The National Institute of Standards and Technology (NIST) first released its enterprise mobile device security guidelines Special Publication (SP) 800-124 in 2013. But over the course of nearly a decade, the workplace has undergone a major transformation.
Seven years ago, mobile device management (MDM) was the only tool agencies had to combat mobile threats, and phishing links were primarily delivered by email, which users accessed on desktop computers. Now, mobile devices and cloud solutions are everyday tools for government agencies and telework has rapidly increased, particularly in the past few months.
NIST’s draft revisions to its mobile guidelines, the first since the document’s inception, are a great start toward addressing security concerns in this new reality. As federal agencies recognize the importance of mobile security, NIST’s ongoing guidance updates are imperative.
Below are some of the new NIST guideline additions that all organizations should incorporate:
Phishing
Phishing is now the biggest threat vector for mobile devices, so it’s good to see NIST acknowledge it in the drafted updates. With the rise in telework and increased use of mobile devices, agencies need to ensure they have the proper security solutions in place to combat mobile phishing, and educate their employees to spot mobile phishing attacks.
Mobile devices are particularly vulnerable because they often bypass traditional, perimeter-based security controls when employees connect to LTE networks or to hotspots on the go or at home. There are also many more ways to deliver phishing attacks besides email, including channels such as SMS, messaging apps and social media platforms. It also doesn’t help that mobile devices have a smaller form factor and a simplified user interface, which makes it harder for users to inspect URLs and the sender’s email address to identify phishing threats the way they might on a desktop computer.
Organizations need to educate users to leave behind their desktop-centric phishing training where the focus is on email. Instead, train users to identify phishing and social engineering threats across all mobile communication channels. Ultimately, though, we’re all human and sometimes we will click that link, so having comprehensive mobile security solutions in place to protect agency data is an important safety net.
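The point above about URLs being hard to inspect on a small screen is one that security tooling can partly compensate for. The following is an added example, not code from the article or from NIST: a small URL inspector of the kind an agency could run on links arriving over SMS or messaging channels before a user taps them. It parses the link, reports the host the browser would actually connect to, and flags the visual tricks a mobile user is least able to spot. The shortener list and the two-label "registered domain" approximation are constructed assumptions for the demo; a real deployment would use a maintained shortener list and the public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed shortener list for the demo; a real deployment would load a
# maintained list. Shorteners are flagged because the destination is hidden.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}

# Deeper than this many labels (e.g. a.b.c.d.example) is unusual enough that
# the brand a user recognises is probably not the registered domain.
MAX_HOST_LABELS = 4


def inspect_url(url):
    """Return (host, registered_domain, warnings) for a URL as a user would see it.

    host is what the browser connects to, registered_domain is a naive
    two-label approximation (assumption: no public suffix list here), and
    warnings lists the signs that are hard to notice on a phone screen.
    """
    # Messages often carry bare "host/path" links; assume http so urlsplit parses them.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    warnings = []

    # "https://bank.example@evil.example/" connects to evil.example; the part
    # before '@' is credentials, but on a narrow screen it reads as the host.
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")

    if parts.scheme != "https":
        warnings.append("not HTTPS")

    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a hostname")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    # Internationalised labels arrive as punycode; lookalike characters in
    # the displayed form are the classic homoglyph trick.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (IDN) label; check for lookalike characters")

    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener; final destination not visible")

    labels = [label for label in host.split(".") if label]
    if len(labels) > MAX_HOST_LABELS:
        warnings.append("deep subdomain chain; familiar name may not be the registered domain")

    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return host, registered, warnings


if __name__ == "__main__":
    # Constructed sample links of the shapes discussed in the text.
    samples = [
        "https://www.example.com/",
        "https://accounts.example.com.evil-login.example/verify",
        "http://login.example.com@203.0.113.5/reset",
        "https://bit.ly/3abc",
    ]
    for link in samples:
        host, registered, warnings = inspect_url(link)
        print(f"{link}\n  connects to: {host} (registered: {registered})")
        for w in warnings:
            print(f"  warning: {w}")
```

The inspector deliberately reports the host separately from the registered domain, because "accounts.example.com.evil-login.example" looks like example.com in a truncated address bar while the browser actually talks to evil-login.example; surfacing that difference is the part of the check a user cannot do by eye on a phone.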
Mobile Threat Defense
Mobile Threat Defense (MTD) didn’t exist in 2013, but it’s critical today and an important addition to NIST SP 800-124. Agencies need to take advantage of MTD solutions to have real-time protection against device, app and network threats in addition to phishing threats.
MTD solutions provide visibility into app characteristics and protect against threats stemming from risky user behaviors, such as visiting malicious websites or clicking links loaded with malware. Tools like MDM, while useful in managing devices, do not provide this functionality.
In a telework environment, office-based security measures are no longer in play. That’s why agencies need to have a comprehensive MTD solution that aligns with a zero-trust model.
There are a number of ways for mobile security to get compromised – through vulnerabilities in operating systems, in apps or in networks. A zero-trust solution will continuously monitor devices’ health and will only allow access when they are free from compromise.
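To make the "continuously monitor and only allow access when healthy" idea concrete, here is an added example that is not code from the article, from NIST or from any MTD vendor: a policy function that takes the posture an MTD agent reports for a device and returns an access decision. The posture fields, the minimum OS versions, the freshness window and the three-tier decision (allow, restricted, deny) are all constructed assumptions for the demo; the point is that the decision is recomputed from the latest report every time, so a device that was allowed an hour ago is denied as soon as it reports a compromise or stops reporting at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy thresholds are constructed for this example, not taken from
# NIST SP 800-124 or any product; an agency would set its own.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0)}
MAX_POSTURE_AGE = timedelta(minutes=15)  # how fresh the MTD report must be


@dataclass
class DevicePosture:
    """Hypothetical posture snapshot as an MTD agent might report it (constructed)."""
    device_id: str
    platform: str           # "ios" or "android"
    os_version: tuple       # e.g. (17, 2)
    compromised: bool       # jailbreak/root or known malware detected
    risky_apps: list        # app identifiers flagged by app analysis
    network_threat: bool    # e.g. TLS interception or rogue hotspot seen
    reported_at: datetime   # when the agent last reported (UTC)


def evaluate_access(posture, now, sensitivity="standard"):
    """Return (decision, reasons) for one access request.

    decision is 'allow', 'restricted' (read-only) or 'deny'. With
    sensitivity 'high' any finding denies; with 'standard', lesser findings
    only restrict. Nothing is remembered between calls: every request is
    judged on the current report, which is what makes the check continuous.
    """
    hard = []   # findings that always deny
    soft = []   # findings that restrict (standard) or deny (high)

    if posture.compromised:
        hard.append("device compromised (jailbreak/root or malware)")
    if posture.network_threat:
        hard.append("active network threat reported")
    # A device that has gone quiet cannot be trusted just because it was
    # healthy last time; zero trust treats an unknown state as untrusted.
    if now - posture.reported_at > MAX_POSTURE_AGE:
        hard.append("posture report stale; device state unknown")

    if posture.os_version < MIN_OS_VERSION[posture.platform]:
        soft.append("OS below minimum patched version")
    if posture.risky_apps:
        soft.append("risky apps installed: " + ", ".join(posture.risky_apps))

    if hard:
        return "deny", hard + soft
    if soft:
        return ("deny" if sensitivity == "high" else "restricted"), soft
    return "allow", []


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed: the same device, first healthy, then after a jailbreak is
    # detected, then after it stops reporting.
    snapshots = [
        DevicePosture("d1", "ios", (17, 2), False, [], False, now - timedelta(minutes=2)),
        DevicePosture("d1", "ios", (17, 2), True, [], False, now - timedelta(minutes=1)),
        DevicePosture("d1", "ios", (17, 2), False, [], False, now - timedelta(hours=1)),
    ]
    for snap in snapshots:
        decision, reasons = evaluate_access(snap, now, sensitivity="high")
        print(f"{snap.device_id}: {decision} {reasons}")
```

The split between "hard" and "soft" findings is the design choice worth copying: an outdated OS on a low-sensitivity app can degrade gracefully to read-only access, but a reported compromise, an active network attack or silence from the agent denies regardless of what the device looked like on its previous check.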
NIST’s updates are an excellent start in a world that is constantly evolving, recognizing the wide range of solutions that are available. As NIST and the federal government as a whole continue to evolve their approach to mobile security, it will be important to ensure MTD is a key component of all telework programs.