We need to tighten the rules regarding public work phones

The recent TikTok debate shows that the Danish government must set clear and uniform rules for the use of work phones in the public sector.

Public authorities should have a far more critical and consistent approach to which apps employees may have on their work phones. But that requires a clear position on the part of the Danish government, including rules for the use of TikTok and other invasive apps that harvest users' data on a large scale and can be used for hostile purposes.

That's what Jørn Guldberg, an expert in IT security for IDA, says. He sees the latest security assessments from the Centre for Cyber Security (CFCS) as a clear warning that public workplaces should generally tighten the rules on what employees can use their work phones for.

"It's a signal to all the public authorities to tighten up. But I’m missing a clear political standpoint. It creates uncertainty when, for now, only the Prime Minister's Ministry, the Ministry of Defense and the Folketing and a number of municipalities issue actual bans on certain apps, while other ministries only advise against them. That uncertainty should be cleared out of the way, and that requires political action", says Jørn Guldberg.

Recommends ban

He states that, from a pure IT security perspective, public authorities should completely prohibit employees from using work phones for anything other than purely work-related purposes.

"A work phone is a practical tool for both employees and employers, but it was never intended that the phone should simultaneously function as a private toy that could potentially deliver confidential information to foreign powers or companies", says Jørn Guldberg.

"If a public authority wants to use social media such as TikTok and Facebook, it should be done from special devices that are completely disconnected from the workplace network. This will significantly reduce the risk of espionage and data leaks. We have to get used to the fact that it all becomes a little more difficult if we want to increase IT security", he says.

In the CFCS handbook on security for mobile devices, which DR has gained insight into, only a few selected apps such as TikTok, Dropbox, Snapchat and Strava are not allowed to be used by high-ranking officials and advisers in the ministries. But CFCS has really only scratched the surface, and the problem is far more extensive, emphasizes Jørn Guldberg.

"If CFCS had scrutinized every single one of the thousands of apps that are available on the market, it would probably be well over half that do not pass the security test, because they give access to quite massive data collection from users", says Jørn Guldberg.