts and systems that belong to the government. It is also important to make it clear that employees need to report lost devices immediately. That is because if the stolen device reveals sensitive information, major security issues could occur. The sooner data protection steps are taken, the better.

Information. The more information we take in, the more knowledge we gain. The IT security teams working with government-level systems need to be quick to respond to any news about cybersecurity vulnerabilities and backdoors. For example, it was recently discovered that criminals could disable Windows 10 security using a Thunderbolt vulnerability, but only if they gained physical access to the device. Therefore, it is not a good idea to just focus on mobile devices, although it has been proven by Viasat that many UK government employees do not know how to handle them either.

By Foley
June 9, 2020