User education, awareness and a mobile security strategy that extends to zero trust architecture will secure an agency’s infrastructure and data.
When the U.S. government rapidly transitioned to telework earlier this year, mobile devices and BYOD policies played a significant role in easing that transition. The very same devices that made productivity easier away from the office, however, introduced new cybersecurity risks.
Government cybersecurity authorities recognize the challenges telework poses and have offered recommendations and tips to support the shift. In October, the Cybersecurity and Infrastructure Security Agency (CISA) released its Telework Essentials Toolkit that detailed best practices for executive leaders, IT professionals and teleworkers to stay secure while working from home.
As agencies extend teleworking, they must think about the devices their workers use the most -- tablets and smartphones. These tools enhance employees’ ability to stay productive, but they also become potential entryways for cyberattackers to compromise an agency’s infrastructure. To ensure the agency is secure, IT leaders must make sure workers understand mobile devices' unique risks. Additionally, they should also extend zero-trust architecture to include a modern endpoint security solution.
Educate the workforce because phishing has evolved
Unlike the email phishing scams that targeted desktop devices, phishing has become much harder to detect on mobile devices. Employees rely on smartphones, tablets and Chromebooks for remote work, and the frequency of attacks is rising. Earlier this year, Lookout found that mobile phishing attacks encountered by federal employees more than doubled between the last quarter of 2019 and the first quarter of 2020.
The first step in combatting mobile phishing is user education. Most federal workers are familiar with how to spot an email phishing attack on a desktop computer, but mobile phishing is different. It is important users understand that phishing on mobile is not limited to email. There are numerous entry points for a malicious link to be delivered, including SMS text, social media platforms, messaging platforms and even dating apps. It's also much harder to identify a phishing attack on a mobile device due to the smaller form factor and simplified user experience, which obfuscates many of the telltale signs of a scam.
User education and awareness are critical. Government agencies can combat mobile phishing by using the National Institute of Standards and Technology’s Phish Scale, which observes employee behavior and tailors education to best serve the agency.
Deploy modern security that can protect mobile devices
While user education is essential, anyone can fall prey to increasingly sophisticated phishing tactics and other mobile attacks, such as app, device and network threats. Agencies need a well-rounded mobile security strategy that can defend against all these threats even when their workers aren't protected by the office perimeter.
Government agencies often have robust security for traditional endpoints, such as laptops and desktop computers, but not for mobile -- even though mobile devices now have just as much access to agency infrastructure as any other endpoints. While something like a mobile device management solution is a step in the right direction, it is not active security. MDM gives agencies control over which apps employees use, but it doesn't provide real-time monitoring or protection for devices.
Rather than relying on MDM exclusively, agencies should deploy a modern endpoint security solution to actively detect and respond to threats at the mobile endpoint. A comprehensive solution should also provide robust research and threat hunting tools to counter sophisticated attacks and prevent breaches.
Design security strategy around zero trust
Teleworkers each represent a remote office, making it difficult to rely on perimeter-based security tethered to office spaces. There's no guarantee who or what devices can be trusted, which is why a zero trust model is a critical part of a comprehensive and successful security strategy.
A zero trust policy requires continual device validation, ensuring devices are up to date and threat-free before they are given access to data and networks. Many agencies are adopting this framework following NIST's guidance earlier this year, but it is necessary to include mobile in any zero trust strategy. This validation must take place on all endpoints, including laptops, tablets and mobile phones.
As telework continues and mobile devices become a primary tool for productivity, mobile must be part of any agency's cybersecurity strategy. User education, awareness and a mobile security strategy that extends to zero trust architecture will secure an agency’s infrastructure and data.