No one is going to dispute the fact that last year changed everything when it came to technology and digital transformation. As workers from both the public and private sector headed home to work to avoid the worst impacts of the pandemic, they relied heavily on mobile technologies not only to work and learn, but also to buy groceries and keep in touch with family and friends. And beyond adding apps with varying security standards, they also often connected their mobile devices – and by default their work environments to unsecured home networks and public Wi-Fi in order to continue to deliver on the mission in a world turned upside down.
While the benefits of mobile technologies are easy to recognize, cell phones, tablets, and laptops have also become major vector’s for security threats. The fourth edition of Verizon’s Mobile Security Index (MSI), which was released in last month, found that 48 percent of public sector organizations had experienced a mobile-related compromise that had major repercussions for their organization and that nearly two-thirds of these organizations said the consequences of the attack had a lasting impact on their organization.
With many agencies extending remote work indefinitely public sector organizations have begun to evaluate their security postures in order to enhance security for mobile users. Interestingly, while using public Wi-Fi has been identified as a significant access point for malware and other attacks, fewer than 10 percent of public sector organizations have blocked it’s use. And while 22 percent of public sector organizations have banned its use, nearly half of those organizations are aware that employees still use public Wi-Fi.
Despite turning a blind eye to policy violations to support productivity and convenience, public sector organizations are well aware that the consequences of a mobile-vector attack are serious – if not life-threatening. For public sector organizations, particularly state and local governments, the consequences of an attack go far beyond the exposure of emails or personally identifiable information (PII) and affect the ability of first responders to deliver critical or emergency services to the communities they serve. According to the MSI 70 percent of organizations surveyed acknowledged that a security compromise could put citizens’ lives at risk by impacting critical or emergency services.
With hurricane and wild fire season just about to begin – and with expectations of yet another year of severe events – the consequences of a ransomware attack directed towards public safety officials and first responders could be particularly damaging. In the MSI report Jerome Hauer, Ph.D., Former Commissioner, New York State Division of Homeland Security shared that one of the greatest concerns of public safety officials is to have “[a]ll of the planning and preparation that goes into being ready to respond to events … be thwarted by cyberattacks that bring you to your knees.”
“Verizon’s commitment to providing innovative, end-to-end solutions for our public sector customers is rooted in helping them also achieve optimal network security,” said Jennifer Chronis, Senior Vice President of Public Sector at Verizon. “Within our partner ecosystem, we provide a set of tools and services to help them achieve a zero trust model. Verizon’s threat reduction tools provide further enhancement to this Zero Trust framework.” To avoid the costly consequences – both financial and reputational – of an attack on first responders, the team at Verizon have developed a set of best practices that public sector organizations can use as they prepare their critical and emergency services. It focuses on four areas: users, apps, devices and things, and networks.
Let’s take a look at the recommendations:
- Users
- Establish a formal acceptable use policy (AUP) that specifies responsibilities for bring-your-own-device (BYOD) users, what networks can be used and what apps users can install.
- Adopt a security-first focus, give all employees regular training, and make sure they know to report anything suspicious.
- Set and communicate a password policy covering strength, re-use, and two-factor authentication.
- Apps
- Restrict access to data on a need-to-know basis
- Limit employees to installing apps from vetted sources and block those downloaded from the Internet.
- Ensure that all patches are installed properly.
- Devices and Things
- Change all default and vendor-supplied passwords and avoid reusing the same ones.
- Implement policies to lock down and isolate vulnerable, infected, and lost or stolen devices.
- Use an MDM solution to simplify patch management and enforce your AUP, including authentication policies.
- Deploy mobile threat…
To read the remainder of the recommendations from the Mobile Security Index report click here.