The UK Ministry of Defence (MoD) has egg all over its face following its admission that over 269 of its phones went missing between January 1 and February 27. This is a record number, even for the MoD, which lost 262 phones in total in 2023 and 2024.
The astonishing total of how many phones were recorded as lost, misplaced or stolen in the first two months of this year only came to light in response to a question asked in the UK parliament by the shadow defence secretary, James Cartlidge. The fact that a security-conscious organization such as the MoD could lose track of so many devices only evidences the increasing overlap between cybersecurity and physical security. Once a device such as a smartphone is in the hands of a threat actor, it can provide a portal to enable all kinds of cyber-attacks.
At the simplest level, it can be used to access the organization’s IT systems in order to upload off-the-shelf malware designed to encrypt crucial data and install ransomware. Even if the device is not enabled to access internal systems, its call history can be used as the basis for targeted spear phishing directed at other members of staff and, in some cases, senior executives such as the company finance officer. These attacks have become increasingly sophisticated and difficult to spot. The phone itself can also be used either to make a fraudulent call directly or to enable multi-factor identification, again allowing the cybercriminals to breach the organization’s cyber-defences.
While, in the MoD’s case, robust security is said to be in place to prevent data being accessed from a lost phone, cybercriminals need only a very brief window in which to execute a breach. The level of risk is also dependent on the circumstances in which the phone went missing. If, for instance, it was simply left in the back of a taxi, the chances of it falling into the hands of skilled cybercriminals would be relatively slim.
Stolen phones represent a direct security breach
But if the phone were deliberately stolen, it is far more likely that it would immediately be used to execute a security breach. There is also the possibility that, in the case of some staff members, the phone’s messaging and call history could be used to blackmail an employee into granting the cybercriminals direct access to corporate data.
The only truly effective way of securing phones used by staff is to ban employees from using their own devices for work-related functions and also to forbid them from using corporate devices for non-work related activities. The recent trend for companies to save money by following a ‘bring-your-own-devices-work’ (BYOD) policy is a recipe for disaster. Any devices that are issued by the organization should also have tracking software installed so the phone can be instantly located and retrieved if it is reported missing.
The UK’s MoD is now facing demands from parliament on whether any sensitive information may have already fallen into the wrong hands.
UK shadow armed forces minister Mark Francois said: “At a time when Russian espionage activities against the UK are clearly increasing, the news that large numbers of MoD phones – and presumably the data on them – are routinely being lost, is really pretty concerning…Of all Departments, the MoD should appreciate the importance of security so clearly they need to tighten up in this area, as a matter of urgency.”
