Mobile technology is essential for working in the fast-moving, high pressure environment of government. The threat of cyber attack is real, but you still need to do business quickly and efficiently, both in the office and on the move. This guidance aims to make you aware of some of the sensible precautions you can take to stay secure.
Modern smartphones and tablets have the same capabilities as office PCs and therefore face many of the same security threats. As mobile devices are portable, and often connected to non-government wireless networks, they also introduce further security issues in relation to the information they hold, and the methods that attackers could use to access this information.
- Voice calls are not secure and can be intercepted. This is especially the case when overseas. Only use mobile devices above OFFICIAL if you have been given a device which has been approved for this purpose.
- Even when turned off, mobile devices are never truly off. It is possible for attackers to remotely turn on the microphone and record conversations. Consider not taking your device into buildings or rooms where sensitive discussions are being held.
- Most voicemail ‘hacking’ over the years has been as a result of attackers obtaining access to mailboxes using default PINs. Ensure that you change your PINs and passwords from the default.
- Be wary of unsolicited emails, even if they look relevant to you. Do not open attachments or click on any links within emails if you are unsure of, or have doubts about the source.
- Where your device has external ports (e.g. USB), only ever connect a device that has been approved for this purpose. Never plug anything unknown into your device: this is a common path for malicious software.
Controlling access to your device
- Your mobile device should be kept on your person or left in a secure location at all times. If you find that your device has been lost or stolen, you should inform the police and your IT Help Desk as soon as possible.
- Follow your department’s security guidance on the use of passwords and lockout periods for your device. These provide an essential level of protection against unauthorised access to your device should it be lost or stolen. Only store information on the device for as long as necessary.
What your device can reveal about you
- Remember that mobile devices usually have features that identify your location, and that it is difficult to ensure that all of these features are fully turned off. It is possible to retrieve real-time location data from a device in your control, as well as considerable location history.
- Public Wi-Fi hotspots are not secure and other users on that network might be able to read any unencrypted data that you send or receive.
- Do not use shared or public PCs (e.g. at a conference) to do any official business or log on to any personal services. You will not know how that computer has been configured or whether any malicious software has been installed.
Keeping devices updated
- Ensure that all software/app updates are installed as soon as available; they often contain critical security fixes.
- Only download software and apps from trusted sources (e.g. App Store). Applications from other sources have not been assessed for malware by the device manufacturer and are more likely to be malicious.
- When using devices outside secure locations, be aware that you can be easily overheard. Avoid discussing sensitive matters in public places.
- Similarly, be aware that screens on tablets and other devices can be observed by those around you. You should take care to avoid being overlooked when working in public areas and, if necessary, wait until you are in a more private location before undertaking sensitive work. Remember the potential for passwords to be observed when you are entering them.
Foreign intelligence services (FIS) have significantly greater resources and control over the operating environment in their own country. For example, it is easier for FIS operating in their own countries to intercept communications, conduct agent operations, gain covert access to your accommodation, and gain covert physical or technical access to your IT.
- When overseas, be aware that local authorities and police are likely to have access to hotel rooms and safes within them. These should not be considered as secure places to store IT devices.
- All forms of communication are potentially vulnerable to a highly capable FIS. If an electronic device (e.g. mobile or laptop) is compromised by a FIS, it could potentially be used as a covert eavesdropping device. Mobile telephone communications might also be exploited to assist the FIS to locate the user.
- We recommend that when travelling overseas, you only use devices that have been approved for this purpose by your Departmental Security Officer (DSO).
- Where possible, you should use secure communications in Overseas Missions to access or communicate sensitive information.
- In high threat countries, we recommend ‘single use’ mobiles for personal use to contact family whilst you’re overseas. These should not be used to contact associates or colleagues, or be used for personal communication in the UK. These mobiles will not be any less vulnerable to intercept, but will not contain stored personal or business information (address books, photographs, online account details etc.) which might be exploited by a FIS.
- Do not take personal laptops or tablets to high threat countries.
- Wi-Fi and Bluetooth should be disabled and not used in accommodation potentially known to a FIS (e.g. your hotel).
Prior to travelling overseas on personal or official business we recommend that you read the FCO Travel Advice.
Before travelling to high-threat espionage countries on personal or official business, we recommend that you seek DSO (or equivalent) guidance prior to booking travel and completing visa forms. DSOs should liaise with Advisors at CPNI and/or CESG for further bespoke guidance.
They may also be able to arrange country-specific briefings from their relevant teams.
You should report any suspected incidents or suspicious activity to your DSO on return to the UK, or to the in-country Post Security Officer in accordance with agreed procedures (such incidents should not be reported to locally engaged staff). This includes any unusual activity on any of your devices as well as on those of your family or colleagues.