Does GCHQ really believe enterprises should take smartphones and memory sticks away from even some employees?

According to a report in The Daily Telegraph, apparently it does, as part of recent advice handed out with the Communications-Electronics Security Group (CESG) ‘10 Steps to Cyber Security’ that suggests getting rid of them for some parts of the workforce.

The guidance was originally issued in 2012 and updated in January of this year, and I could find no reference to such draconian advice in any of its many recommendations, although standard mention is made of the risks associated with mobile devices, third-party Wi-Fi networks and staff running amok or being blackmailed by criminals.

This is either new advice that is so secret it is not officially giving it out on its own website or a reinterpretation of old advice that is frankly pretty pointless. It’s undoubtedly true that most employees don’t need USB sticks, but suggesting even a partial banishment of mobile devices is both impractical and unlikely. You might as well tell them to stop using email, refrain from visiting the web or ask them to turn off their PCs altogether.

Several security firms ventured to comment on this story and all were agreed that reducing the use of mobile devices such as smartphones was far-fetched.

“We don’t agree that businesses need to strip staff of access or mobile devices and therefore lose out on the huge benefits that the latest mobile technologies can bring in terms of productivity, collaboration, and flexibility,” commented Martin Sugden of Boldon James in one circulated comment.

The point about advice is it always sounds better when it’s highly prescriptive and rigid. This makes it a simple yes or no with no grey zone to worry about in between. Unfortunately, security doesn’t work like that because there always have to be numerous exceptions for even the simplest organisation.

We have no confirmation of what the CESG actually suggested, but nuking smartphones or USB sticks would make only a marginal difference to the cyber security risk of the average employee because almost all the real-world danger comes from malware directed through PCs. Perhaps they were thinking about data security and the worry about losing data on unsecured devices, but there are plenty of ways of fixing that hole using old-fashioned encryption.