Today’s digital world makes it nearly impossible to avoid mobile devices. Government employees in their personal lives use a plethora of smartphones, tablets and other hand-held technology to read news, shop, and follow the latest doings of family and friends.
But when the pandemic took hold and in-office work suddenly became remote, those devices often became a mode of professional communication as well. Employees could access, with the benefit of cloud-based applications, the same information they could in the office.
Convenience, though, comes at a cost. The traditional security solutions that protect in-office computers do not protect the operating systems used by mobile devices — and that leaves the door wide open for phishing or ransomware attacks. Intruders from foreign nations or darkened basements alike can wander electronically through any category of an agency’s data.
Federal, state and local government employees generally use older versions of Android and iOS operating systems — often because swift implementation of those updates is delayed by government rules that require testing of proprietary apps — and that exposes mobile devices to hundreds of vulnerabilities.
According to Lookout, a mobile security firm, an astounding 99 percent of U.S. government Android users in 2020 were exposed to hundreds of vulnerabilities due to out-of-date operating systems. The situation isn’t getting better either. Lookout data reveals that the rate at which devices are exposed to mobile phishing, app threats and device and network threats is increasing.
So how do cyber criminals target mobile devices?
Hackers use mobile “spear phishing” to steal employee login credentials or deliver malware to their devices (think, Trojan horses). The attacks are based on social engineering — that is, they convince people to visit a web page or click on a link that silently downloads malware.
There are two modes of attack, and they both can seem remarkably aboveboard:
- Credential harvesting gives employee login information to hackers, who then use it to move through an agency’s electronic infrastructure to find and steal the data they want. Lookout found that three-quarters of phishing attacks in 2020 tried to steal people’s credentials.
- Malware delivery tricks employees into installing malicious apps, allowing hackers to locate and steal sensitive information, such as financial data and contact lists.
Lines of Defense
Perhaps the simplest bulwark against mobile phishing is training employees to recognize phishing attempts. A Lookout app, for example, notifies a mobile employee and offers security tips each time the individual is exposed to phishing sites. The good news is that while phishing attacks have become more sophisticated, those hacks tend to reuse the same techniques, so educating employees should help them, over time, recognize most phishing.
Government agencies can adopt bring-your-own-device (BYOD) strategies to counter “shadow IT,” in which employees use personal mobile devices without getting IT department approval first. BYOD policies give agencies more visibility into what devices their workers are using and can help IT teams protect those devices with modern endpoint security solutions, but BYOD still leaves agencies exposed.
A bring-your-own-approved-device (BYOAD) approach, however, goes further by requiring employees to use only devices included on an agency-approved list.
Some Things Should Stay Private
Whatever an agency does to secure the mobile devices accessing its computer systems, Lookout says one thing should never be sacrificed: data privacy. After all, should employers have a window into your personal life?
Government can protect its IT systems from the cyber hazards of personal-use mobile devices and can repel the hackers who prey on them. Really, it has no choice.