Almost half of UK educational establishments have had mobile devices stolen

While the majority of UK institutions (83%) polled have an information security policy in place, more than half (53%) do not use encryption
While the majority of UK institutions (83%) polled have an information security policy in place, more than half (53%) do not use encryption

This is the result of a survey of 100 UK schools, colleges and universities undertaken at the BETT Show 2012 in January. Most of the stolen devices were laptops and netbooks.

While the majority of institutions (83%) have an information security policy in place, more than half (53%) do not use encryption. This lack of security is surprising given the possibility of sensitive student information being lost, and the potential for a fine of up to £500,000 from the ICO.

“It is vital,” commented Denise Crouch, a director at LapSafe Products, “that educators have sufficient plans in place to reduce the risk of mobile ICT theft. This should include measures for physically securing laptops, netbooks and tablets, and should be supported by regular IT security training to help avoid the negative consequences of having devices stolen.”

Part of school policy should perhaps be required study of a recent PhD thesis written by Trajce Dimkov at the University of Twente in The Netherlands and published last month: 'Alignment of Organizational Security Policies – Theory and Practice'. In this paper, Dimkov describes a task given to students: to steal 30 computers given to randomly selected members of staff. The members of staff were given strict instructions to keep the computers safe. However, out of sixty student attempts to steal them, 30 were successful, showing that security policies are irrelevant if ignored by the people concerned. 

Dimkov commented, “Some people forgot to lock their door. In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians. Some claimed to have left their laptop in their supervisor’s office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick.”

The ease with which staff in educational establishments can be socially engineered and the habit of just leaving the devices lying around, coupled with the UK’s lack of encryption, could cause serious problems if left unaddressed. “Our research,” says Denise Crouch, “suggests that theft of laptops and other mobile ICT devices from UK schools, colleges and universities is on the rise. Although the exact reasons for this increase are unclear, it is likely that the economic downturn and the fact that education establishments are often hotbeds of technology is somewhat responsible.”

What’s Hot on Infosecurity Magazine?