Security starts with users understanding what types of attacks they will encounter and how to manage them.
With the massive adoption of smartphones, tablets and cloud-based productivity tools, the workforce has been shifting away from the traditional office space for a number of years now. The recent shelter-in-place orders caused digital transformation to rapidly accelerate, but many agencies are exploring continued telework options even as offices reopen. As a result, government agencies find themselves in a new reality where most of their employees are outside the protection of their office perimeter security controls while using mobile devices to stay productive.
As government agencies look to protect their data in this telework environment, they need to tackle two areas—workforce education and mobile security. Agencies need to make sure their workers understand how to recognize mobile-specific threats and have the right mobile security solution in place.
Create a Mobile-Savvy Workforce
Security starts with users understanding what types of attacks they will encounter and how to manage them. With the adoption of mobile devices and collaboration applications, there are new security challenges that workers won’t be familiar with, especially if they come from a traditional desktop-centric environment.
For example, phishing scams targeted at mobile devices are much more difficult to spot. Not only are there many more ways to deliver malicious links on mobile than just email—such as SMS texts, social media platforms and messaging apps—but the smaller form factor makes it hard to figure out whether the displayed names and URLs are actually what they claim to be. One way to train workers to recognize mobile phishing scams is to send out test messages. This will help you understand how prepared your workforce is when faced with a real threat. However, it should be understood that we are all human. All the training in the world won’t make us perfectly effective at identifying phishing attempts—some of them are just too good. Having phishing protection solutions in place that address more than just email is an important safety net.
The other issue workers need to be aware of is related to the collaboration tools that are making their teleworking easier, such as video conferencing software and internet-based messaging platforms. The National Security Agency recently released a guide to help agencies figure out how to manage collaboration services and it came with sound advice.
First, users need to make sure security features, such as single sign-on and multifactor authentication, are enabled. In addition to updating authentication controls, they also need to avoid oversharing details, have passwords in place, and implement waiting rooms for video conferencing to prevent uninvited individuals from eavesdropping.
Implement Robust Mobile Security
While user education is important, it cannot be the only line of defense for government agencies. Agencies need security solutions in place that can protect their data even when users make mistakes and when workers are outside the office perimeter security controls, accessing data from their mobile devices.
Many agencies use mobile device management, or MDM, but it’s not enough. While MDM can push certain updates to mobile devices, it has no insight into app characteristics and cannot provide enough detection or protection against the full spectrum of cyber threats and user behaviors.
Agencies need to ensure that their mobile security aligns with a zero-trust model, in which any device seeking to access data must be continuously validated as free from threats and running the latest software.
The current teleworking environment was driven by an unexpected crisis. But in actuality, the modern workforce had already moved outside the traditional office perimeter. With the adoption of cloud services and mobile devices to increase productivity, it’s critical that agencies educate their employees to stay vigilant while also implementing robust mobile security solutions.
Tim LeMaster is director of systems engineering for Lookout.