The single biggest misconception in government security today: federal agencies aren’t being attacked on mobile
Government agencies are being actively attacked on mobile, according to a new Lookout survey of 200 security and IT professionals. Today, 60.5% of government agencies have experienced a security incident on a mobile device*.
While many government agencies appear to believe that mobile attacks are a thing of the future, federal employees are increasingly using their mobile devices for work, introducing new risk into the workplace as we speak. In light of this new digital transformation, the main problem government agencies face is a misalignment between the security policies they set, and what they say their employees are actually doing.
Agencies proactively set mobile policies, but employees don't always follow them
As part of the survey, Lookout asked government IT and security leaders - specifically those involved with setting or implementing mobile policies - what policies they have enacted and what they believe their employees are actually doing. The results showed that while government agencies are actively thinking about how to protect mobile devices by setting up policies, they do not have a way to enforce them. They also often report that employees engage in behaviors contrary to their agency's policies.
Why is this a problem today?
The Federal government, like any organization, faces the Spectrum of Mobile Risk. Employees are enjoying the benefits of mobile work, including new productivity and flexibility, but it also opens agencies up to new vectors through which attackers could gain access to government systems.
The Spectrum of Mobile Risk outlines these vectors including:
- App Risks: Malware, data leakage, and vulnerabilities
- Device risks: Pegasus spyware, jailbroken/rooted mobile devices
- Network risks: Man-in-the-middle attacks
- Web & Content risks: Phishing and malicious URLs via email, SMS, and messaging apps
Check out the Mobile Risk Matrix to get a visual look into Spectrum of Mobile Risk.
What protection really looks like
Mobile policies, and management solutions like EMM/MDM, are not enough to protect mobile devices. Employees will not always follow the rules, leaving open significant holes.
Government agencies need a mobile threat defense solution that will ensure that government data is remains secure even when employees fail to follow policies or mistakenly encounter a malicious website, app, or network.
Capabilities should include:
- Detection and remediation of app, network, and web & content threats
- Detection and remediation of app, network, device, and web & content risks
- Ability to set custom policies based on an agency's specific risk tolerance
Ease of integration with EMM/MDM
With incidents such as John Kelly's mobile compromise, and the subsequent ban, it's clear that the government is thinking about how to handle mobile. A mandate is coming. Good preparation will both protect agencies from the mobile attacks that are actively happening to peer agencies and prevent the inevitable scramble when the mandate arrives.
*Methodology: The survey was conducted on the behalf of Lookout by Market Cube between October 20, 2017 and November 8,2017 among 200 United States federal IT and security employees.