Risky mobile behaviors are prevalent in the government
Interest article to read from Net-Security.org website regarding federal agencies mobile users.
Excerpt from Net-Security.org site. “Mobile devices are extremely prevalent in federal agencies, even within those that purport to have policies prohibiting the use of them. Lookout analyzed 20 federal agencies and found 14,622 Lookout-enabled devices associated with those agencies’ networks. Those devices encountered 1,781 app-based threats.
Their latest report, which is based on a survey of more than 1,000 U.S. federal employees, finds that not only are federal employees using personal devices to access potentially sensitive government data, a significant number of them engage in behaviors that could put the device and, in turn, the data it contains or accesses at risk. This includes behaviors such as rooting, jailbreaking, and sideloading applications, which involves installing applications from places other than official app stores, such as websites or links in email.
“The cyber security practices, or lack thereof, of the federal government are under the microscope in the wake of the OPM hack. Yet, hardly anyone is scrutinizing the unsanctioned use of mobile devices that could be putting government data at risk,” said Bob Stevens, Vice President of Federal Systems at Lookout.” (2015 Aug 25, Net-Security.org)
The Mobile Malware 18% of federal employees with smartphones report encountering malicious software or malware. And it will continue to grow till we can separate the business and personal access within federal agencies network. Easy to say yeah!
I currently work as Information Technology Manager/Information System Security Manager with the help of industry standard framework for managing and continually improving the company’s policies, procedures and processes. I was able to implement these documents in our organization and still we are making mistakes securing the flow of information. Though it will be minimal (or acceptable risk). This is why we have two audit every year e.g. internal audit and registry audit.
The internal audit is to identify any short coming or needed improvement, missing or incomplete documentation and come up with the corrective action to be ready for registrar audit.
The registrar audit (company) is the one providing your certificate, making sure you are doing what you suppose to do (due care, dure diligence), checking all policies, procedures and processes, checking your statement of applicability, risk management and other information security related documents that serve your company’s infosec foundation.
To make the story short, company produce all these policies and processes to secure their information assets, then technology will simply jump over security to provide user accessibility and ease of use.
Always remember, “Security is a process NOT a product“.