Why criminals can't wait to get their hands on your company devices

Why are criminals so keen to swipe your company devices? (We’ll give you a clue – it’s nothing to do with their resale value!)

When it comes to security, the line between the online and the offline world is blurring. It’s one of the reasons why IT and facilities teams need to work together on company security strategies to ensure all threats are covered.

It’s a topic we’ve previously written about here: ‘Physical security versus cyber security’.

That’s because the security risk works both ways.

Online actions can lead to increased physical security risks. One example is the use of social media by employees, who may share posts that inadvertently reveal sensitive company information – like the team all being out of the office for a special lunch. Read our blog: ‘How employee behaviour online could be putting your physical security at risk’ for more on that.

On the other hand, the loss or theft of physical property, such as company devices (phones, laptops etc.), could open the door to online security risks. And that’s the topic we’re going to be focusing on here.

Criminals now have a different prize in mind when it comes to company devices

Where phones and laptops were once stolen for quick cash, today’s criminals are far more interested in what’s inside the device than the device itself.

A single compromised mobile phone could unlock access to everything from cloud storage to banking apps, email accounts and authentication tools. The result is a gateway to identity theft, fraud, and even corporate espionage.

So, while the resale value of a company device might be £100+, the value of the data it holds is potentially thousands.

300 laptops go astray at the Bank of England

It’s been revealed that the Bank of England lost or had stolen over 300 laptops, tablets, and phones between May 2022 and March 2025; company devices worth nearly £300,000.

While the Bank has confirmed that all the devices were encrypted and remotely disabled, the incident highlights the fragile boundary between physical and digital security.

Think of your own business – what would happen if an employee had their work phone or laptop stolen?

On top of the financial loss, it could provide criminals with a ‘way in’ and lead to consequences that extend far beyond the value of the physical item. Each lost or stolen device could be a potential gateway to:

  • Cached credentials and passwords
  • Access tokens for cloud platforms
  • Sensitive emails and internal documents
  • VPN certificates and network maps
  • Multi-factor authentication apps

Remember, even with encryption in place, sophisticated attackers will try to bypass protections by exploiting hardware vulnerabilities, social engineering or user error.

Other physical security risks

The Bank of England incident highlights how deeply interwoven physical and digital security are, with organisations that treat them in silos likely to be leaving themselves exposed.

Here are some other example scenarios:

  • A stolen laptop is used to access internal systems via saved credentials
  • A lost phone containing MFA apps gives attackers a way around two-factor authentication
  • A USB drive left in a public space is later used to inject malware into a corporate network

Tailgating

It’s not just outside of the workplace that these risks exist.

A tailgating security incident, also known as a “piggybacking” attack, sees an unauthorised person gaining physical access to a restricted area by closely following in someone who is authorised to enter. It’s a classic example of a social engineering tactic that exploits human behaviour rather than technical vulnerabilities.

Once inside, they may swipe devices or even install a rogue device, with consequences that then unfold in cyberspace.

Opportunistic crime

An opportunistic crime is where someone takes advantage of a momentary lapse in security or awareness. It’s spontaneous, based on an easy opportunity rather than deliberate targeting.

For example, they may swipe an employee’s phone from their desk or an open bag; take a laptop left in a meeting room; or access IT equipment left in unlocked cupboards or rooms.

So, what steps can organisations take?

1. Treat devices as critical assets

Every laptop, phone, or tablet should be logged, tracked, and managed. Use asset management tools to monitor device status, location, and user access.

2. Train staff on physical security

Cybersecurity training often focuses on phishing and password hygiene, but physical awareness is just as important. Teach employees to:

  • Never leave devices unattended in public
  • Lock screens when stepping away
  • Report lost devices immediately
  • Avoid storing sensitive data locally
  • Never wedge security doors open
  • Beware of tailgating

3. Collaborate on security

Break down the silos between IT security and physical security. Shared protocols, joint incident response plans, and cross-training can help teams respond faster and more effectively.

4. Plan for the worst

Assume that a device will be lost or stolen at some point. Build your security architecture around zero trust principles, where access is continuously verified and no device is inherently trusted.
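
The following Python is an added example, not code from this article or from Venture. It joins the asset register from step 1 to the zero trust check from step 4: every request re-evaluates the device, and a loss report returns the credentials that must be revoked. The register contents, the seven-day check-in threshold and all names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_CHECK_IN_AGE = timedelta(days=7)   # assumed policy threshold
NOW = datetime(2025, 6, 1, 9, 0)       # fixed clock for the constructed data

@dataclass
class Device:
    asset_tag: str
    user: str
    encrypted: bool
    last_check_in: datetime
    reported_lost: bool = False
    # (kind, identifier) pairs for secrets held on or bound to the device
    credentials: list = field(default_factory=list)

def sample_register():
    """Constructed asset register; tags, users and identifiers are made up."""
    return {
        "LT-0001": Device("LT-0001", "a.example", True, NOW - timedelta(hours=3),
                          credentials=[("cloud_token", "tok-1"),
                                       ("vpn_certificate", "cert-1"),
                                       ("mfa_enrolment", "mfa-1")]),
        "PH-0002": Device("PH-0002", "b.example", True, NOW - timedelta(days=30)),
    }

def access_decision(device, now=NOW):
    """Evaluated on every request: a device is never trusted by default."""
    if device is None:
        return "deny: not in asset register"
    if device.reported_lost:
        return "deny: reported lost or stolen"
    if not device.encrypted:
        return "deny: storage not encrypted"
    if now - device.last_check_in > MAX_CHECK_IN_AGE:
        return "deny: no recent check-in"
    return "allow"

def report_lost(register, asset_tag):
    """Flag the device and return every credential that must be revoked."""
    device = register[asset_tag]
    device.reported_lost = True
    to_revoke = [(device.user, kind, ident) for kind, ident in device.credentials]
    device.credentials = []            # nothing on the device stays valid
    return to_revoke

if __name__ == "__main__":
    register = sample_register()
    print(report_lost(register, "LT-0001"), access_decision(register["LT-0001"]))
```

The revocation list is what turns “report lost devices immediately” into action: the cloud token, VPN certificate and MFA enrolment tied to the device stop working even if the hardware is never recovered.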

5. Get expert support

Work with an expert security partner, like ourselves here at Venture, who can support you to keep your people, property and assets safe.

In summary

The Bank of England’s company devices going astray may not have led to a known breach, but they’ve exposed a deeper vulnerability. In a world where cyber threats are increasingly sophisticated, the simplest mistakes can open big doors.

For organisations of all sizes, the message is clear: cybersecurity doesn’t end with firewalls and encryption. It begins with the physical world – at the desk, in the pocket, and on the move. That’s why bridging the gap between physical and digital security isn’t just best practice, it’s essential.

In need of expert security support for your business?

Our experienced team, here at Venture Security, currently supports more than 400 customer sites across Hampshire, Wiltshire, Somerset, Surrey, and Dorset, including iconic landmarks such as Stonehenge, Newbury and Salisbury Racecourses, and The Roman Baths.

To find out more about our comprehensive range of corporate security services, and how they could help you, contact us on 01264 391538 / office@venturesec.co.uk
