GCHQ has advised businesses to consider banning bring your own device (BYOD) because staff represent the “weakest link in the security chain” who could potentially – be it intentionally or unintentionally – leak data to foreign espionage agencies.
The advice, as reported by The Daily Telegraph, is in a document entitled 10 Steps to Cyber Security issued by GCHQ’s information security arm, the National Technical Authority for Information Assurance (CESG), in conjunction with the Cabinet Office, Business Department and Centre for the Protection of National Infrastructure.
Speaking to Computing, IT leaders said that while they understood the sentiment behind the recommendation they doubted many organisations would follow it, especially when employees now almost expect BYOD.
The document is the latest attempt by government to raise awareness of the dangers of cyber crime and digital espionage. In it, CESG highlights the threat posed by vulnerable employees and other potential trouble-makers.
“A significant change in an employee’s personal situation could make them vulnerable to coercion and they may release personal or sensitive commercial information to others,” the report states, adding that if personal smartphones, tablets and laptops have to be used, then it should only be on secure networks.
Mike Jones, CIO at Northern Devon Healthcare NHS Trust, agreed that “with most security issues of this level and nature, the human factor will be the weak link”. However, he said banning BYOD was too crude a response and that staff education and mobile device management tools offered a more workable solution.
Mobile devices form a significant part of Northern Devon Healthcare NHS Trust’s information technology strategy, and Jones argued that its managed BYOD policy offered better security than simply turning a blind eye to the use of personal devices in the workplace.
“I don’t think we should necessarily ban devices – people will find ways around [a ban] which could be worse. It’s much better to educate through awareness and control through MDM policies,” he said.
Jones conceded that tough rules on device use can sometimes be appropriate, however.
“I would always base this type of absolute decision on a risk assessment and maybe there are some situations that do warrant strict controls but that should be balanced against the benefits that data sharing can bring,” he said.
Martin Sugden, managing director of secure messaging specialist Boldon James, agreed that staff can be the weakest link when it comes to security. But he argued that banning BYOD would be counter-productive.
“We don’t agree that businesses need to strip staff of access or mobile devices and therefore lose out on the huge benefits that the latest mobile technologies can bring in terms of productivity, collaboration, and flexibility,” said Sugden.
He said CIOs have a range of solutions to hand that can minimise the risks associated with BYOD.
“Properly applied, data classification and data loss prevention tools will prevent sensitive data being available on mobile devices, or accessible from inappropriate, insecure locations, and can prevent malicious misuse of data,” he said.
Tim Patrick-Smith, CIO of ICT managed services provider Getronics, said that the document's advice to limit personal device use to “trusted networks” was impracticable for smaller businesses or those that rely on flexible and remote working.
“Employees will continue to make demands of their employers to provide the right technology tools that enable them to do their jobs effectively – regardless of their location or device,” he said.
“Whilst exercising a degree of control is crucial to protect intellectual property, IT leaders today must accept shifting employee behaviours and take a position of leadership – educating and encouraging employees to be more vigilant about the data they have access to,” Patrick-Smith said.
Computing’s Enterprise Mobility Summit will take place on 10 June 2015.