Some significant data breaches in recent history have happened because media on laptops, computers, USBs and other data storage devices have been lost or stolen.
For instance, in October 2017, a USB stick was found in Queen’s Park, West London. The device, which wasn’t encrypted, contained 76 folders of confidential information about London Heathrow airport. It included CCTV camera locations, patrol information, and even the route that the Queen would take to Heathrow. It also contained information about the security measures used to protect government officials, and even ID information used to access protected areas of the airport. If the wrong person had found this USB, you can only imagine the risk there could be to national security. For this incident, Heathrow was fined £120,000 by the ICO for failing to secure personal data.
Device loss like this happens a lot more than you’d expect. Between 1st June 2018 and 1st June 2019, the UK government alone lost 2,004 devices. That averages to almost 40 devices every week! 767 of these lost or stolen devices belonged to the Ministry of Defence. While most devices were encrypted, some were not, and the encryption status of some remains unknown.
When it comes to confidential information, it’s crucial to both encrypt devices and also take steps to safeguard against their loss or theft.
Recent data breach trends
The Information Commissioner’s Office publishes quarterly information about recent data security incident trends. Their latest report (Q2 2021 at the time of writing) shows a huge number of data breaches caused by unauthorised access or misuse of hardware. Out of the 2431 reported incidents, 45 were due to the loss or theft of a device containing personal data, 4 were caused by the incorrect disposal of hardware, and a further 65 were caused by unauthorised cyber access. There could also be even more device-related incidents! 64 reports were made without a reason provided, and 353 were listed as being caused by other non-cyber incidents.
So, how can we keep devices containing confidential information safe?
There are so many simple things we can do to keep our devices safe.
Firstly, encryption. Encrypting devices is very easy to do with the correct software. When you encrypt, you make sure that any information stored on your devices is not accessible to anyone without the encryption key – sort of like a password that keeps all of the documents on your device safe. Just make sure you don’t lose the encryption keys! Without these, you will not be able to retrieve your files.
Lock devices away when not in use
When you’re leaving the workplace or even leaving your own home, make sure any valuables are out of view of any windows or doors. Lock devices away if they are valuable and easy to steal. Not only are devices often expensive to replace, but there is also the cost of the hours of work or wonderful memories you could lose by having your files stolen.
Do not leave devices unattended
If you or your team members are working remotely, make sure they are aware of the risks of leaving their work laptops or phones unattended in public spaces – even if it’s just for a few moments. It is thought that a laptop is stolen in the UK every 53 seconds. Don’t give thieves their window of opportunity.
Even if you are not working remotely, you should also be extremely cautious about leaving your devices unattended. If you are away from your office computer for just a moment, lock it. There will be files on your computer that not everyone at your workplace should have access to, whether that’s confidential client information or your emails. Even a colleague accidentally seeing confidential information they shouldn’t have access to constitutes a data breach. Your organisation could even receive large fines for such a breach occurring. It is much safer to keep portable devices with you and keep them locked anytime you aren’t using them.
Back up your files
Backing up your files is incredibly important. Firstly, if you have backups, you won’t lose everything if your devices are lost or stolen. Secondly, if your devices are lost or stolen, you will know exactly what information has been exposed. If your device contained information such as business secrets, email databases, or even things like scanned copies of your passport, you’ll know exactly what data could have been compromised. From that, you will be able to contact anyone who has potentially been affected by data loss. Your backups should also be secure. Treat them like original copies of your documents. Make sure they are encrypted, locked away, and aren’t vulnerable to unauthorised access.
When devices are no longer needed, they should be securely destroyed through degaussing (if the device is magnetic), shredding, or both. This guarantees any information that ever existed on things like computer hard drives can never be recovered.
If you are worried about data loss or breaches at your organisation, you may find our Fraud Awareness Guide for Businesses helpful. This guide covers many things you can do to safeguard against other risks such as cyber-security attacks and espionage.