Are you paranoid enough about your staff's technology?
GCHQ advice to blue-chip bosses warns of business security risks posed by workers’ phones, music players and USB sticks
“Just because you’re paranoid,” the old adage goes, “doesn’t mean they’re not out to get you.” Typically, that saying has been the preserve of anxious employees who are concerned that their bosses are about to put them on the chopping block. But now it has emerged that the sentiment should be very much the other way round – with revelations that British intelligence agency GCHQ has been advising bosses at some of the UK’s biggest firms that their most significant security threats stem from gadgets brought in by their own staff.
According to a report today from the Telegraph, the agency’s Communications-Electronics Security Group (CESG) has circulated a document entitled 10 Steps to Cyber Security, outlining the types of device over which managers should exercise particular vigilance.
“Assess business requirements for user access to input/output devices and removable media (this could include MP3 players and smartphones),” says the publication, implying that bosses should carefully consider whether or not such objects must come into the workplace at all.
At the heart of the matter, the agency stressed, is the problem of intent: a sharp change in a worker’s personal or employment circumstances can leave them open to blackmail or coercion, or spur rogue activity fuelled by malice or mischief. “A significant change in an employee’s personal situation,” the document said, “could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others.”
It added: “Dissatisfied users may try to abuse their system-level privileges, or coerce other users to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.”
With all that in mind, the agency advised, senior executives should “monitor all user activity”, and ensure staff understand that “any abuse of the organisation’s security policies will result in disciplinary action”.
Clearly some important points to ponder for bosses who currently operate “bring your own device” (BYOD) policies. Unless, of course, they’re just being paranoid.
UPDATE – 15:00
Phil Beckett – partner at forensic data investigation experts Proven Legal Technologies – has said in reaction to the Telegraph's GCHQ revelations:
“Cyber attacks are not limited to large organisations and critical infrastructure companies – they actually pose a ‘clear and present danger’ to organisations of any shape or size. It is therefore crucial that companies tighten up their data security across the board, leaving no area of the business vulnerable to data loss.
“The proliferation of BYOD policies has resulted in potential risks to all businesses, as the segregation between business and personal data becomes more and more hazy. As such, by inviting personal devices into the office – and then allowing them to leave again, often containing confidential information – firms may actually be compromising their intellectual property as well as their security.
“It’s worth noting that this problem extends beyond smartphones to computers and other removable devices as well. Data can be very promiscuous, in that it tends to associate itself with different devices in different formats. In order to protect IP and minimise fraud, businesses will need to implement rigorous policies on BYOD and managing corporate data, and carefully monitor all company devices and staff access to confidential information. Likewise, when a team member decides to move on, businesses must ensure that it is only the employee leaving, and that no private data is following in their wake.”