Mobile interactions with the government are on the rise, and for good reason. Users can easily apply for benefits, pay fees, and renew permits and licenses with a few taps on their smartphone. For agency personnel, mobility can bring data to the point of need, whether that’s on a flight line maintaining aircraft or in the field monitoring groundwater quality. In fact, according to the just-released Verizon Mobile Security Index 2020, 75 percent of public sector organizations surveyed say that mobile devices are “critical to the smooth running of their operations.”
But there’s another, more disquieting statistic to consider. Public sector organizations are 2.2 times more likely to be compromised if they sacrifice security. Thirty-nine percent (39%) of those organizations admit to having been compromised via a mobile device over the past year. Breaches occurred at every level of government as well as at educational institutions. For government agencies, which have a unique responsibility to protect citizens’ data, the threat to national security is accompanied by the risk of a loss of trust by the public.
The risks go beyond data theft, as seen in the rise of ransomware attacks across the country, costing hundreds of millions of dollars, disrupting day-to-day operations and putting lives at risk. According to Verizon’s research, bad actors aren’t necessarily looking to steal the data from mobile devices; they want to use them as entry points to core systems.
“5G standards have created strong encryption between every link,” said Michael Sowers, Managing Partner, Connected Solutions with Verizon. “Picking the right vendor has been critical to security. Verizon has consciously made the decision to purchase equipment from a small group of vendors and we don’t use any Huawei or ZTE equipment in any of our core wireline or wireless networks, including our new 5G network.”
Improved Operations, But Greater Risks
While mobile devices may be helping to streamline processes and control costs, more than one-third of the organizations surveyed admitted to cutting corners on security to “get the job done.” As a result, those organizations were hit with 2.2 times the number of compromises compared with those that secured their systems.
However, the largest threat vector is one that is all too familiar, as seen in numerous studies over the past five years: internal users. Seventy-one percent of public sector respondents say that their employees pose the biggest security risk within local government agencies. Worse, 64 percent said they have used public Wi-Fi for government-related purposes, even though doing so was explicitly prohibited by many of their agencies.
In too many cases, the basics of security are being ignored. Respondents say that only 46 percent of their organizations change all default passwords on systems, and just over half said that data is encrypted when transmitted over public networks. With agencies moving systems to the cloud to meet regulatory requirements, the risks will quickly multiply, as 71 percent of respondents said that mobile devices will be their primary means of accessing cloud services within five years. Yet cloud security measures aren’t necessarily being taken: 20 percent of public sector organizations do not encrypt their cloud-based services, and only 40 percent limit access to cloud apps that don’t have a proven security rating.
The reasons for ignoring security include expedience, cost, and convenience. If not implemented properly, policy and/or security could slow down the workflow for an agency’s staff and the public constituents that they serve. “Employees will find workarounds to get their jobs done and citizens will avoid using systems that aren’t user-friendly,” explained Sowers. “But security doesn’t have to be a huge burden on the users or the IT department that maintains and manages it.”
Security at Speed
Specifically, Zero Trust, Identity and Access Management (IAM) and authentication strategies, and secure mobile gateways can help limit the risks to critical data. New automated techniques for authentication—some driven by AI and machine learning—including biometrics, geolocation and behavioral analysis, can confirm user identities without slowing down transactions. Of course, basic cyber hygiene—strong passwords, device hardening, encryption, patching, etc.—should be a given.
Sowers shared that “it starts with a vision: what do users need to do, what are the priorities, and how can the organization put security first? The internet of things and internet of people are changing how we work. By forming work groups, organizations can focus on critical job function in the office or in the field.”