The Bring Your Own Device (BYOD) revolution in IT is sweeping through organizations of all kinds, including government agencies.
Like their peers in the private sector, government employees are buying their own smartphones and tablets and bringing them to work. They are using these devices to store and transmit a mind-boggling mix of content.
Personal files, such as vacation photos and games, are sharing space with sensitive or confidential content, such as internal reports, budgets and security documents. Living up to their name, these mobile devices go everywhere the employees go: to home and the office, and also to restaurants, parks, hotels and airports.
The benefits are compelling — computing has never been so convenient and collaboration so effortless. But the security risks are substantial. Government agencies need to understand these risks and then adopt best practices for keeping data safe in the age of BYOD.
New challenges for IT
BYOD’s blurring of personal and business computing creates special challenges for government agencies. These include:
- Security as an Afterthought. Consumer devices — iPads for example — were not designed with rigorous data security in mind. Most mobile devices either lack advanced security features or have them disabled by default. Even basic features, such as screen locks, are turned off, and most users leave them that way.
- Data Contamination. Today, an employee’s vacation photos are likely to reside on the same smartphone or tablet that the employee brings to work. Along with agency data, that device might also contain videos, songs and games. Aside from the risk of personal content ending up on agency file servers, agencies are facing the threat of thousands of malware-infected files or devices attacking government resources.
- Mobile Malware. Malware targeting mobile devices is on the rise. IBM predicts that mobile malware will grow 15 percent annually for the next few years. Hackers and criminal syndicates realize that most mobile devices are less secure than more traditional devices like laptops, and they are targeting mobile devices for everything from mischievous pranks to stealthy data breaches.
- Phishing Attacks that Slip Past Network Defenses. Many employees now catch up on email and work in the evening and on weekends, and mobile devices are the prime choice for conducting this after-hours work. Unfortunately, this type of remote access means that email-borne attacks can avoid network perimeter security measures such as email gateways. Malware that would have been caught in the office implants itself on the employee’s mobile device. Once installed, keyloggers and other malware can feed attackers valuable information for launching more damaging attacks against internal agency assets.
- Lost Devices. On average, a cell phone is lost in the US every 3.5 seconds. Even if a lost smartphone or tablet does not contain confidential data, it still might include apps or cached credentials that make it easier for criminals to hack into a government agency’s network or servers.
- Risky File Sharing. According to a recent survey by iPass, the average mobile worker is now carrying 3.5 devices. Of course, these devices are only useful if they are carrying the files that employees need, so employees often take it upon themselves to find a fast, convenient way of sharing files across devices, such as free but risky public-cloud file sharing services. Unfortunately, these services are not secure. For example, Dropbox accidentally disabled all password protection on all its customers’ accounts for four hours last year. In addition, these services typically lack the centralized control and monitoring features that government agencies need. These services are fine for sharing vacation photos, but wholly inadequate for protecting and tracking confidential files like those that government agencies work with every day.
Six best practices for protecting agency data on mobile devices
Fortunately, agencies can deploy solutions to make employees’ mobile devices secure. The key is to focus on what is really important to secure: content. Devices will continue to proliferate, and new models of mobile devices will continue to be introduced month after month. By focusing on content, agencies can focus their security investments on protecting what matters most, even while the IT infrastructure continues to change and expand.
Mobile Content Management (MCM) is a new class of mobile security solution that provides secure software “containers” for mobile devices. These secure containers shield confidential data from unauthorized access and malware infection that can affect other files on the device. IT departments can configure and control these secure containers remotely, so if a device is lost or stolen, administrators can quickly disable access rights for all files in that container on the device.
Leveraging a secure file sharing solution, here are the top six ways to protect confidential data on mobile devices:
- Choose a Solution that Protects All Confidential Files on All Devices. Agencies should select an MCM solution that works with whatever common mobile devices employees are carrying, so that no device is unprotected, no matter what OS it’s running.
- Centralize Control and Monitoring. Centralized monitoring also allows IT administrators and security officers to monitor the distribution of files and to detect anomalous behavior before it leads to data breaches.
- Connect to SharePoint and Other Important Agency Services. Most government agencies have invested in ECM systems like SharePoint. Agencies should select an MCM solution that provides secure mobile access to content stored in these existing systems, so that secure file sharing from mobile devices becomes a natural part of the workflow, and workers in remote locations always have access to the critical files they need.
- Increase Trust and Control with Private Clouds. Agencies should deploy MCM solutions on private clouds, so their own IT organizations have complete control over the location and availability of data. Private cloud solutions offer the elastic performance and renowned cost-effectiveness of cloud computing without exposing agencies to the security and availability risks of public clouds.
- Block Risky Services – Nudge Users to Safety. Even with an MCM solution in place, employees may be tempted to try the free services that their friends are using. By blocking these services, agencies can ensure that employees will not jeopardize the confidentiality and integrity of agency data.
- Choose Solutions that Meet Federal Security Requirements. Agencies should select an MCM solution that has been certified to meet FIPS 140-2 requirements.
By following these six best practices, government agencies can enjoy the benefits of improved collaboration and productivity made possible by BYOD, while avoiding the concomitant risks of data breaches.
Hormazd Romer is Senior Director of Product Marketing at Accellion.