In recent years, the public sector has fallen in line with the rest of society, taking a sharp turn toward mobility. In today’s connected environment, this trend is playing a significant role in shaping the U.S. government’s mission to better serve and protect our nation’s citizens.
Mobile devices provide users with an added level of productivity, which has allowed government employees to perform their assigned duties more efficiently. However, the flexibility provided by mobility has also dramatically expanded the landscape for cyber attacks.
At the federal level, we have seen an upsurge in overall awareness of mobile security threats. Recent incidents, like White House Chief of Staff General John Kelly’s personal smartphone compromise, are timely reminders of just how severe mobile risks are.
When it comes to securing mobile devices across private and public sectors, the challenge is not unlike other cybersecurity concerns; we are operating in an increasingly interdependent threat environment. Every unsecured access point that connects our devices and networks is more than likely to become vulnerable to compromise at some point.
Security will never be “100 percent”
Gartner has estimated that in less than two short years the number of connected devices will skyrocket to more than 20 billion. In other words, there will be roughly three devices for every human on the planet.
The widespread adoption of mobile devices and the onset of the Internet of Things have created one of the most pressing cybersecurity issues in the past decade: every connected device has an increased surface area for hackers to exploit. This growing attack surface, combined with the massive data collection and lack of security on most mobile devices, means that complete cybersecurity will always be something we chase.
It is essential for companies, vendors and agencies to avoid making absolute assertions about the security of their devices, applications and networks. Any one device may be “secured,” but because of the number of interdependencies and access points associated with it, it can still very easily become vulnerable.
This awareness is critical because individuals are already hesitant to follow best practices regarding their cyber hygiene – especially if those processes interfere with convenience. As long as security relies upon individuals following cyber policies, there will always be vulnerabilities – and we can’t give people a false sense of security by asserting absolute capabilities that are impossible to achieve.
As the public sector continues to embrace mobility, it will be crucial for agencies to educate their employees about the risks and security limitations associated with mobile devices to prevent rising threats.
Failure to address mobile security will have consequences
The public and private sectors are both moving toward an expanded work environment. In this new reality, defined by a broader ecosystem, agencies will confront obstacles in securing the mobile platform.
Simply put, if agencies are unable to trust a platform, then they are not ready to move their assets to it. Unfortunately, the world is moving faster than we could ever have imagined and the mobile platform is no longer defined solely by phones. Mobile devices are now the primary computing device for personal and professional use.
For example, protocols that prohibit the use of personal devices are only a temporary solution. Employees are more likely to circumvent “banning” policies and engage in behavior that is even less secure than if they were able to access their devices in the first place. A recent Lookout survey found that 60.5 percent of federal employees have experienced a security incident on a mobile device, despite claiming to have mobile security protocols in place.
Even when employees are in the office, they are often connecting to agency resources via someone else’s network. Therefore, an agency’s firewall, network intrusion detection, and web gateway are weak and often useless.
The convergence of the physical and cyber worlds means that the security perimeter is no longer in our control, but determined by an individual and his/her mobile device’s location. Therefore, the failure to properly secure mobile devices will result in data loss, increased national security threats, and privacy infringements.
The time is now to protect the public sector from growing mobile threats
We know that absolute security is something we will all continue to strive for, but in the meantime, it’s essential for the public sector to begin taking the necessary steps to secure the endpoint that has gained the most attention from dangerous adversaries: the mobile device.
Unlike attacks on traditional desktop systems, attacks on mobile devices are much harder to identify. For example, agencies can prevent phishing on desktop systems by deploying software on email servers to stop phishing messages. On a mobile device, however, it is almost impossible to catch phishing messages because they are sent through various apps.
And these types of mobile attacks are only increasing. Lookout recently found that mobile phishing URL click rates have increased 85 percent year over year since 2011.
While phishing is the most common way for attackers to compromise a device, there are numerous elusive mobile- and network-based threats that should concern both private and public sector entities. Unsecured mobile endpoints are susceptible to infected applications, man-in-the-middle attacks and more.
The public sector must continue to be diligent in mitigating mobile security risks across agencies. The federal government should leverage innovative mobile endpoint security solutions from the private sector. By turning to industry professionals who are focusing on the solutions to these broad-reaching threats, the government can achieve improved mobile security that will lead to more comprehensive cybersecurity for its agencies.
Kiersten Todt is President and Managing Partner of Liberty Group Ventures, LLC, and Lookout Federal Advisor. She also served as the Executive Director of the Presidential Commission on Enhancing National Cybersecurity.