What Are the Mobile Security Threats Feds Face?
Verizon recently released its “Mobile Security Index 2020” report, including an entire chapter on the public sector. The report is based on independent survey of 876 professionals — over 20 percent of whom were from public sector organizations —responsible for buying, managing and securing mobile and Internet of Things devices for their organizations.
Overall, 39 percent of public sector organizations had suffered a compromise involving a mobile device, up from 33 percent in 2019. A mobile compromise involves the installation or infection of malware on a particular device. That can include the installation of malware via phishing to gain access to credentials or corporate resources. It can also include data exfiltration or ransomware attacks that encrypt an organization’s servers or data.
Agencies are at risk of “man in the middle” attacks if users are logged on to unsecured public Wi-Fi hotspots, according to Loveland, as well as phishing attacks. Users tend to click on links in emails at much higher rates on mobile devices than they do on desktop PCs, either because they are commuting or because they are going through emails more quickly, Loveland notes.
The good news is that malware that does infect a mobile device is less likely to negatively affect an enterprise network than a PC, since mobile devices are not always connected to those networks. However, attackers can use credentials they get via mobile attacks to gain access to sensitive systems and data. Such attacks can succeed via text message-based attacks as well as mobile applications infected with malware, Loveland notes.
How Agencies Can Enhance Mobile Cybersecurity
According to the Verizon report, less than half (46 percent) of respondents said they change all default or vendor-supplied passwords. Only 51 percent said they encrypt sensitive data when it’s sent across public networks. Verizon notes that those are two of the most fundamental security measures, along with regular security testing and restricting access to data on a need-to-know basis.
Yet just 11 percent of public sector respondents had all four of these basic precautions in place, according to the report. Why? Many organizations have unfortunately chosen to sacrifice security for expediency (54 percent) and convenience (50 percent). “This suggests that as well as budget constraints, decision makers are concerned about the impact security measures can have on productivity and efficiency,” the report says.
“Badly designed or implemented security policies can be bad for the employee experience and organizational performance,” according to the report. “Something as simple as a password policy could impede employees’ productivity, increase support costs (due to more resets) and potentially increase risk (by driving employees to circumvent the rules).”
IT leaders may also think infected mobile devices will not have a large negative effect on the enterprise networks. “The fallacy in that thinking is that any device that is accessing your corporate network poses a risk,” Loveland says.
One way agencies can beef up security is to shift to corporate-owned devices and away from BYOD models. While BYOD may make sense in some cases, the risks often outweigh the benefits.
Additionally, agencies need to use mobile device management services to restrict access to certain files or networks, encrypt data on devices and add additional layers of authentication. MDM solutions from companies such as Lookout, MobileIron and many others offer threat detection capabilities, but agencies need to ensure a holistic approach of ensuring people, process and policies are incorporated into identifying MDM solutions.
Agency IT leaders should look to procure MDM solutions that focus on threat prevention, detection and response and then automate actions between those functions. No agency can every secure every single endpoint all the time, but there are a lot of tools IT leaders can use to make sure they are as secure as they can be.