The figures, obtained by memory and storage firm Crucial, show that 3,533 laptops have been reported lost in the last five years on the TfL rail network. An additional 801 have gone missing in the last three years at eleven Network Rail operated stations across the UK.
Despite the increasing emphasis on cyber security in organisations, it seems that many employees are neglecting information security practices in the physical world, whether it’s storing passwords on sticky notes or leaving devices on public transport.
In 2014, Londoners left 25,000 devices such as phones, tablets and USB sticks on trains, buses and trams, including 21,291 phones and 755 laptops, with USB devices numbering more than 1,449.
Those that are left unclaimed on the tube become property of TfL after three months, after which they can be sold at auction, donated to charity, recycled or destroyed – that’s if a dishonest passenger doesn’t nab it first.
To increase your chance of getting your belongings back, TfL recommends noting the serial numbers of all devices you carry and labelling them with your or your company’s contact details.
But losing a device in the first place represents a significant security risk to enterprises, whose sensitive data may get into the wrong hands.
In fact, losing an information asset is now so common that it was deemed worthy of its own category in Verizon’s 2016 Data Breach Report. Verizon found that laptops were the top asset lost by employees and that devices were 100 times more likely to be lost than stolen.
Laptops often come with low-grade pre-installed hard drives which lack encryption technology and can only be protected by software, which is one of the weakest forms of encryption and slows down system performance.
‘Given how easy it can be to bypass the user’s password, the data held on these assets is certainly at risk,’ said Luke Brown, VP and GM of EMEA, India and Latam at Digital Guardian.
‘The good news, however, is that breaches resulting from lost devices don’t have to drive companies off the rails. Whilst there’s not much that can be done to prevent a device from being lost, there are measures businesses can take to prevent a data breach if the device did get into the wrong hands.’
‘A data-centric security solution is capable of preventing someone from accessing, copying, moving or deleting data without the right approval. The right technology can effectively render the lost device useless and entirely remove the risk factor associated with human error.’
The new figures from TfL highlight yet again that it is increasingly difficult for organisations to minimise data breaches caused by human error. And under new EU data protection regulations being adopted from 25th of May, if the data on these devices wasn’t encrypted, the organisations they belong to could face serious consequences.
As Richard Beck, head of cyber security at QA, explained: ‘Under GDPR, companies will be required to report the loss to the ICO and it will be thoroughly investigated. Companies could face fines of up to 4% of global turnover.’
‘Whilst organisations cannot be responsible for how employees look after their assets, they can limit the impact of a data breach suffered should these devices get lost by increasing staff awareness of the threats. By educating staff, organisations can ensure an understanding of the need for encryption on all devices.’