The Department of Homeland Security recently released a reported entitled, "Study on Mobile Device Security" signaling a significant shift: the federal government is prioritizing mobile security.
Government agencies are not immune to the potential for data compromise via mobile devices. This becomes an especially acute pain point when government employees bring their own devices (BYOD) into agencies that ban them.
Bob Stevens, VP of Federal, explains the shift in thinking in the following Q&A:
Do you believe the federal government understands the potential impact of data compromise on mobile?
Federal organizations are wisening up, but work here isn't done. On one hand, we see from the DHS report that the government has a growing awareness of data compromise through mobile devices. On the other hand, agencies are still operating insufficient security strategies if they do not consider the full Spectrum of Mobile Risk. This is the concept that data can be compromised on mobile devices through a number of different risks, some of which may be unexpected. For example, only 43% of iOS users had updated to latest version, 10.3.1, as of April 2017 . This should be a top concern for government security leaders given that 10.3.1 patched a code execution flaw that could be exploited via Wi-Fi. Understanding the full Spectrum of Mobile Risk is critical to a successful security program.
What have federal agencies been doing to mitigate mobile risks so far?
In a way, the government has actually been ahead of the curve in terms of the Spectrum of Mobile Risk. Many private sector enterprises are focused on protecting themselves from malicious attacks, but the government agencies I've spoken to are committed to understanding mobile OS and app vulnerabilities. That said, protection can't stop at plugging holes. The Mobile Risk Matrix is a key tool agencies can use to evaluate their own mobile risk. The Matrix represents the components and vectors that make up the Spectrum of Mobile Risk and can help security leaders identify their mobile blindspots.
What new trends are developing around mobile security in the federal government?
We're seeing mobile security as a line item in agency budgeting cycles. This is because in the last two years government agencies have realized that they have been given some misinformation. The technologies they currently use are not security technologies. Mobile device management and enterprise mobility management solutions don't provide security analytics on the device, which agencies now understand they need. A comprehensive solution includes security technology that can protect an organization from malicious attacks on mobile devices as well as the risky behaviors and configurations that can expose data. It will also require a close-knit relationship with management solutions, as well as app reputation technologies.
Agencies I have spoken with also are starting to realize that mobile devices themselves are not secure devices. Mobile devices are just like any other endpoint that needs security. In fact, they are becoming more deeply integrated into the fabric of our nation's critical infrastructure. This is a position the DHS supports.
"What do first responders use to communicate when they are sent out to care for our citizens? Mobile devices. TSA agents use mobile devices to communicate while they ensure the safety of our skies. Customs agents use them in the process of securing our borders. All of these functions are part of U.S. critical infrastructure and involve mobile devices as part of an employee’s day-to-day."
Bob Stevens, VP of Federal
Why would an organization like the DHS see mobile devices as critical infrastructure?
Consider who they're looking after: our emergency services, our law enforcement, government employees. What do first responders use to communicate when they are sent out to care for our citizens? Mobile devices. TSA agents use mobile devices to communicate while they ensure the safety of our skies. Customs agents use them in the process of securing our borders. All of these functions are part of U.S. critical infrastructure and involve mobile devices as part of an employee's day-to-day.
How will federal agencies be committing budget towards mobile security for the next 12 months?
We're going to see real budget put behind true mobile security technologies, such as mobile endpoint security. When I talk to security leaders in the DoD for example, it's clear that there needs to be something done today. I've referenced the research we have that states, "40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior." Their reaction is generally, "Oh, it's only 40 percent?" It's clear that employees are demanding to use mobile in their everyday working lives, helping them to get their jobs done faster. The government is going to want to act quickly to protect these devices and capitalize on that productivity potential.
Interested in learning more? Check out our government solutions page.