How to Ensure Mobile Security as Smartphone and Tablet Deployments Increase
By Sam Lakhia
Mobile cybersecurity threats are real, and mobile device management tools can help agencies defend against them. Federal agencies have deployed mobile devices, including smartphones and tablets, at an astonishing clip over the past few years. The resulting surge in mobile usage, technologies and productivity gives the modern workforce the ability and flexibility to complete their work and enhance their agencies’ missions.
For example, the Defense Department grew its base of 30,000 mobile users to 120,000 between 2015 and 2018. NASA had more than 70,000 mobile users as of 2018, and the Department of Homeland Security currently has more than 90,000 devices in use. As those figures have grown, so have mobile security concerns. Mobile devices increase the attack surface for agencies and become threat vectors for everything from phishing attacks to ransomware and data exfiltration. Devices can also be used by employees to mount insider attacks.
To guard against such attacks, agency IT security leaders need to focus on their mobile strategy, policy and compliance, cybersecurity training, mobile data and application management, secure supply chain, testing of their mobile environment, encrypting data when it is in transit, and restricting access to data. “There’s a lack of appreciation of the risk of mobile devices,” says John Loveland, global head of cybersecurity strategy and marketing at Verizon. “The focus from an InfoSec perspective has been around protecting the network,” he notes. “But as the network edge starts to blur or disappear, you need to be thinking about your assets and the devices that connect in. You need education and awareness.”
What Are the Mobile Security Threats Feds Face?
Verizon recently released its “Mobile Security Index 2020” report, including an entire chapter on the public sector. The report is based on an independent survey of 876 professionals — over 20 percent of whom were from public sector organizations — responsible for buying, managing and securing mobile and Internet of Things devices for their organizations. Overall, 39 percent of public sector organizations had suffered a compromise involving a mobile device, up from 33 percent in 2019. A mobile compromise involves the installation or infection of malware on a particular device. That can include the installation of malware via phishing to gain access to credentials or corporate resources. It can also include data exfiltration or ransomware attacks that encrypt an organization’s servers or data.
Agencies are at risk of “man in the middle” attacks if users are logged on to unsecured public Wi-Fi hotspots, according to Loveland, as well as phishing attacks. Users tend to click on links in emails at much higher rates on mobile devices than they do on desktop PCs, either because they are commuting or because they are going through emails more quickly, Loveland notes. The good news is that malware that does infect a mobile device is less likely to negatively affect an enterprise network than malware on a PC, since mobile devices are not always connected to those networks. However, attackers can use credentials they get via mobile attacks to gain access to sensitive systems and data. Such attacks can succeed via text messages as well as mobile applications infected with malware, Loveland notes.
How Agencies Can Enhance Mobile Cybersecurity
According to the Verizon report, less than half (46 percent) of respondents said they change all default or vendor-supplied passwords. Only 51 percent said they encrypt sensitive data when it’s sent across public networks. Verizon notes that those are two of the most fundamental security measures, along with regular security testing and restricting access to data on a need-to-know basis. Yet just 11 percent of public sector respondents had all four of these basic precautions in place, according to the report. Why? Many organizations have unfortunately chosen to sacrifice security for expediency (54 percent) and convenience (50 percent). “This suggests that as well as budget constraints, decision makers are concerned about the impact security measures can have on productivity and efficiency,” the report says.
“Badly designed or implemented security policies can be bad for the employee experience and organizational performance,” according to the report. “Something as simple as a password policy could impede employees’ productivity, increase support costs (due to more resets) and potentially increase risk (by driving employees to circumvent the rules).” IT leaders may also think infected mobile devices will not have a large negative effect on the enterprise networks. “The fallacy in that thinking is that any device that is accessing your corporate network poses a risk,” Loveland says.
One way agencies can beef up security is to shift to corporate-owned devices and away from BYOD models. While BYOD may make sense in some cases, the risks often outweigh the benefits. Additionally, agencies need to use mobile device management services to restrict access to certain files or networks, encrypt data on devices and add layers of authentication. MDM solutions from companies such as Lookout, MobileIron and many others offer threat detection capabilities, but agencies need to take a holistic approach, ensuring that people, process and policies are incorporated into identifying MDM solutions.
Agency IT leaders should look to procure MDM solutions that focus on threat prevention, detection and response and then automate actions between those functions. No agency can ever secure every single endpoint all the time, but there are a lot of tools IT leaders can use to make sure they are as secure as they can be.