A full 41% of the government employees in a Cisco-sponsored assessment survey from Mobile Work Exchange were found to be putting themselves and their agencies at risk with existing mobile device habits. They are practicing potentially dangerous behaviors, including the use of public Wi-Fi (31%), a lack of multifactor authentication or data encryption (52%) and failure to use passwords on mobile devices for work (25%). Even when employees do use a password, nearly one in three admits to using an “easy” password and 6% of those admit to having it written down.
“When you consider the sensitive nature of information government employees have access to, it is worrying to see that employees are still opening themselves up to such high levels of risk,” said Matt Bancroft, CEO for mobile security specialist Mobile Helix, in an email to Infosecurity. “Using public networks, having weak passwords (or no password at all!), downloading personal apps and losing devices all expose ways in which data can fall into the wrong hands.”
He added, “This report shows that even in highly regulated areas, where employees are working within a framework of tight policies and procedures in relation to security, users will always find a way to bypass security if it makes life easier for them.”
This is a particular issue considering the scale of mobile use: the report noted that 90% of government employee respondents use at least one mobile device – laptop, smartphone, and/or tablet – for work purposes.
Ironically, many government respondents are taking basic steps to secure agency data for fixed endpoints. A majority (86%) lock their computer when away from their desk; additionally, 86% have a safe and alternative workplace compatible for work, and 78% always store files in a secure location.
Despite these secure actions, government employees are not showing the same caution for mobile devices.
There’s also a lack of a top-down security approach. When the appropriate security policies and procedures are in place and enforced, a mobile workforce can be a tremendous asset to a government agency. However, 57% of respondents who took the assessment from an agency/enterprise-wide perspective are failing to secure agency data, with gaps in mobile policies and security systems. Despite the Federal Digital Government Strategy, more than one in four government employees have not received mobile security training from their agencies.
Additionally, just 50% of respondents noted that their agencies have formal, employee-focused mobile device programs. Half of the agencies that took the assessment are missing fundamental mobile security steps, like utilizing a remote wipe function, or adding multifactor authentication or data encryption on mobile devices.
“In the near future, the number of mobile devices will exceed the world’s population, and by 2017, we expect more than 10 billion connected mobile devices,” said Larry Payne, Cisco vice president, U.S. Federal. “With the proliferation of devices, security continues to be a major concern. The 2014 Mobilometer Tracker study shows that 6% of government employees who use a mobile device for work say they have lost or misplaced their phone. In the average federal agency, that’s more than 3,500 chances for a security breach. Organizations need to take the necessary steps to protect their data and minimize the risk of data loss.”
Interestingly, the US federal government is not alone, as this is a common problem across the public and private sectors. And in many ways, the government performs better. About half (53%) of government agencies require employees to register mobile devices with the IT department, versus just 21% of private-sector organizations. And only 15% of government respondents have downloaded a non-work-related app onto the mobile device they use for work, versus 60% of private-sector respondents.
“While the government is significantly safer than its counterparts, there is still much work to be done,” said Cindy Auten, general manager of Mobile Work Exchange. “Ensuring policies are being enforced is the best way to secure critical government data. Closing this gap equips government employees with the knowledge to thwart potential security breaches.”