If it takes just one teenager and what’s being reported as “off-the-shelf” malware to take down Target, one of the largest retailers in the world, is there any hope for data security elsewhere?
In fact, according to a recent report from the Government Accountability Office (GAO), 2012 was a record year for Federal data breaches. In December 2013, Trustwave found a file that identified two million stolen passwords from some of the most popular email providers and social networks.
Certainly some of these threats (like that at Target) come from thieves/hackers that are far ahead of the current security infrastructure, but when it comes to passwords, stolen devices and security policies (or lack thereof), user/employee behavior – especially careless habits around mobile – can be affected to help minimize threats to any organization.
The Secure Mobilometer, created by the Mobile Work Exchange, a public-private partnership focused on demonstrating the value of mobility and telework, is a self-assessment tool to better understand mobile security and pressure points. Research commissioned by Cisco that put the tool to use, “The 2014 Mobilometer Tracker: Mobility, Security, and the Pressure In Between,” highlights critical results in both the government and private sector.
Ninety percent of government employee respondents use at least one mobile device – laptop, smartphone, and/or tablet – for work purposes, and the report revealed that 41% of the government employees who used the assessment tool are putting themselves and their agencies at risk with existing mobile device habits.
Basic security actions seem to be covered, with 86% locking their computers when away from their desk and 86% having a safe and alternative workplace; 78% say they always store files in a secure location.
Despite these actions for laptops, government employees are not showing the same caution for mobile devices. They are practicing potentially dangerous behaviors, according to the report, including the use of public Wi-Fi (31%), a lack of multifactor authentication or data encryption (52%), and failure to use passwords on mobile devices for work (25%). Even when employees do use a password, nearly one in three admits to using an “easy” password and 6% of those admit to having it written down.
Fifty-seven percent of respondents who took the assessment from an agency/enterprise-wide perspective are failing to secure agency data, with gaps in mobile policies and security systems. Despite the Federal Digital Government Strategy, more than one in four government employees have not received mobile security training from their agencies.
In fact, only 50% of respondents noted that their agencies even have formal, employee-focused mobile device programs. Half of the agencies that took the assessment are missing fundamental mobile security steps, like utilizing a remote wipe function, or adding multifactor authentication or data encryption on mobile devices.
“In the near future, the number of mobile devices will exceed the world’s population, and by 2017, we expect more than 10 billion connected mobile devices,” said Larry Payne, Cisco vice president, U.S. Federal, in a statement. “With the proliferation of devices, security continues to be a major concern. The 2014 Mobilometer Tracker study shows that 6% of government employees who use a mobile device for work say they have lost or misplaced their phone. In the average Federal agency, that’s more than 3,500 chances for a security breach. Organizations need to take the necessary steps to protect their data and minimize the risk of data loss.”
Lessons for the Enterprise
What’s scarier than these results? Despite shortfalls, government respondents scored considerably safer on the Secure Mobilometer than their private-sector counterparts. So what can the private sector learn here?
“While the government is significantly safer than its counterparts, there is still much work to be done,” said Cindy Auten, general manager of Mobile Work Exchange, in a release. “Ensuring policies are being enforced is the best way to secure critical data. Closing the gap equips employees with the knowledge to thwart potential security breaches.”
Know your workforce: 97% of government respondents who telework say they have a formal telework agreement in place versus just 56% of private-sector respondents
Know your devices: 53% of government agencies require employees to register mobile devices with the IT department versus just 21% of private-sector organizations
Require training: 53% of government agencies require all employees to take regular security training related to mobile devices versus just 13% of private-sector organizations
Minimize risks: In a world where IT leaders must support users' private devices, security becomes paramount; 15% of government respondents have downloaded a non-work-related app onto the mobile device they use for work versus 60% of private-sector respondents.