Mobile technology is rapidly evolving and has slowly become a part of our DNA. Earlier phones were a requirement, but today thanks to COVID-19 mobile devices have turned into a necessity. We use our mobiles to attend meetings, read and send emails and work on mobile applications. Our day to day activities revolve around mobiles, tablets or laptops, but the safety of using these devices is still debatable.
The global pandemic has even forced government officials to work from the comfort of their homes using their devices and internet connections. The security perimeter of these officials or employees has wholly vanished as most sensitive communication is conducted on public telecommunication lines and personal hardware and software devices. This sudden shift has created a need for all government bodies to include remote and mobile network applications under the cybersecurity banner.
Very few government organisations or government bodies have set guidelines for cybersecurity when it comes to mobile devices. No rule includes checks or software installations to detect mobile threats. According to Mobile Security Index 2020¹, about 45% of the public sector don’t have an acceptable-use policy for mobile devices. It is high time that government offices started creating a baseline security requirement for all personal and government-issued mobile devices.
The lack of proper security measures can be harmful, primarily if they deal with confidential information. We have not yet fully registered or understood the high risk of weak mobile security. Let’s first understand what the possible threats are and how can we counter them.
Mobile Security Threats
The central point to remember is that once a government employee’s mobile device is compromised, intruders can use the information accessed to compromise their work devices. It makes it imperative to have endpoint security installed. It will help stop the cyber attackers from exploiting the user entry points.
Data privacy is a concern for not just governments but also private organisations. If an intruder enters your mobile phone, they can use it to collect sensitive and confidential information. These black hats can crack using idle apps, cloud services and freemium apps to access the data. Affected individuals can deal with it by removing unused apps and limiting app permissions to mandatory ones. These simple steps can ensure the security of any mobile device.
If you are using outdated software and have not installed the recent security updates, the device is more prone to cyberattacks. These updates are not only essential to improving device performance but are also essential to preventing known threats. The device will fix the bugs and potential vulnerabilities, securing sensitive and private data with updated security measures.
Mobile Malware is the most popular type of security threat as this infects the device through downloaded apps. It doesn’t just get into a machine via third-party or non-official websites. One might have downloaded these same through official app stores, making it very difficult to counter. To fight this, every organisation can have policies that specify what types of software can be downloaded, especially from third-party websites.
Phishing attacks are something that everyone very commonly experiences. Intruders breached government emails in Norway through phishing. Hackers also use social engineering attacks to send emails that look very familiar to organisation mails or emails by co-workers to access your credentials and banking details. According to Lookout², over 70% of phishing attacks on US government organisations focused on stealing login credentials, making it a massive concern as this would directly impact government confidentiality.
Now that you have understood a few of the threats your mobile devices may encounter let’s discuss how the governments plan to fight these threats.
With the ever-evolving technologies, even the governments have realised that they need to evolve their policies and take proper precautions. Keeping this in mind, the Federal Mobility Group (FMG), chartered by the Federal CIO Council, recently released the mobile management ecosystem that includes four strategic pillars³. The four strategic pillars are:
Unified Endpoint Management (UED): It will help enforce standard security configuration and policies, report non-compliant devices and configure approved WiFi and VPN settings. It can also remotely wipe out data in case of stolen or lost mobile devices.
Mobile Threat Defense (MTD): It provides nearly real-time monitoring of the device’s state and shares this information with UEM and Security Information and Event Management (SIEM) for solutions and awareness of threat posture. It also detects mobile phishing attacks, network-based attacks, malicious apps and other known vulnerabilities.
Native Mobile OS Security Functionality: It focuses on the security features already present in the Android or iOS operating system. They include privacy protection capabilities, one-time app permissions, fraudulent website warnings and more.
Mobile App Vetting (MAV) detects software configuration flaws that create vulnerabilities and existing malicious functionalities. It also allows code review or code vetting.
Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) launched Mobile Cybersecurity Shared Services⁴. This initiative, expected to launch in 2022, is still in the pilot stage. It will be piloting three capabilities, namely:
Vetting Mobile Application Security: It’s a MAV service that will evaluate the security of applications created by the government.
Verifying Mobile Device Security: It is focused on mobile device security and detects modification in software, hardware and firmware between two points in time.
Mobile Network Security Service: It includes a DNS service for mobile devices.
Meanwhile, the NYC Cyber Command has already launched an application called ‘NYC Secure App⁵’ that is free for everyone to use. It helps identify unsecured networks, send notifications for invisible threats and identify and solve cyber threats.
These are some of the preventive measures taken by the US government to avoid or crush as many threats as possible. The Australian government is creating awareness regarding mobile security measures on the Australian Cyber Security Website⁶. Similarly, the UK government offers guidance for device protection against cyberattacks on their National CyberSecurity Center⁷ website.
Governments across the globe are using multiple ways to create awareness of the threats for mobile users. They are also trying to come up with policies or guidelines that will help protect their data. It is limited to a few countries and organisations. While the threat of data leaks is genuine, when will the government organisations take a stern step towards these threats?