Additionally, implementing and enforcing acceptable-use policies targeted at mobile can help improve security. Fully 45 percent of public sector organizations interviewed do not have an acceptable-use policy, and many that do lack breadth and depth. For example, 59 percent do not discuss how to treat unapproved networks such as public Wi-Fi.
Although mobile devices increase the threat surface for agencies, many public sector organizations are failing to take basic precautions. Fewer than half (46 percent) said they change all default or vendor-supplied passwords, and only 51 percent said they encrypt sensitive data when it’s sent across public networks.
Those are two of the most fundamental mobile security measures, along with regular security testing and restricting access to data on a need-to-know basis. However, according to the Verizon report, only 11 percent had all four of these basic precautions in place.
Why is there a disconnect between the concern about cybersecurity and the precautions, or lack thereof, agencies are taking? “From the study, we learned that 36 percent of public sector respondents said they consciously sacrificed mobile security,” Soper says. “The top reasons respondents gave for sacrificing security were expediency (54 percent) and convenience (50 percent). This suggests that decision-makers are concerned about the impact security measures can have on productivity and efficiency, along with budget constraints.”
How to Guard Against IoT Security Threats
The Internet of Things represents another huge threat vector for agencies. Public sector respondents said they’re using IoT to monitor equipment and efficiency (60 percent); the physical security of buildings (47 percent); and the movement of people, vehicles and assets (40 percent).
Despite the usefulness of IoT, 83 percent of respondents said their organization is at risk from attacks targeting IoT devices, rating the threat moderate to significant. Additionally, 23 percent said they had already suffered a compromise involving an IoT device.
Agency IT leaders need to review IoT security before they procure IoT devices, the Verizon report recommends. “Whether you are buying off-the-shelf solutions or components to build your own IoT devices, ask potential vendors to supply details of the security measures they take and review them for robustness,” the report says. “Pay particular attention to their authentication, encryption and patching policies.”
The report notes that 76 percent of respondents said they had IoT devices in remote or difficult-to-access locations. Agencies need to use over-the-air updates to help keep these devices secure.
IT leaders need to harden all devices before attaching them to their network. First, they should make sure that the device itself is tamper-resistant and tamper-evident. Then, they should make sure they change all default or vendor-supplied passwords. Also, security can be enhanced by shutting down anything that is not needed — if users are not using a port or protocol, block it.
IoT data needs to be encrypted in transit and at rest. Fully 83 percent of respondents said that they are collecting personally identifiable information, and 25 percent of those weren’t encrypting it. “Encrypting data can make it useless to hackers and help you mitigate the risk of a reputation-destroying data breach,” the report says.
Agencies should also invest in an IoT platform that allows IT leaders to monitor and manage all of their connected devices easily. This can help them reduce vulnerabilities by implementing digital certificates and other security features, according to Verizon.
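The hardening steps above (default passwords, unused ports, tamper evidence, over-the-air updates for remote devices, encryption in transit and at rest) can be applied as a check that runs before a device is attached to the network. The following is an added example, not taken from the Verizon report; the field names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    name: str
    default_password_changed: bool
    open_ports: frozenset      # ports observed listening on the device
    required_ports: frozenset  # ports the deployment actually uses
    tamper_evident: bool
    remote_site: bool          # installed in a difficult-to-access location
    ota_updates: bool          # can be patched over the air
    handles_pii: bool
    encrypts_in_transit: bool
    encrypts_at_rest: bool

def findings(d: Device) -> list:
    """Return the hardening gaps that should block network attachment."""
    out = []
    if not d.default_password_changed:
        out.append("default or vendor-supplied password still set")
    unused = sorted(d.open_ports - d.required_ports)
    if unused:
        out.append("unused ports open: " + ", ".join(map(str, unused)))
    if not d.tamper_evident:
        out.append("device is not tamper-evident")
    if d.remote_site and not d.ota_updates:
        out.append("remote device cannot take over-the-air updates")
    pii = " (collects PII)" if d.handles_pii else ""
    if not d.encrypts_in_transit:
        out.append("data not encrypted in transit" + pii)
    if not d.encrypts_at_rest:
        out.append("data not encrypted at rest" + pii)
    return out

def gate(inventory):
    # Map each device to its gaps; an empty list means cleared to attach.
    return {d.name: findings(d) for d in inventory}

# Constructed sample inventory (hypothetical devices, not from the report).
INVENTORY = [
    Device("hvac-sensor-01", True, frozenset({8883}), frozenset({8883}),
           True, True, True, False, True, True),
    Device("gate-camera-07", False, frozenset({23, 80, 443}), frozenset({443}),
           True, True, False, True, True, False),
]

if __name__ == "__main__":
    for name, gaps in gate(INVENTORY).items():
        print(name, "->", "; ".join(gaps) if gaps else "cleared")
```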