Telework has become a mainstay, and with it, so has employee reliance on personal mobile devices. These devices are difficult to monitor and keep up to date, presenting a unique security challenge for U.S. local, state, and federal government organizations.
On the one hand, bring-your-own-device (BYOD) strategies provide government workers increased flexibility and productivity. This is likely one of the reasons the use of unmanaged devices increased an average of 55% across federal, state, and local governments between 2020 and 2021, according to Lookout data. But that same data found that almost 50% of phishing attacks aimed at government personnel in 2021 sought to steal credentials. The combination of unmanaged devices and phishing attacks means that government agencies and departments are vulnerable as they continue to allow telework and the use of BYOD.
Lookout recently released our 2022 U.S. Government Threat Report, which includes data collected throughout 2021 and the first half of 2022, and I’ve picked out the main takeaways about the top threats currently facing U.S. government organizations.
Personal devices are an appealing target
According to our latest data, around 13% of devices used at the federal level are unmanaged, and a whopping 38% of devices at the state and local level are unmanaged.
These unmanaged personal devices, which include tablets, smartphones, and Chromebooks, are particularly appealing targets for bad actors because security teams don’t have direct visibility into what’s happening on them, turning them into a new frontier for shadow IT. Many security teams may not even know which devices are connecting to their corporate network, and any app that is loaded onto an unmanaged device is another piece of shadow IT that they can’t manage.
Unmanaged devices are also more frequently exposed to phishing attacks than managed devices. To mitigate the risks that come alongside these endpoints, governments need to implement a security strategy that can detect potential threats without inspecting the actual contents of the device to respect employee privacy.
Credential harvesting is on the rise
Phishing continues to be a pervasive threat, but one trend we identified is that the end goal of phishing scams has shifted. Malware delivery used to be the main event, but when it comes to targeting federal, state, and local governments, nearly half of all phishing attacks sought to steal credentials in 2021.
Credential theft happens when attackers trick people into giving up their login information. That information can then be used by attackers to move laterally around the organization’s infrastructure to find additional vulnerabilities, compromise sensitive information, launch ransomware attacks, and even take over SaaS accounts.
Some phishing attacks now want to accomplish both malware delivery and credential harvesting in one go, which was the case for the Alien banking trojan that was identified in 2021.
Ongoing phishing and cybersecurity education is one tactic government entities can take to help employees spot social engineering, but it’s not enough. They also need endpoint detection and response that proactively hunts for phishing threats and can respond accordingly.
Out-of-date OSs create opportunities for attackers
Our data found that nearly 50% of government Android users are using old versions of Android operating systems. The older an operating system is, the more vulnerabilities it is exposed to.
Because government entities often delay OS updates to test their proprietary apps, they create a window for attackers to exploit those vulnerabilities. Some of the potential effects include remote code execution, UI spoofing, and user activity tracking. So any delay in OS updates puts governments at a greater risk of cyberattack.
Security teams need to develop mobile vulnerability and patch management strategies so they know where their weak points are and when devices need to be updated.
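One way to put such a mobile patch management strategy into practice is to check a device inventory against an update policy, so the team can see which devices are behind and how large the outdated share is. The following is an added example, not Lookout's code or data: the inventory, the policy thresholds (minimum Android major version, maximum age of the security patch level) and the assessment date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Policy:
    min_android_major: int = 11      # oldest Android major release still accepted (hypothetical)
    max_patch_age_days: int = 90     # oldest Android security patch level accepted (hypothetical)

# Constructed sample inventory for illustration; not data from the report.
INVENTORY = [
    {"id": "dev-01", "os": "android", "version": "13", "patch_level": "2022-10-05", "managed": True},
    {"id": "dev-02", "os": "android", "version": "9", "patch_level": "2021-06-05", "managed": False},
    {"id": "dev-03", "os": "android", "version": "12", "patch_level": "2022-04-05", "managed": False},
    {"id": "dev-04", "os": "ios", "version": "16.0.3", "patch_level": None, "managed": True},
    {"id": "dev-05", "os": "android", "version": "11", "patch_level": "2022-09-05", "managed": False},
]
REPORT_DATE = date(2022, 10, 31)  # constructed assessment date

def android_findings(dev, policy, today):
    """Return the policy violations for one Android device (empty list if compliant)."""
    findings = []
    major = int(dev["version"].split(".")[0])
    if major < policy.min_android_major:
        findings.append(f"Android {dev['version']} is below minimum {policy.min_android_major}")
    age = (today - date.fromisoformat(dev["patch_level"])).days
    if age > policy.max_patch_age_days:
        findings.append(f"security patch level {dev['patch_level']} is {age} days old")
    return findings

def assess(inventory, policy, today):
    """Flag non-compliant Android devices and report the outdated share of the fleet."""
    android = [d for d in inventory if d["os"] == "android"]
    flagged = {d["id"]: android_findings(d, policy, today) for d in android}
    flagged = {dev_id: f for dev_id, f in flagged.items() if f}
    share = round(100 * len(flagged) / len(android), 1) if android else 0.0
    # Outdated devices that are also unmanaged cannot be patched by the team directly.
    unmanaged = sum(1 for d in android if d["id"] in flagged and not d["managed"])
    return {"android_total": len(android), "outdated": flagged,
            "outdated_pct": share, "outdated_unmanaged": unmanaged}

if __name__ == "__main__":
    result = assess(INVENTORY, Policy(), REPORT_DATE)
    print(f"{result['outdated_pct']}% of {result['android_total']} Android devices are out of date")
    for dev_id, findings in result["outdated"].items():
        print(dev_id, "->", "; ".join(findings))
```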
Effective security that respects personal privacy
The use of personal mobile devices for work is not going away, so government entities need to develop a strategy that allows them to embrace unmanaged devices while staying secure and respecting the privacy of their employees.
One thing organizations can do is ask employees to only use personal devices from an approved list. But to truly mitigate phishing, credential harvesting, and OS vulnerabilities, you need a dedicated mobile security solution that takes a zero-trust approach. As President Biden and the Office of Management and Budget (OMB) provide guidance on zero trust, all government organizations need to ensure that they take into account all mobile endpoint risks as part of their zero-trust architecture.
Lookout Mobile Endpoint Security uses zero-trust principles to protect smartphones, tablets, and Chromebooks by detecting threats in apps, OSs, and network connections, and it protects against phishing attacks, all while maintaining user privacy on personal devices.
Lookout is collaborating with the National Institute of Standards and Technology to help develop zero-trust architecture adoption guidelines, and has authorization from FedRAMP JAB, StateRAMP, and TX-RAMP, meaning we’re ready to be deployed in state and federal government settings.
To learn more about the cyber threats that are facing federal, state, and local governments, read the full 2022 U.S. Government Threat Report.
2022 U.S. Government Threat Report
This report examines how iOS, Android and ChromeOS devices used by government employees are being targeted in increasingly sophisticated ways.