As mobile devices continue to drive productivity and mission-focused efforts for government, the need to protect mobile data has never been greater.
Recent high-profile breaches, including the compromise of White House Chief of Staff John Kelly’s personal smartphone, have intensified the mobile security focus within state and federal agencies. It’s obvious that malicious actors are highly capable of penetrating the highest levels of government.
Using a targeted surveillanceware attack, hackers can easily control the microphone to listen to private conversations; turn on the camera to take pictures of the surrounding area; or steal the personal and work information flowing through the device. The recently exposed Dark Caracal mAPT actor and the much-reported Pegasus surveillanceware are two examples of such serious mobile spying threats.
Mobile devices are the ‘soft underbelly’
The dramatic rise of these sophisticated attacks — compounded with mobile security often being overlooked — points to mobile devices being the “soft underbelly” of the government’s cybersecurity defenses. And unfortunately, the John Kelly breach is not a standalone incident.
According to Lookout’s recent survey of 200 government IT and cybersecurity specialists, 60.5 percent of government agencies reported they had experienced a security incident involving a mobile device. Despite this alarming number of mobile security events, many agencies are still not equipped to handle these incidents.
Based on the analysis of this study, I believe that while security policies, coupled with Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions, are sound starting points, they are not enough to address today’s threat landscape and keep government data secure.
Outdated, faulty assumptions about mobile security
Many agencies are living with outdated assumptions about what’s “good enough” protection. This includes everything from employee compliance issues to a lack of full understanding about the risks facing today’s government agencies.
This is creating challenges that could threaten national security.
For example, the previously mentioned survey found that 96 percent of respondents said their agency had a mobile security strategy, and 94.5 percent are using some sort of management tool, either EMM or MDM.
While these solutions are important for managing mobile devices within an agency, they cannot detect, analyze and respond to an attack.
According to the same study, the top three mobile concerns are risky applications, employee behaviors with regards to compliance, and malicious apps. EMM solutions do not have the data or detection capabilities to keep up with new risky apps employees encounter, potentially harmful employee behaviors, and the constantly evolving threat landscape.
Further reinforcing the need to move past these false assumptions is the simple fact that mobile is a core part of government employees’ personal and professional lives.
Personal mobile devices are here to stay
As we have seen, employing EMM solutions and difficult to enforce mobile policies does not work on its own. The reality is that government employees continually use their personal mobile devices in the workplace, as seen with the John Kelly breach. A knee-jerk reaction of banning them simply does not solve the problem.
Personal devices are a key part of employees’ lives and any security strategy needs to work with — not against — this fundamental premise. Indeed, the rules prohibiting personal smartphone use at work have little to no impact on employee behavior, according to a separate study Lookout conducted in 2015.
In addition, requiring employees to leave work in order to tend to personal business could have a serious impact on the mission — a counterproductive solution when mobile devices are designed to help improve workplace productivity.
Embrace mobile with comprehensive security
With incidents like John Kelly’s hacked phone, and the growing mobile threat landscape, it’s evident that a mandate for mobile security is coming soon. In time, recommendations from the DHS Study on Mobile Security will likely become requirements, and best practices for securing the full spectrum of mobile risk may soon become compulsory. In the meantime, here are some viable solutions that don’t encroach on personal privacy and are unlikely to negatively impact employee productivity or morale:
Ensure that only government issued devices, with security software installed, are able to access government email to prevent employees from accessing their email — and thus sensitive government data — from potentially insecure personal devices.
Allow employees to bring their personal devices to work, but require privacy-conscious mobile security to be installed before allowing those devices access to the government Wi-Fi network. Make sure this is a separate guest network that cannot access government resources.
Continue existing precautions, such as requiring employees to leave smartphones outside of meeting rooms where sensitive or classified information is discussed.
Educate employees to understand the severity of mobile threats and how ignoring security warnings could put the mission and even national security at risk.
Bob Stevens heads up Lookout’s public sector team, the focus of which is to provide mobile threat visibility and protection to federal agencies, across military, civilian and intelligence sectors, as well as state and local governments.