Mobility demands diligence on security
The enthusiasm for mobile technology in government agencies continues to be tempered by concerns about the security ramifications, according to a survey conducted by the 1105 Government Information Group.
More than half of respondents (53 percent) said security concerns continued to hamper more widespread use of mobile solutions, the survey shows (see chart). And 62 percent agreed that security concerns are slowing the adoption of mobile technology, compared to 25 percent who were neutral and only 13 percent who disagreed.
The most pressing concern is the threat of malware, malicious code that users often download unknowingly when visiting commercial websites, downloading apps or opening email from unknown senders. Other cyber threats include inadequate user authentication, malicious text or SMS messages, and device loss or theft (see chart).
The survey results echo concerns expressed by watchdog groups across government, including the Government Accountability Office, the federal CIO Council and the Defense Department’s inspector general.
By and large, experts say vulnerabilities in mobile solutions can be addressed by putting the proper security controls in place. Unfortunately, both agency IT staff and individual users are not always diligent about implementing and maintaining those controls.
That’s what auditors at GAO found when they examined the state of mobile security in the public and private sectors in 2012. Although many smart phones and other mobile devices come with security features, typically they must be turned on by the IT staff or by the user, GAO found.
To make matters worse, information about those features often was not readily available. In many cases, general cybersecurity instructions “were not directly accessible from either carriers or device manufacturers, although instructions for implementing controls could be found by searching the company’s website for information about individual models of smart phones,” the report states.
In theory, this should be less of a problem when dealing with government-furnished devices because the IT staff would have an opportunity to configure the devices correctly. However, that is not always the case. In a recent report, DOD’s inspector general found that Army officials were not providing adequate oversight of the more than 14,000 commercial mobile devices (CMDs) that the service had purchased.
The root problem was that Army officials had concluded that the devices were not connecting to Army networks or storing sensitive information and so the officials did not require the devices to comply with standard information assurance (IA) requirements. Additionally, they did not identify controls to mitigate some of the specific risks associated with mobile devices, such as Bluetooth or Wi-Fi connectivity.
“Without an effective cybersecurity program specific to CMDs, critical IA controls necessary to safeguard the devices were not applied, and the Army increased its risk of cybersecurity attacks and leakage of sensitive information,” the IG report states.
But even the best security programs will not be effective without the cooperation of individual users. With that in mind, most agencies have established “acceptable use” policies that spell out what users can and cannot do with their devices.
However, the 1105 Government Information Group survey suggests that such policies are often disregarded. Fifty-one percent of respondents indicated that their co-workers rarely or never abide by their agency’s policy, while another 21 percent occasionally do. Only 28 percent almost always comply (see chart).
The “Government Mobile and Wireless Security Baseline” document, issued by the CIO Council in May, emphasizes the importance of the human factor. The document identifies the most common mobile threats and recommends strategies for mitigating those threats. But it also reminds agency officials that technology alone is not a sufficient solution.
“In addition to the mitigations, management controls include security awareness training to address mobile device-specific threats and security policy defining rules of behavior and acceptable use of mobile devices,” the document states.
But the CIO Council also notes that mobile-related security policies are fraught with potential problems. The “Mobile Computing Decision Framework” document highlights a number of questions that agency officials should consider:
- To what extent will the organization require control over its employees’ mobile devices?
- Who owns the information residing on the devices?
- What information can be stored on the device? How will that policy be enforced?
- Can employees personalize their devices?
In deciding how to answer those questions, agencies need to strike a balance between sound policy and usability because overly strict or complex policies are likely to be ignored.
The council also encourages agencies to give their policies some teeth. “All policies should carry a deterrent that the organization can apply easily and fairly,” the document states. “Users seeking expedience will often ignore policies that have no consequences.”