Cyber war is a term the U.S. government is intimately familiar with, but woefully unprepared for when it comes to mobile.
Government employee mobile devices are a relatively new attack surface, and a particularly valuable one for espionage missions and other criminal intent. Mobile devices access confidential, classified, and other protected data classes. At this point, that’s just a fact. Both CSIS and the Presidential Cyber Commission acknowledge that mobile is no longer a fringe technology, but a central instrument that allows employees to get their jobs done.
Protecting data on mobile is non-negotiable and the responsibility of federal technology and security leaders across the entire government.
There are five principles any federal agency or organization must use to build a mobile security strategy. Forgoing such a strategy directly puts sensitive government data at risk.
Defense in depth is a necessary standard in protecting mobile
Agencies should look for mobile security solutions that defend data beyond the surface. Wrapping a mobile device in a management solution may let an IT manager set blacklists or whitelists, but it is not a solution that provides actionable data regarding apps on the device, network threats, exploits of known vulnerabilities, or employee actions that may cause data leakage. A security solution should be holistic.
Don’t fool yourself into thinking mobile security is a “one-and-done”
“Checkbox mentality,” or the belief that deploying a solution relieves a technology or security leader of the burden of protecting data, is a pitfall that should be avoided. Instead, leaders need to take inventory of their technology status by asking themselves the following questions:
- What kind of data are we handling?
- What types of data would be crippling to my organization if they were leaked?
- How many devices access data? What types of devices?
- Which employees need to access what kinds of data?
- What kinds of threats to this data exist out there?
- Who in my organization could be targeted?
Then, the technology or security department can properly vet the appropriate solutions and choose one to engage.
Treat “hygiene” as a four-letter word
The term “hygiene” needs to be deleted from the security dictionary. It’s not about cleaning up issues every once in a while; it’s about having an always-on strategy and technology solution that provides continuous and automated operations, maintenance, and security.
“Hygiene” makes you think about brushing your teeth three times a day to stay safe from cavities. You don’t set your alarm three times at night to alert you to burglars. Instead, you rely on the alarm to stay on, working in the background.
Security technology should not hinge on the lowest bidder
Agencies must treat IT infrastructure, which includes mobile devices, as a critical component of the agency, seeking out the best technology to support security aims. In cases like these, settling for the lowest bidder is not the best strategy.
Keep it simple
Make your strategy short, concise, and achievable.
Agencies have specific needs, but these principles transcend even those nuances
Today, the U.S. government is divided into three very different communities that have very different aims:
- Civilian agencies that have citizen-facing functions, such as the IRS, Department of Education, and the Department of Commerce.
- Homeland defense agencies that focus on the protection of our country at home, including law enforcement, DHS, FBI, and the Secret Service.
- National security organizations that protect us from adversaries abroad, such as the Department of Defense and the intelligence community.
Each of these agencies and organizations requires different standards when it comes to securing data, but they all have two things in common: they must regulate who can access what and they must protect sensitive data from unauthorized consumption.
According to the Presidential Commission on Enhancing National Cybersecurity, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”
While each agency might have specific security needs, it’s critical that all prioritize mobile security and act to protect data now.
You’re up against more than you think
We’ve known for years that cyber war is real, but the risk extends to mobile devices as well.
Threats like Pegasus, one of the largest threat discoveries in mobile security to date, are highly sophisticated and targeted. Pegasus specifically was capable of accessing messages, calls, emails, logs, and more from apps. This could be extremely damaging to a government agency.
No federal organization or agency is exempt. Yet employee mobile devices are flying under the radar when 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior.
Take control of mobile infrastructure now lest your agency or employees become the entry point for an OPM-size (or bigger) breach.