A Government Business Council report from September of this year found 63% of federal employees are fully remote, with many expecting to remain that way for at least the next six months. In this new reality, mobile devices have become a critical lifeline. But the mobile phones and tablets that keep us efficient and effective also open our organizations up to new risks against which existing security does not defend.
I’m encouraged by how proactive the U.S. government has been to provide resources on mobile security for agency leaders, IT teams and federal workers. Earlier this year, the Federal Mobility Group compiled a remote best practices resource for secure telework, and just this month CISA released a Telework Essentials Toolkit with guidance for secure remote work designed for executive leaders, IT professionals and teleworkers.
While these resources contain important considerations for mobile devices and are an excellent starting point, they don’t fully explore the risks mobile endpoints introduce. Without a comprehensive look at mobile endpoint security, the devices we rely on to stay connected are still a major threat. To fully secure a telework environment, agencies need to tackle two objectives – mobile threat awareness and a comprehensive mobile endpoint security strategy.
Awareness is key
Mobile phishing is a very real threat to government devices, especially as more of us work away from the office. Lookout found that the rate in which federal government employees encountered mobile phishing more than doubled between the last quarter of 2019 and the first quarter of 2020. While most of us can identify standard phishing attacks on a desktop or laptop, this task becomes much more difficult when the devices’ screens shrink in size and phishing links can be delivered via any app – not just email.
Cybercriminals see opportunities to deliver malicious links everywhere besides email – SMS texts, social media platforms and messaging apps for example. While the attacks may be harder to spot, the devices provide the same access to agency data. Users should be trained to recognize mobile phishing’s many forms and regularly be reminded how difficult it is to figure out whether the displayed names and URLs are actually what they claim to be.
Make user education the base of an agency’s mobile security strategy to limit the likelihood of federal employees inadvertently compromising sensitive agency information due to a mobile misstep.
Be strategic about mobile security
Regardless of the level of user education, some of us will still fall prey to cybercriminals’ creative phishing tactics and other malicious approaches. In order to protect devices against inadvertent human error, agencies should have a comprehensive mobile security strategy that can detect and defend against all mobile threats from malicious apps, phishing and smishing (SMS phishing), and even network risks.
One way to do this is a zero-trust model. Many agencies are adopting a framework that requires device validation, ensuring they’re updated and threat-free before they’re given access to data and networks. In addition, the risk level of these mobile endpoints is continuously assessed to enable a change in access privileges when risk increases above an acceptable level.
To guarantee the effectiveness of a zero-trust approach, it’s essential that agencies include mobile devices. A zero-trust solution should certify devices are free from vulnerabilities on operating systems, applications or the network. By only allowing devices access when they are free from compromise, agencies can be confident only healthy devices are connected.
While federal workers will likely return to the office at some point, the past few months have paved the way for a more robust mobile future. User education, awareness and a comprehensive mobile endpoint security strategy that supports Zero Trust approach should be standard practice for all agencies, whether their workers are in the office or sharing a makeshift desk at home.
To learn more about Lookout’s work with the government, visit lookout.com/government
Book a personalized, no-pressure demo today to learn:
- How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
- Real-world examples of phishing and app threats that have compromised organizations
- How an integrated endpoint-to-cloud security platform can detect threats and protect your organization