Security for Telework, BYOD and Beyond
The Defense Department experienced unprecedented changes to its work environment this past year. Officials scrambled to implement policies and procedures for a secure transition after adding over 900,000 user accounts to its commercial virtual remote environment in a two-week timeframe.
But what started as a temporary solution for the department is here to stay. With telework benefits including increased productivity, flexibility and more, the department is pushing to hire more remote workers to stay ahead of the digital transformation.
In response, the defense community needs a comprehensive security strategy that doesn’t rely on perimeter-based security, which tethers employees to physical office locations.
Now more than ever, it’s time to take a prescriptive approach that fully addresses an overlooked element of cybersecurity: mobile. Devices like smartphones and tablets are convenient and ubiquitous, but they simultaneously offer access to government employees’ — and the nation’s — most sensitive data.
Preparing for bring your own device (BYOD) is a significant part of an agency’s cybersecurity strategy. Federal employees increasingly use personal mobile devices to check email and engage in work-related communication, even if they’re not authorized to do so. Many agencies are getting ahead of this by revisiting BYOD and implementing an official policy to control, manage and better ensure compliance across devices.
The Air Force is taking the lead. In the summer of 2020, it introduced a bring your own “approved” device (BYOAD) policy to allow employees access to information from anywhere, create streamlined communication channels, and improve end-user experience. A transformative program, BYOAD will likely become a tangible example for other agencies.
With such policies, mobile consumption and telework becoming commonplace, it’s time for agencies to rethink their cybersecurity strategy.
They need to ensure mobile is part of all security training plans and policies. Additionally, to properly implement Zero Trust and investigate threat incidents, they need to include the devices their workers use the most.
User awareness is crucial for those working on Defense Department-issued mobile devices, participating in a BYOD program, or sneaking tasks in on unauthorized personal devices. While most individuals are familiar with security basics, like regularly updating passwords and not clicking on suspicious links on a desktop, mobile attacks can slip under the radar.
Education is essential, but it’s not a silver bullet. A survey by cloud security company Lookout found that the rate at which federal government employees encountered mobile phishing more than doubled between the last quarter of 2019 and the first quarter of 2020.
Users should know how to identify mobile phishing’s many forms, including text, social media and messaging apps. Education should also reiterate how mobile devices’ smaller form factor makes it harder to identify malicious phishing links.
As threats become more sophisticated and prevalent, training and awareness programs are necessary steps to achieve a unified workforce and, ultimately, a successful security strategy.
Even with proper education, users cannot be the only line of defense. Agencies should assume a Zero Trust mentality, trusting no user or device without continuous verification.
Indeed, the government is taking strides to ensure implementation across agencies. Noting BYOD as a driver for the approach, the National Institute of Standards and Technology’s Zero Trust guidance lays out recommendations for agencies to encourage and support its adoption.
At a basic level, Zero Trust requires device validation before providing access to data and networks, which is especially critical as a broader set of devices enters the network. But Zero Trust policies must include all potential entry points, especially since mobile devices are efficient and easy for cybercriminals to infiltrate. As such, agencies need to dynamically monitor the health of smartphones, tablets and all mobile devices, restricting access immediately when a risk profile changes.
While many agencies assume that they’ve covered mobile security with methods like mobile device management, this does not offer the protection or the telemetry data needed to implement Zero Trust or investigate security incidents.
A well-rounded mobile security strategy starts by detecting and defending against all cyber risks, including app-based threats, network vulnerabilities and mobile phishing attempts. Once identified, users should receive remediation instructions so they know the precise actions to take next.
At the same time, threats are continually evolving and increasing in sophistication. Mobile security must also include endpoint detection and response (EDR) that can quickly detect, hunt for and respond to threats, investigate incidents and contain them at the endpoint.
What can this prevent? For example, complex social engineering can target a specific individual and create a mobile application designed to lure them in and convince them to sideload an app. If the app turns out to be malware, it can access sensitive information stored on a user’s phone or even gain control of their phone camera and microphone. Mobile EDR investigates the origins of the attack — since incidents are rarely isolated — and addresses it before the threat impacts the entire agency.
Because so many threats originate on mobile, it is critical that endpoint detection and response approaches can examine and operate effectively on all endpoints. Machine learning analysis creates an approach sensitive to the constrained resources on mobile platforms and end-user privacy while supporting the threat detection and response process.
Bob Stevens is vice president of Americas for Lookout.