Information assurance arm of GCHQ recommends plenty of caution when adopting BYOD
The UK government should be wary of rushing to let workers use their own smartphones and tablets as the bring your own device (BYOD) trend spreads, CESG, the information assurance arm of GCHQ, has said.
Ownership of devices makes life simpler from a security perspective, but it is not a prerequisite, the body said in its guidance on end user devices.
“What is necessary is that the device is placed under the management authority of the enterprise for the complete duration it is permitted to access official information,” CESG wrote.
“Hence, a BYOD [bring your own device] model is possible – although not recommended for a variety of technical and non-technical reasons.
“Limitations of current technology mean that a ‘health check’ or ‘device status’ check is not sufficient to verify ‘known good’ – malware can easily subvert such a check.
“The device must be returned to an understood state such as via a firmware reinstall or wipe to factory state and any existing configuration on it replaced. It is only by taking over the enterprise management of the device that an organisation is able to ensure that information security policies are being applied.”
The GCHQ body also urged government departments to carry out pilots before full rollouts. It listed a number of operating systems in its advice, including Android 4.2, Windows Phone 8, iOS 6 and BlackBerry 10.1, hinting they are most likely to be used across government bodies.
There are numerous problems with BYOD, even if it appears to be inevitable across organisations. A recent report from Network Instruments said BYOD was the most difficult emerging trend to monitor.
There are also serious concerns about managing the extra bandwidth that employee smartphones and tablets bring.