With mobile devices continuing to drive productivity and mission-focused efforts for government, the need to protect government data on mobile devices has never been greater.
Much like the enterprise arena, critical data needed for government employees to be productive has moved to the cloud, and needs to be accessible from any device, wherever employees are located.
There no longer is any “there” anymore when it comes to where government data lives, and it is now more fluid, moving and accessible. As a result, rather than stashing endpoints behind traditional perimeter security, security itself must move to the endpoint.
With this in mind, as the federal government continues to issue new technology and cyber mandates — which is critically important — mobile needs to be more strongly considered as a key element.
Among the most prominent mandates where mobility needs to be front-and-center are the Department of Health and Human Services’ (HHS) Health Industry Cybersecurity Practices and the Department of Homeland Security’s continuous diagnostic and mitigation (CDM) program.
Collectively, these mandates are advancing IT in the federal arena, which is incredibly positive. However, by focusing more on critical mobile security elements, it will further bring the vision of IT helping to drive government mission success to life.
Why mobile device protection is different for government
According to a 2018 Lookout survey of 200 government IT and cybersecurity specialists, 60.5% of government agencies reported they had experienced a security incident involving a mobile device.
In the face of these rising mobile security events, agencies have the opportunity to become even more equipped to deal with the ever-expanding threat landscape. A top concern is the rise of mobile phishing, which highlight security shortcomings and expose sensitive government data at an alarming rate.
In addition, mobile has made identifying and blocking phishing attacks considerably more difficult for government employees and existing security technologies. With mobile devices being connected outside traditional firewalls, they typically lack endpoint security solutions and access a wide-range of new messaging platforms not used on desktops.
Unlike desktops, a hacker can steal a mobile user’s two-factor authentication and log-in credentials to turn device speakers and cameras on and off, or listen to conversations, which points to the need for advanced mobile threat detection solutions.
Enabling mobility and the ability to access data seamlessly is a great development for accomplishing the mission, but it also causes a serious challenge to agency security teams who rely on perimeter provisions such as firewalls and secure web gateways.
By strengthening these mandates and viewing cybersecurity in today’s post-perimeter world, government employees can be more productive by accessing data anywhere and at anytime.
HHS Health Industry Cybersecurity practices
The HHS Health Industry Cybersecurity Practices is a set of voluntary cybersecurity guidelines for the private sector that leverages the National Institute of Standards and Technology’s Cybersecurity Framework. The goal of this guidance is to address cybersecurity issues across healthcare organizations of all sizes.
It also offers best practices for small, medium and large healthcare organizations, and highlights key threats, including phishing, ransomware, insider threats and attacks against connected devices.
While the guidance does reference the issue of mobile security, and overall the agency sees mobile devices as an endpoint, there’s much more that needs to be done to put mobile threat protection front-and-center. These solutions can detect phishing attempts from any source on mobile devices, including email (government or personal), SMS, chat apps, social media and more, and allows administrators to set policies to protect against phishing threats.
They also allow administrators to block connections on mobile devices to known malicious URLs hosted on risky websites that may attempt to phish for credentials, as well as warn users of dicey websites before they proceed.
Advanced mobile protection needs to be part of the DEFEND contract
With government entering the post-perimeter, cloud-first, mobile-first world, agencies are being forced to move key security functions to the endpoint and establish a zero-trust access model.
Along these lines, DHS has integrated mobile protection into the CDM program. They are portraying the DEFEND acquisition process and its request for services processes as an easy way for agencies to achieve “CDM parity” for their mobile devices, as compared to other CDM protected endpoints.
However, there’s still work to be done when it comes to making progress through the early CDM phases.
A December 2018 GAO report on Information Security found only eight agencies had fully implemented CDM Phase 1, and 15 were still in the “partial implementation” categories. With regards to Phase 2, 17 agencies fell into the partial implementation category, and four that had not implemented at all. Four agencies had partially implemented Phase 3 and 19 had not implemented it all.
In addition, because mobile is considered an emerging technology, agencies cannot currently use DEFEND contract dollars to pay for mobile threat protection – potentially leaving agency networks and data vulnerable to mobile threats.
This also points to the need for agency cyber and IT leaders to be encouraged to seek out mobile threat defense solutions under this contract, which will augment the current mobile device management (MDM) offerings.
By updating these cyber mandates, agencies will have the opportunity to fully embrace the new architecture behind post-perimeter security, which is comprised of endpoint protection, access to the cloud, and identity. This would also help to counter the challenge of having many agencies overlooking mobile as a critical endpoint, and provide more visibility into everything happening on their mobile devices.
As the threat landscape continues to expand beyond the traditional desktop arena, government leaders should consider new ways of thinking when it comes to tying in mobility in today’s post-perimeter word.
By revisiting these new cyber mandates, it is possible to provide the guidance that agencies need to ensure that innovation continues to safely and effectively be the backbone for mission success.
Bob Stevens is vice president of the Americas at Lookout.