Tom Davison, Technical Director International at Lookout, discusses the issue of mobile phishing within the government sector and how it can protect employees inside and outside of the workplace.
The similarities between the government and any large modern corporation are myriad: they are bureaucratic, departmentalised and they depend on the flexibility and accessibility of the cloud and mobile devices to enable their workforces to communicate and operate effectively. These shared "qualities", however, which are essential to any large organisation's capacity to function, also make them more vulnerable to phishing attacks. The more employees, devices, interactions and exchanges of information there are, the greater the number of inconsistencies and points of vulnerability for attackers to target and exploit.
The severity of the issue cannot be overstated. A recent poll from the Government Business Council found that as many as 47% of government employees encountered a phishing attack while conducting work via a mobile device. To prevent this figure from rising, we need to understand why government employees are being targeted en masse.
Demand for being mobile is a double-edged sword
Driven by necessity, advancements in working culture and employee habits, the government has embraced the cloud-first, mobile-first world. By making data accessible anywhere from any device, employees can work flexibly, remotely and, ultimately, more productively. However, the activities and protocols of decentralised workers are far harder to monitor and secure than those of a workforce operating on a single internal network, particularly if half of the workforce is accessing work-related data while connected to an external network, as a recent poll from the Government Business Council found.
These findings are emblematic of the necessary change in how we work: data has moved to the cloud, and employees can access information seamlessly from a myriad of devices at any location. As a result, security teams are battling to defend us in this increasingly disparate and vulnerable environment.
For government departments, the main problem they face is the misalignment between the security policies they set and what their employees are actually doing to uphold them. If employees are working outside of the network, it can be nigh impossible to monitor and manage their activity without impinging upon their privacy or mollycoddling them. However, the inability to do so can prove detrimental.
For instance, if an employee is working from home and receives an SMiShing text, or a phishing email, containing a malicious link, they might not be in a sufficiently vigilant state of mind and click on it. In fact, users are three times more likely to fall for a phishing link when on a small screen than when using a desktop. Equally, they might sign into an unsecured public WiFi hotspot while working at a café and expose their device, and the sensitive corporate information it contains, to the advances of nearby attackers.
What protection looks like
So, what can the government do to protect remote employees if they aren’t going to follow the rules?
The answer, in theory, is a straightforward one: the government needs to implement a mobile threat defence solution that ensures all data remains secure even when employees fail to follow policies or mistakenly encounter a malicious website, app, or network. This means moving security to the endpoint and adopting a post-perimeter security solution that protects against phishing attacks that target employees in any form, whether through SMS, messaging apps, email or social media.
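The channel-agnostic idea in the paragraph above, that a link should be judged the same way whether it arrived by SMS, a messaging app, email or social media, can be illustrated with a small endpoint-side link screen. The code below is an added example written for this article, not Lookout's product code or any method the article describes. The organisation domains (`gov.example`, `mail.gov.example`), the blocklist entry and the four sample messages are all constructed for the demonstration.

```python
"""Endpoint-side phishing-link screening applied identically across channels.

Added example for illustration; domains, blocklist entries and messages are
constructed placeholders, not data from the article or from Lookout.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Hypothetical organisation domains (assumption, not from the article).
TRUSTED_DOMAINS = ("gov.example", "mail.gov.example")
# Constructed stand-in for a threat-intelligence blocklist feed.
BLOCKED_DOMAINS = ("login-verify.example.net",)
# Brand tokens whose presence in an untrusted host suggests a lookalike domain.
BRAND_TOKENS = ("gov",)


@dataclass
class Verdict:
    url: str
    reasons: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def _under(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen_url(url: str) -> Verdict:
    """Run the same checks on a link no matter which app delivered it."""
    v = Verdict(url)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        v.reasons.append("unparseable host")
        return v
    if _under(host, TRUSTED_DOMAINS):
        return v  # stays inside the organisation's own domains
    if _under(host, BLOCKED_DOMAINS):
        v.reasons.append("host on blocklist")
    if parts.username is not None:
        v.reasons.append("userinfo before host")  # e.g. trusted-name@other-host
    if _is_ip(host):
        v.reasons.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        v.reasons.append("punycode label")  # possible IDN homograph
    tokens = host.replace("-", ".").split(".")
    if any(tok in tokens for tok in BRAND_TOKENS):
        v.reasons.append("brand name in untrusted host")
    return v


def screen_message(channel: str, text: str) -> list:
    """Extract every URL from a message body and screen it; channel is informational."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))
    return [screen_url(u) for u in urls]


# Constructed sample messages, one per delivery channel.
SAMPLE_MESSAGES = [
    ("sms", "Unpaid fine: pay now at https://gov.example.login-verify.example.net/pay"),
    ("email", "The intranet has moved: https://mail.gov.example/inbox"),
    ("chat", "New HR portal https://xn--gov-9na.example/hr"),
    ("email", "Sign in: https://gov.example@198.51.100.7/login"),
]


def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Count risky links per channel, so the result is comparable across channels."""
    counts = {}
    for channel, text in messages:
        risky = sum(1 for v in screen_message(channel, text) if v.risky)
        counts[channel] = counts.get(channel, 0) + risky
    return counts


if __name__ == "__main__":
    for channel, text in SAMPLE_MESSAGES:
        for v in screen_message(channel, text):
            print(f"[{channel}] {v.url} -> {'RISKY ' + ', '.join(v.reasons) if v.risky else 'ok'}")
    print(triage())
```

The point of the example is that `screen_url` has no notion of the transport: the SMS, chat and email links are judged by the same host checks, which is what moving the decision to the endpoint buys. A real deployment would replace the constructed blocklist with a live feed and would treat the heuristic checks as signals for a risk score rather than hard verdicts.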
Equally important, the security solution needs to be unobtrusive and non-intrusive, so that employees can continue to work outside the office with confidence, privacy and flexibility. By continuously monitoring the health of devices that are accessing sensitive information in this way, the public sector can secure itself from phishing attacks while reaping the benefits of the mobile-first, cloud-first and perimeter-less world.