December 5, 2016
Presidential Commission on Enhancing National Cybersecurity
The Presidential Commission on Enhancing National Cybersecurity released its report on securing and growing the digital economy in which one message is clear: de-prioritizing mobile security is no longer an option.
New priorities for a new mobile workplace
“The days of employees working only at an office using an organization-issued desktop computer fully managed by the organization are largely over. Market forces and employee demands have made “bring your own device” the de facto option in many workplaces. … Organizations no longer have the control over people, locations, networks, and devices on which they once relied to secure their data. Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms. In short, the classic concept of the security perimeter is largely obsolete.”
- Excerpt from the Commission on Enhancing National Cybersecurity report
Employees in the public sector are using mobile devices every day to get their jobs done, whether government agencies know about it or not. Today, having a secured mobile workforce — which includes protection against risky applications, network attacks, and malicious intrusions — is a necessary element of an agency’s overall security architecture.
Mobile devices should be secured like any other endpoint
Simply put, securing thousands of individuals running multiple endpoint-types, across different operating systems is an extremely complex undertaking. The commission acknowledges this, saying in the report:
“Complexity today is affected by the continuously changing and interdependent environment, the increased number of mobile clients, and the compressed time available from when a product is first conceptualized to when it goes to market.”
Mobile devices are just another endpoint in this complex environment, but they are a real endpoint that exists in federal employees’ daily working lives. In fact, 64 percent of IT security leaders say it is very likely that sensitive data is present on their employees’ mobile devices, according to a survey from analyst firm ESG and Lookout.
Mobile’s key role in two-factor authentication
The cybersecurity commission's report provides the following recommendation:
“Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.”
This should raise flags for agencies, especially those without proper mobile protections in place. Mobile phones and tablets are increasingly being used as the “thing you have” in critical two-factor authentication setups. This puts the mobile device squarely in attackers’ crosshairs, as they must now breach the device in order to gain access into a targeted system. The report states:
“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry-standard public key cryptography.”
What visibility into mobile risks looks like
IT and security organizations within Federal agencies will do a much better job at keeping sensitive data safe when they have visibility into these endpoints. This is no different than any of today’s security measures: typical SEIM technology gives security professionals the information they need to take action when a security event arises. Mobile visibility, however, is dangerously missing from today’s solutions.
Mobile security technology should have the following capabilities:
- Detection & remediation of mobile malware
- Detection & remediation of compromised operating systems (i.e., jailbroken or rooted devices)
- Detection & remediation of sideloaded apps (i.e., apps downloaded from third-party marketplaces)
- Detection & remediation of network attacks
- Detection & remediation of risky applications (i.e., non-malicious applications that may still put sensitive government information at risk)
Agencies need to quickly see activity regarding any of the above risks and threats in order to properly address security events on a mobile endpoint.
Action is needed today
“Malicious actors continue to benefit from organizations’ and individuals’ reluctance to prioritize basic cybersecurity activities and their indifference to cybersecurity practices. These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will.”
The Cybersecurity Commission’s warning is apparent: Mobile security needs to be a priority today.
Government organizations cannot wait for a public, noisy data breach to begin securing mobile devices, lest they become the headline they want to avoid.
Interested in learning more about how you can secure your agency? Contact us today.
Book a personalized, no-pressure demo today to learn:
Discover how adversaries use non-traditional methods for phishing on iOS/Android, see real-world examples of threats, and learn how an integrated security platform safeguards your organization.