Mobile devices are extremely prevalent in federal agencies, even within those that purport to have policies prohibiting the use of them. Lookout analyzed 20 federal agencies and found 14,622 Lookout-enabled devices associated with those agencies’ networks. Those devices encountered 1,781 app-based threats.
Their latest report, which is based on a survey of more than 1,000 U.S. federal employees, finds that not only are federal employees using personal devices to access potentially sensitive government data, a significant number of them engage in behaviors that could put the device and, in turn, the data it contains or accesses at risk. This includes behaviors such as rooting, jailbreaking, and sideloading applications, which involves installing applications from places other than official app stores, such as websites or links in email.
“The cybersecurity practices, or lack thereof, of the federal government are under the microscope in the wake of the OPM hack. Yet, hardly anyone is scrutinizing the unsanctioned use of mobile devices that could be putting government data at risk,” said Bob Stevens, Vice President of Federal Systems at Lookout.
“As we saw earlier this year when it was reported that Secretary Clinton used her personal email for State Department work, federal employees are using personal technology for work purposes whether BYOD is approved or not. As we evaluate the federal government’s cybersecurity practices, we must also take into account the increasing role mobile plays in today’s workplace and assess how to better protect the sensitive data accessed by federal employees’ devices. This report shows that rules, policies and employee education alone are insufficient in stopping risky or threatening events before they cause damage,” Stevens added.
A quarter (24 percent) of federal employees send work documents to personal email accounts. This is just one sign that a significant amount of sharing between work and personal devices and accounts happens daily. Additionally, 50 percent use their personal devices for work email and 17 percent store work-related documents on personal file sharing apps.
Federal employees are jailbreaking or rooting the devices they bring to or use at work. While only seven percent of federal employees surveyed report having done so, what is most alarming is that 57 percent of employees who have rooted or jailbroken their device have access to work documents on that device and 65 percent of them have access to work email. Jailbroken and rooted devices introduce security risks by creating new OS vulnerabilities that attackers can exploit, putting the device and its data at risk of compromise.
Federal employees aren’t getting their apps just from the official app stores. A quarter (24 percent) of federal employees have sideloaded apps to their mobile devices from places other than official app stores. Lookout found there isn’t much difference between iOS and Android users: 21 percent of federal iPhone users have sideloaded apps compared to 25 percent of Android users.
Eighteen percent of federal employees with smartphones (personal or government-issued) report encountering malicious software. Of those, 19 percent were Android users and 14 percent iPhone users. These percentages are surprisingly higher than the 7 percent average Android malware encounter rate Lookout reported for 2014.
Restrictive, locked down mobile policies don’t work. Nearly 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior.
Nearly 40 percent of employees are willing to sacrifice government security to use a personal mobile device at work despite being aware of cybersecurity concerns. Clearly, employee education is not enough. Fifty-eight percent of employees are aware of cybersecurity concerns or consequences that arise with using their personal mobile phones for work, yet 85 percent admit to using their personal device(s) for potentially risky activities like downloading or reading work-related documents or email, sending work documents to personal accounts, and storing work data on personal file sharing apps.
Federal employees are not securing their mobile devices. Nearly half (49 percent) of federal employees have no security app or solution installed on the mobile devices they use at or bring to work. Thirteen percent of them use these unsecured devices for reading or downloading work-related documents.