MOBILITY
DHS STUDY HIGHLIGHTS MOBILE RISKS
Growing threat requires agencies to craft mobile-specific solutions.
SPONSORED CONTENT
BOB STEVENS
VICE PRESIDENT OF FEDERAL SYSTEMS, LOOKOUT
THE DHS STUDY on Mobile Device Security details risks to the federal government’s use of mobile devices—and, crucially, recommends best practices that departments and agencies can adopt for secure mobility. The study was developed by the Department of Homeland Security’s Science and Technology Directorate in consultation with the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE). Published in April 2017, it is the most comprehensive study yet done on mobile security in government.
The key finding is that risks to federal government data from the use of mobile devices— smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem. Mobile threats, vulnerabilities, and other risks to data comprise
a Spectrum of Mobile Risk that government technology leaders must be aware of to secure federal mobility.
Lookout is honored to have contributed to
the study, using our unique visibility into mobile risks from the over 100 million mobile devices protected by Lookout. Since the DHS study was released, Lookout has published additional data
on the prevalence of mobile risk. For example, during the fourth quarter of 2016 and first quarter of 2017, 47 in 1,000 Android enterprise devices protected by Lookout encountered malware. That includes 1 in 100 Android devices that encountered a rooting Trojan, a type of malware able to cause catastrophic data loss and surveillance because attackers can obtain higher levels of permission than ordinarily granted to apps.
Extrapolating this prevalence data to the federal workforce points toward a conclusion that government data is at risk from malware on employee devices. However, malware is an app-based threat, which is just one element of the spectrum of mobile risk that also includes threats across devices, network, web and
content vectors, as well as vulnerabilities and data leaking behaviors.
While it’s true that there is currently no enforceable government-wide mandate to protect mobile devices, that is a temporary condition. Mobile is part of every agency’s infrastructure, and mobile devices are endpoints that need to
be treated with the same priority as any other potential attack surface. Additionally, while many government departments and agencies do not have a formal BYOD policy allowing employees to use personal devices for government work, it’s happening every day.
The bottom line is that mobility has introduced a new generation of risk—and simply extending current PC security controls to your mobile fleet is ineffective. Government risk management needs to evolve to address mobile risks, and security professionals must architect mobile- specific security.
The next steps for extending federal security to mobile start with thinking through each element of the Mobile Risk Matrix and developing a strategy to manage that risk in the context of your security environment. Most security organizations will
find that they have very limited visibility into most mobile risks and are similarly limited in how they can control these risks with existing solutions.
The DHS Study on Mobile Device Security contains best practices, extensive guidance and additional reference materials for mobility and mobile security from NIST, NCCoE, and the National Security Agency, as well as Gartner and other industry groups, putting federal departments and agencies on a path to securing mobility. Waiting for headlines about the breach of a government agency via mobile is obviously not the right strategy. It’s the duty of government security and technology leaders to take steps now to implement this guidance.
Bob Stevens is Vice President of Federal Systems at Lookout.
S-20