In 2020, one in 15 government employees was exposed to a phishing attempt, a report by cybersecurity firm Lookout found.
Phishing is the attempt to fraudulently access an organization’s infrastructure in order to exploit it. And while email may be the primary channel that comes to mind, security experts at GovLoop’s online training Wednesday all affirmed that it certainly isn’t the only one. Users can be exposed to phishing threats through all kinds of mobile channels, particularly as the remote workforce increased suddenly in 2020.
“We are entering this new stage in the workforce, especially last year, where most of our workforce is mobile. All their devices are mobile – their laptops, cellphones, tablets, et cetera,” said Branko Bokan, Cybersecurity Specialist at the Cybersecurity and Infrastructure Security Agency (CISA).
These mobile devices can become targets of phishing attacks through text messages, messaging platforms, applications and more, said Steve Banda, Senior Manager of Security Solutions at Lookout.
A primary challenge that IT enterprises face in securing a mobile workforce is delays in hardware and software updates. Out-of-date systems are “number one targets for adversaries,” Bokan said.
The Lookout report found that all government employees who use devices with Android and iOS operating systems are exposed to vulnerabilities when their systems are not up to date. That goes up to 99% of Android users in government who are exposed to threats.
Pushing updates to endpoints has always been a challenge, even when everyone and everything was within a certain security perimeter. But now, agencies have run into the same challenge in a different, dispersed environment.
To help overcome this challenge, CISA assembled a group of experts to come up with best practices for telework security, such as remote patching and vulnerability tests. You can check out cisa.gov/telework for resources, regardless of how big or small your organization is.
Additionally, agencies should approach mobile security from a lifecycle management perspective. “Think about how many new phones come out in a year,” said Vincent Sritapan, Section Chief of the Cybersecurity Quality Service Management Office at CISA. Organizations have to consider the shelf life of devices and applications and ensure they no longer run applications at the end of their life. These can become ripe targets for adversaries.
User training and education also remain one of the best ways to minimize phishing attacks. But Bokan said even this will not completely rid phishing entirely.
“Unfortunately, we will never be able to eliminate phishing. End users will get phished. So we need to be ready to detect those attempts and detect when they’re successful, and also be ready to respond and recover. Good cyber practitioners always have to work on preventing those things, but at the same time we have to be equally ready to invest equal resources into detection capabilities, because sooner or later they will happen,” Bokan said.
This online training was brought to you by: