For a number of years, Federal IT managers have been helping agencies capitalize on the productivity benefits of mobile applications. The benefits can be significant: Frost & Sullivan found that smartphones are freeing up an average of 58 minutes of work time each day, for a productivity boost of 34 percent.
But mobility also comes with new security concerns that can keep IT leaders up at night. Mobile malware attacks rose last year to 42.7 million incidents, up from 40 million in 2016. The risks are especially high for the public sector. The security website DarkReading reports that government ranks second for the highest number of mobile malware attacks, behind only the financial services industry.
Protecting untethered devices is more costly and complicated than ever, as government data flows between everything from laptops, smartphones and tablets to newer endpoints like wearables and IoT sensors on tanks, aircraft and other operations equipment. More types of devices operating outside the protection of agency firewalls mean a larger attack surface for security staff to defend. It’s no wonder that IT officials name securing endpoints and improving breach recovery times as the top mobile security priorities for the next 12-18 months, according to a recent study by FedScoop.
So even if new IT modernization funds materialize thanks to the Modernizing Government Technology Act, agencies must closely manage cybersecurity spending — both when evaluating legacy infrastructure and deploying new technologies.
How can you judge whether an endpoint solution is a wise investment? Start by answering these four critical questions.
Q1: Alignment. Does your mobile security approach align with your agency’s overall cybersecurity strategy?
Answer: Follow a standards-based approach. Look for mobile platforms that adhere to government-wide security standards, such as the Federal Information Processing Standards (FIPS), as published by the National Institute of Standards and Technology (NIST). These standards certify credentialing, key management and crypto-management capabilities. Platforms should also comply with the National Information Assurance Partnership (NIAP), which oversees evaluations of commercial IT products for use in national security systems.
Q2: Integration. Does your endpoint security solution seamlessly integrate with your overall cybersecurity environment?
Answer: Choose endpoint platforms that come with thousands of APIs for out-of-the-box “hooks” into existing security systems, such as mobile data management applications. This is essential for overcoming the integration headaches and expenses associated with embedding mobile security within the larger cyber-defense foundation. Also look for platforms that let IT administrators efficiently set controls for virtual private networks and smart card frameworks, and that provide single sign-on integration with Active Directory.
Q3: Productivity. How can you maximize mobile productivity without sacrificing security?
Answer: IT managers must find the right balance between cyber risk and letting people do their jobs. Fortunately, that’s becoming easier than ever. The best endpoint platforms offer containerization for creating secure zones within mobile devices that clearly separate government and personal data and applications. This enables IT staff to encrypt and closely manage sensitive government assets, without impacting usability.
Passwords are one of the biggest productivity drains, causing users to constantly fumble for the right codes before connecting to government networks. However, workers can more easily stay productive when platforms provide biometric authentication, such as fingerprint reading and iris scanning, and sophisticated tools for continuous multifactor authentication and derived credentialing.
Q4: Culture. How can we get everyone to take security seriously?
Answer: Cultivate a culture of security. That’s not easy, as people understandably focus on their main responsibilities and see security as the IT department’s job. But this creates security gaps that hackers are ready to exploit. Infected email attachments opened by end users account for 66 percent of the malware installed at enterprises, according to Verizon’s 2017 Data Breach Investigations Report. The report adds that stolen or weak passwords, often obtained by fooling end users into revealing them to bad actors, represent 81 percent of hacking-related breaches.
Regular end-user training can help close this gap by reinforcing agency security policies and keeping people updated about the latest exploits. The latest technology can also take some of the onus off of end users. For example, Samsung Knox can authenticate at the transaction level by verifying not only the person performing the transaction, but also the permission to perform it at that exact time and location. So if someone logs in from California at midday, and an hour later the same device is signing on from New York, security managers can see and respond to the threat before it causes harm.
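The California-then-New-York scenario above is commonly called an "impossible travel" check. The following sketch is an added example, not Samsung Knox code or a description of how Knox implements it: it flags consecutive sign-ins from one device whose implied travel speed exceeds a ceiling. The event fields, device names, sample records and the 1,000 km/h threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner cruising speed

@dataclass(frozen=True)
class SignIn:                # hypothetical event shape
    device_id: str
    when: datetime           # timezone-aware, normalised to UTC
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, implied_kmh) for consecutive sign-ins of
    the same device whose implied travel speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.device_id)
        last_seen[ev.device_id] = ev
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.when - prev.when).total_seconds() / 3600
        if hours == 0:
            # Simultaneous sign-ins: suspicious only if clearly apart.
            speed = float("inf") if km > 1 else 0.0
        else:
            speed = km / hours
        if speed > max_kmh:
            alerts.append((prev, ev, speed))
    return alerts

def utc(hour, minute=0):     # constructed sample date
    return datetime(2018, 3, 5, hour, minute, tzinfo=timezone.utc)

SAMPLE = [                   # constructed sign-in records
    SignIn("tablet-17", utc(20), 34.05, -118.24),     # California, midday local
    SignIn("tablet-17", utc(21), 40.71, -74.01),      # New York, one hour later
    SignIn("phone-02", utc(14), 38.90, -77.04),       # Washington, DC
    SignIn("phone-02", utc(18, 30), 39.29, -76.61),   # Baltimore, 4.5 h later
]
ALERTS = impossible_travel(SAMPLE)
```

Location derived from IP addresses is noisy (VPN egress points, carrier gateways), so an alert like this is usually treated as a trigger for step-up authentication or analyst review rather than an automatic block.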
As endpoints proliferate in the years ahead, hackers will likely focus more of their attention on finding and exploiting their vulnerabilities. Government security staff and federal IT administrators can address these threats, and sleep soundly, with the latest endpoint protection platforms.