Mar 24 2020

The Top Mobile Security Threats for Government in 2020

Insider threats and IoT vulnerabilities present key risks for agencies.

With vast numbers of federal workers working remotely due to the coronavirus pandemic, mobile security has become even more important than it was before. 

Mobile security has become a prominent part of agencies’ cybersecurity programs, but there are still gaps in security. What are they, and how can agency IT leadership help close them? 

Verizon recently released its “Mobile Security Index 2020” report, including an entire chapter on the public sector. The report is based on an independent survey of 876 professionals — over 20 percent of whom were from public sector organizations —responsible for buying, managing and securing mobile and Internet of Things devices for their organizations. 

The report revealed that insider threats, unapproved applications and vulnerabilities in Internet of Things devices are among the chief concerns. The report notes that remediation for these threats varies but includes education and enforcing policies, as well as data encryption and enhanced authentication. 

Key Mobile Security Issues for Feds

One of the biggest issues facing government agencies when it comes to mobile security is insider threats, or threats coming from users themselves. 

According to the Verizon Mobile Security Index, 71 percent of public sector organizations think their employees are their greatest risk when it comes to mobile devices. Further, 46 percent of compromises were attributed to employee mistakes or errors. 

“Employee actions, even if inadvertent, can expose organizations to greater risks,” says Eric Soper, co-author of the 2020 Verizon Mobile Security Index. “Risks range from installing unapproved apps to connecting to nonsecure public Wi-Fi hotspots. Nearly two-thirds — 64 percent — of public sector respondents said they personally used public Wi-Fi for work tasks, even though doing so was explicitly prohibited by organizational policy for 39 percent of them.”

The remediation tactics agencies need to employ include both cyberhygiene education and improved security policies. For example, 54 percent said a better understanding of threats would most improve their posture. 

46%

The percentage of mobile security compromises attributed to employee mistakes or errors

Source: Verizon's “Mobile Security Index 2020” report

Additionally, implementing and enforcing acceptable-use policies targeted at mobile can help improve security. Fully 45 percent of public sector organizations interviewed do not have an acceptable-use policy, and many that do lack breadth and depth. For example, 59 percent do not discuss how to treat unapproved networks such as public Wi-Fi.

Despite the fact that mobile devices increase the threat surface for agencies, many public sector organizations are failing to take basic precautions. Less than half (46 percent) said they change all default or vendor-supplied passwords and only 51 percent said they encrypt sensitive data when it’s sent across public networks. 

Those are two of the most fundamental mobile security measures, along with regular security testing and restricting access to data on a need-to-know basis. However, according to the Verizon report, only 11 percent had all four of these basic precautions in place.

Why is there a disconnect between the concern about cybersecurity and the precautions, or lack thereof, agencies are taking? “From the study, we learned that 36 percent of public sector respondents said they consciously sacrificed mobile security,” Soper says. “The top reasons respondents gave for sacrificing security were expediency (54 percent) and convenience (50 percent). This suggests that decision-makers are concerned about the impact security measures can have on productivity and efficiency, along with budget constraints.”

READ MORE: Find out how agencies can boost endpoint security via commercial solutions.

How to Guard Against IoT Security Threats

The Internet of Things also represents another huge threat vector for agencies. Public sector respondents said they’re using IoT to monitor equipment and efficiency (60 percent); the physical security of buildings (47 percent); and the movement of people, vehicles and assets (40 percent). 

Despite the usefulness of IoT, 83 percent of them said their organization is at risk from attacks targeting IoT devices, rating the threat moderate to significant. Additionally, 23 percent said they had already suffered a compromise involving an IoT device.

Agency IT leaders need to review IoT security before they procure IoT devices, the Verizon report recommends. “Whether you are buying off-the-shelf solutions or components to build your own IoT devices, ask potential vendors to supply details of the security measures they take and review them for robustness,” the report says. “Pay particular attention to their authentication, encryption and patching policies.” 

The report notes that 76 percent of respondents said they had IoT devices in remote or difficult-to-access locations. Agencies need to use over-the-air updates to help keep these devices secure.

IT leaders need to harden all devices before attaching them to their network. First, they should make sure that the device itself is tamper-resistant and tamper-evident. Then, they should make sure they change all default or vendor-supplied passwords. Also, security can be enhanced by shutting down anything that is not needed — if users are not using a port or protocol, block it.

IoT data needs to be encrypted in transit and at rest. Fully 83 percent of respondents said that they are collecting personally identifiable information, and 25 percent of those weren’t encrypting it. “Encrypting data can make it useless to hackers and help you mitigate the risk of a reputation-destroying data breach,” the report says. 

Agencies should also invest in an IoT platform that allows IT leaders to monitor and manage all of their connected devices easily. This can help them reduce vulnerabilities by implementing digital certificates and other security features, according to Verizon.

Sitthiphong/Getty Images