Surveys Reveal Lax Mobile Security Among Federal Workers

The use of mobile devices provides significant benefits in convenience and workplace productivity. However, two recent reports indicate that, in the enthusiasm for using mobile technologies, U.S. government workers too often ignore security protocols associated with mobile IT.

The Office of Personnel Management hack revealed earlier this year, which affected more than 20 million people, drove an immediate effort to address federal IT security. That effort largely has focused on IT systems and bypassed mobile device security.

“The cybersecurity practices, or lack thereof, of the federal government are under the microscope in the wake of the OPM hack. Yet hardly anyone is scrutinizing the unsanctioned use of mobile devices that could be putting government data at risk,” said Bob Stevens, vice president of federal systems atLookout.

Nearly 40 percent of federal employees are willing to sacrifice government security to use a personal mobile device at work, despite being aware of cybersecurity concerns, according to a survey of government workers conducted by Lookout, which provides mobile security services.

Other findings from the survey included the following:

• Fifty-eight percent of federal employees are aware of cybersecurity concerns that arise with using personal mobile phones for work, yet 85 percent admit to risky activities like downloading or reading work-related documents or email, sending work documents to personal accounts, and storing work on personal file-sharing apps.
• Federal employees are not securing their mobile devices as 49 percent of workers have no security app or solution installed on the mobile devices they use at or bring to work. Thirteen percent of these employees use these unsecured devices to handle work-related documents.
• Many federal workers obtain apps from places other than officially approved stores. Almost 25 percent of federal employees have side-loaded apps to their mobile devices from unofficial stores, with little difference between Android and iOS users.

“The results of the survey were largely negative regarding security, but the good news, at least, was that federal workers are really interested in enhancing their workplace productivity by utilizing the advantages of mobile technology,” Stevens told the E-Commerce Times.

“The negative is that despite education and awareness, there is not enough follow-up on security for mobile technology. The desire for improving productivity plus the fact that there hasn’t yet been a major mobile device breach on the scale of the OPM case we think has contributed to complacency,” he said.

Education Plus Technology

More and better education of federal employees regarding security issues is a major factor in shoring up mobile connection protection, but technology also will play a critical role, Stevens noted.

“This report shows that rules, policies and employee education alone are insufficient in stopping risky or threatening events before they cause damage,” he said.

Key elements for mobile security involve a mobile device management plan, a containment element to inhibit the spread of malware, utilizing protection in flight of electronic transmission through virtual private network technology, and predictive capabilities.

Part of Lookout’s technology approach is the use of predictive analytics, which involves capturing a vast array of mobile code, including more than 11 million apps. The process enables the detection of risks before intrusions display malicious behavior and helps protect mobile endpoints and infrastructure from app and device-based threats, the company said.

In exploring federal mobile security issues, Lookout obtained data from more than 14,600 federal employee devices that use its technology — ultimately revealing 1,781 app-based threats.

The findings of the Lookout report, issued in August, were reinforced by a separate survey of federal agency endpoint security, conducted byMeriTalk, a public-private forum on federal IT.

The MeriTalk survey, released in November, was broader in scope, covering a wide range of mobile endpoints such as smartphones and tablets and also the potential harm from other sources such as connected medical devices and even ATMs.

BYOD Opens Security Doors

Sixty-one percent of federal agencies do not apply their network security policies to mobile devices, and bring-your-own-device situations are especially vulnerable, the MeriTalk survey showed.

Forty-five percent of federal employees who use personal devices for work purposes either haven’t reviewed their agency’s BYOD policy or don’t believe one exists, according to the MeriTalk survey, which was underwritten byPalo Alto Networks.

Fifty-two percent of agencies do not enroll devices with the IT department, and 50 percent of federal agencies do not prohibit the use of public WiFi by employees, the findings showed.

In addition, more than half of federal employees admit to risky behavior with personal mobile devices used for work. For example, 39 percent transmit work documents to their personal email accounts or upload them to a cloud application. Twenty-four percent say they log on to their agency’s network using public WiFi at least weekly.

Endpoint Chain Reactions

While BYOD security stood out as a vulnerable area, the MeriTalk study revealed weakness in other areas as well, including chain-reaction scenarios that occur when an intrusion at one entry point can affect network security.

“Endpoints are an increasingly important vector to secure in the cyberattack life cycle. Unfortunately, these study results indicate that trust and visibility are much too often absent on this frontier,” said Pamela Warren, director of government and industry initiatives at Palo Alto Networks.

“We are looking at what is changing on networks today in the form of endpoints and trying to raise the level of awareness of the oft-forgotten endpoints such as ATM devices and medical devices, which also connect to the network,” she told the E-Commerce Times.

“BYOD, ATM and medical devices are typically different topics but should be included in the endpoint security discussion. Oftentimes an attacker will compromise the end-user device such as a BYOD laptop, and then move laterally to a rarely patched device like a network-attached printer, ATM or medical device,” Warren said.

For example, 80 percent of IT managers in federal agencies don’t segment endpoints — a way of creating different levels within networks to discriminate between sensitive and nonsensitive purposes, or to prioritize access among users, the survey revealed.

Only 28 percent of survey respondents reported they had identified dubious files from endpoints, and half said their agency had not taken key steps to validate users and apps.

“This is all about risk reduction to the network and the endpoints,” Warren said.

“To appropriately prevent successful attacks to networks, IT teams should be aware of all applications, content and users on their networks. From that knowledge, they can then establish appropriate security policies for their networks to enable the applications needed by their employees, while limiting those that they do not. This immediately reduces risk,” she added.

Endpoint security, however, is not solely a government issue. The Ponemon Institute and Lumension earlier this year jointly reported that private sector organizations are experiencing similar endpoint protection problems, largely involving careless IT practices by employees.