GCHQ is advising organisations to consider stripping staff of smartphones and memory sticks in order to make themselves less exposed to cyber attacks.
The advice from the intelligence agency's CESG (Communications-Electronics Security Group) information assurance arm comes against a backdrop of increased concerns about the theft of intellectual property by cyber-spies.
Fair play on that score, you might think, but the advice is on more uncertain ground in pushing against the Bring Your Own Device (BYOD) trend that has transformed corporate IT plans over recent years.
Less controversially, the "10 Steps to Cyber Security" advice – issued by GCHQ and seen by The Telegraph – also counsels that staff should only use trusted Wi-Fi networks, in effect avoiding coffee shops or transport hubs without special protection (not stated but presumably VPNs).
Staff in general are the "weakest link in the security chain" and disgruntled employees and the mischief they can create are a particular threat, the spooks advise.
“Assess business requirements for user access to input/output devices and removable media (this could include MP3 players and smart phones),” the advice states, according to The Telegraph.
“Monitor all user activity", and make sure staff are aware that violations in acceptable use policies will lead to disciplinary action.
Martin Sugden, managing director of data classification and secure messaging provider Boldon James, commented: "We absolutely agree that employees are a big risk for organisations, for the simple reason that people are human and we all make mistakes. It’s good to see that acknowledged, as organisations often focus too much on protecting their perimeters from hostile threat, whilst ignoring the security risks presented by their own staff."
Sugden did, however, part company with the implied advice from CESG that businesses ought to reconsider schemes to extend access to information technology to mobile workers, such as salespeople or engineers.
"We don’t agree that businesses need to strip staff of access or mobile devices and therefore lose out on the huge benefits that the latest mobile technologies can bring in terms of productivity, collaboration, and flexibility," he said.
"As long as security travels with your data, you can control who has access to what, on which device and in what location," he said.
"Properly applied, data classification and data loss prevention tools will prevent sensitive data being available on mobile devices, or accessible from inappropriate insecure locations, and can prevent malicious misuse of data. Securing the sensitive data wherever it travels solves the issue," Sugden concluded.
A GCHQ spokesman told The Register: "It is not true to suggest the guidance advocates "stripping staff of company phones". On the contrary, CESG (and the guidance) have helped many government departments modernise their ways of working with mobility solutions."
"Regarding the guidance on mobile working," he continued, "it acknowledges the fact that mobile working offers great business benefit and so gives some practical advice on how to manage the risks when extending the corporate security boundary. It in no way advocates removing technology or devices from those who need it.
"For those who are serious about using technology securely, Ten Steps to Cyber Security is available on GOV.UK."
The spokesman added that configuration guidance for the use of a wide range of mobile platforms for remote working at OFFICIAL is also available on GOV.UK, here. ®