With mobile devices continuing to drive productivity and mission-focused efforts for government, the need to protect government data on mobile devices has never been greater.
Much like the enterprise arena, critical data needed for government employees to be productive has moved to the cloud, and needs to be accessible from any device, wherever employees are located.
There is no longer any “there” when it comes to where government data lives; it is now more fluid, moving and accessible. As a result, rather than stashing endpoints behind traditional perimeter security, security itself must move to the endpoint.
With this in mind, as the federal government continues to issue new technology and cyber mandates — which is critically important — mobile needs to be more strongly considered as a key element.
Among the most prominent mandates where mobility needs to be front-and-center are the Department of Health and Human Services’ (HHS) Health Industry Cybersecurity Practices and the Department of Homeland Security’s continuous diagnostic and mitigation (CDM) program.
Collectively, these mandates are advancing IT in the federal arena, which is incredibly positive. However, focusing more on critical mobile security elements will further bring to life the vision of IT helping to drive government mission success.
According to a 2018 Lookout survey of 200 government IT and cybersecurity specialists, 60.5% of government agencies reported they had experienced a security incident involving a mobile device.
In the face of these rising mobile security events, agencies have the opportunity to become even more equipped to deal with the ever-expanding threat landscape. A top concern is the rise of mobile phishing, which highlights security shortcomings and exposes sensitive government data at an alarming rate.
Unlike on desktops, a hacker can steal a mobile user’s two-factor authentication and log-in credentials to turn device speakers and cameras on and off, or listen to conversations, which points to the need for advanced mobile threat detection solutions.
Enabling mobility and the ability to access data seamlessly is a great development for accomplishing the mission, but it also causes a serious challenge to agency security teams who rely on perimeter provisions such as firewalls and secure web gateways.
By strengthening these mandates and viewing cybersecurity in today’s post-perimeter world, government employees can be more productive by accessing data anywhere and at any time.
The HHS Health Industry Cybersecurity Practices is a set of voluntary cybersecurity guidelines for the private sector that leverages the National Institute of Standards and Technology’s Cybersecurity Framework. The goal of this guidance is to address cybersecurity issues across healthcare organizations of all sizes.
It also offers best practices for small, medium and large healthcare organizations, and highlights key threats, including phishing, ransomware, insider threats and attacks against connected devices.
While the guidance does reference the issue of mobile security, and overall the agency sees mobile devices as an endpoint, there’s much more that needs to be done to put mobile threat protection front-and-center. These solutions can detect phishing attempts from any source on mobile devices, including email (government or personal), SMS, chat apps, social media and more, and allow administrators to set policies to protect against phishing threats.
With government entering the post-perimeter, cloud-first, mobile-first world, agencies are being forced to move key security functions to the endpoint and establish a zero-trust access model.
Along these lines, DHS has integrated mobile protection into the CDM program. They are portraying the DEFEND acquisition process and its request for services processes as an easy way for agencies to achieve “CDM parity” for their mobile devices, as compared to other CDM protected endpoints.
However, there’s still work to be done when it comes to making progress through the early CDM phases.
A December 2018 GAO report on Information Security found only eight agencies had fully implemented CDM Phase 1, and 15 were still in the “partial implementation” categories. With regard to Phase 2, 17 agencies fell into the partial implementation category, and four had not implemented it at all. Four agencies had partially implemented Phase 3 and 19 had not implemented it at all.
In addition, because mobile is considered an emerging technology, agencies cannot currently use DEFEND contract dollars to pay for mobile threat protection – potentially leaving agency networks and data vulnerable to mobile threats.
This also points to the need for agency cyber and IT leaders to be encouraged to seek out mobile threat defense solutions under this contract, which will augment the current mobile device management (MDM) offerings.
By updating these cyber mandates, agencies will have the opportunity to fully embrace the new architecture behind post-perimeter security, which is comprised of endpoint protection, access to the cloud, and identity. This would also help to counter the challenge of having many agencies overlooking mobile as a critical endpoint, and provide more visibility into everything happening on their mobile devices.
As the threat landscape continues to expand beyond the traditional desktop arena, government leaders should consider new ways of thinking when it comes to tying in mobility in today’s post-perimeter world.
By revisiting these new cyber mandates, it is possible to provide the guidance that agencies need to ensure that innovation continues to safely and effectively be the backbone for mission success.
Bob Stevens is vice president of the Americas at Lookout.