woman using tablet and smartphone (TippaPatt/Shutterstock.com)

INDUSTRY INSIGHT

Best practices for securing teleworkers

When the U.S. government rapidly transitioned to telework earlier this year, mobile devices and BYOD policies played a significant role in easing that transition. The very same devices that made productivity easier away from the office, however, introduced new cybersecurity risks.

Government cybersecurity authorities recognize the challenges telework poses and have offered recommendations and tips to support the shift. In October, the Cybersecurity and Infrastructure Security Agency (CISA) released its Telework Essentials Toolkit that detailed best practices for executive leaders, IT professionals and teleworkers to stay secure while working from home.

As agencies extend teleworking, they must think about the devices their workers use the most -- tablets and smartphones. These tools enhance employees’ ability to stay productive, but they also become potential entryways for cyberattackers to compromise an agency’s infrastructure. To ensure the agency is secure, IT leaders must make sure workers understand mobile devices' unique risks. Additionally, they should also extend zero-trust architecture to include a modern endpoint security solution.

Educate the workforce because phishing has evolved

Unlike the email phishing scams that targeted desktop devices, phishing has become much harder to detect on mobile devices. Employees rely on smartphones, tablets and Chromebooks for remote work, and the frequency of attacks is rising. Earlier this year, Lookout found that mobile phishing attacks encountered by federal employees more than doubled between the last quarter of 2019 and the first quarter of 2020.

The first step in combatting mobile phishing is user education. Most federal workers are familiar with how to spot an email phishing attack on a desktop computer, but mobile phishing is different. It is important users understand that phishing on mobile is not limited to email. There are numerous entry points for a malicious link to be delivered, including SMS text, social media platforms, messaging platforms and even dating apps. It's also much harder to identify a phishing attack on a mobile device due to the smaller form factor and simplified user experience, which obfuscates many of the telltale signs of a scam.

User education and awareness are critical. Government agencies can combat mobile phishing by using the National Institute of Standards and Technology’s Phish Scale, which observes employee behavior and tailors education to best serve the agency.

Deploy modern security that can protect mobile devices

While user education is essential, anyone can fall prey to increasingly sophisticated phishing tactics and other mobile attacks, such as app, device and network threats. Agencies need a well-rounded mobile security strategy that can defend against all these threats even when their workers aren't protected by the office perimeter.

Government agencies often have robust security for traditional endpoints, such as laptops and desktop computers, but not for mobile -- even though mobile devices now have just as much access to agency infrastructure as any other endpoints. While something like a mobile device management solution is a step in the right direction, it is not active security. MDM gives agencies control over which apps employees use, but it doesn't provide real-time monitoring or protection for devices.

Rather than relying on MDM exclusively, agencies should deploy a modern endpoint security solution to actively detect and respond to threats at the mobile endpoint. A comprehensive solution should also provide robust research and threat hunting tools to counter sophisticated attacks and prevent breaches.

Design security strategy around zero trust

Teleworkers each represent a remote office, making it difficult to rely on perimeter-based security tethered to office spaces. There's no guarantee who or what devices can be trusted, which is why a zero trust model is a critical part of a comprehensive and successful security strategy. 

A zero trust policy requires continual device validation, ensuring devices are up to date and threat-free before they are given access to data and networks. Many agencies are adopting this framework following NIST's guidance earlier this year, but it is necessary to include mobile in any zero trust strategy. This validation must take place on all endpoints, including laptops, tablets and mobile phones. 

As telework continues and mobile devices become a primary tool for productivity, mobile must be part of any agency's cybersecurity strategy. User education, awareness and a mobile security strategy that extends to zero trust architecture will secure an agency’s infrastructure and data.

About the Author

Bob Stevens is vice president of the Americas at Lookout.

Featured

  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected