CESG Issues Updated Guidance For Government BYOD Deployments

The Communications and Electronic Security Group (CESG) has issued updated guidance for public sector organisations wanting to implement a Bring Your Own Device (BYOD) strategy.

The guidance says that although BYOD can bring many benefits to an organisation, a number of management, legal and security issues must be considered to minimise the potential risk of employees bringing personal devices into the workplace.

“With the rapid increase in the use of mobile devices and the growth of remote and flexible working staff now expect to use their own laptops, phones and tablets to conduct business,” says the CESG.

“This guidance is for organisations considering a ‘Bring Your Own Device’ (BYOD) approach, and describes the key security aspects to consider in order to maximise the business benefits of BYOD whilst minimising the risks.”

Security measures

One of the main concerns is that personally owned devices could lead to sensitive information being leaked.

The CESG recommends the use of Mobile Device Management (MDM) or container software to control the flow of information, so only authorised devices can access corporate data and services and ensures that lost devices can be remotely wiped or access revoked if an employee leaves the company.

The guidance warns that overly-restrictive policies that reduce the functionality of a corporately-owned device could encourage employees to find workarounds that increase the security risk, something that can be helped by the use of MDM and containers which separate work and personal data and apps.

Organisations should carry out regular audits of what information is stored on what device with the recommendation being that as little data as possible is stored locally. In any case, there should be regular rehearsals for security incidents so administrators are well-versed in the protocols for mitigating the impact of a lost device or malware.

Educating Whitehall

But technical solutions only form part of the CESG’s recommendations, with the group stressing that employees should be trained and educated about BYOD.

People are more likely to lend their personal device to a family member or provide credentials to a third party, such as a repair shop, for their mobile device – something which would be unfathomable for their work laptop or PC – increasing the risk. Additionally, personal devices are more likely to be infected by malware and have automatic cloud backups enabled, further increasing the likelihood of a breach.

Public sector organisations are also warned of their obligations for protecting personal information and the guidance suggests data controllers are familiar with the Information Commissioner’s Office (ICO) BYOD guidance, the data protection act and the employment practices code, which guarantees employees a degree of privacy in the workplace.

The CESG has previously been fairly unenthusiastic about the prospect of government workers using their own devices stating that although BYOD is technically possible it is not recommended. However the group has approved a number of MDM solutions suitable for the public sector, including Samsung Knox.

Are you a security pro? Try our quiz!