Recent data commissioned by Lookout supports the fact that mobile phishing attacks are on the rise. We explore the findings in more detail, especially focusing on the impact this has on federal, state and local governments in the US. Steve Banda, Senior Manager, Security Solutions at Lookout, offers expert opinion and advice on what CISOs should include in their cyber strategy for the year ahead.
Lookout, an endpoint-to-cloud security company, has released its 2022 Government Threat Report, which examines the most prominent mobile threats affecting federal, state and local governments in the US.
Lookout data reveals that mobile phishing and device vulnerability risks in US government agencies have increased since 2021. According to Lookout’s analysis of data specific to federal, state and local government agencies from the Lookout Security Graph, nearly 50% of phishing attacks aimed at government personnel in 2021 sought to steal credentials, up from 30% in 2020.
In addition to the increase in phishing attacks on government employees, the report’s findings include:
● Federal, state and local governments increased their reliance on unmanaged mobile devices by 55% from 2020 to 2021, indicating a move towards BYOD to support a larger remote workforce.
● One-in-eight government workers are exposed to phishing threats. With more than 2 million federal government employees alone, this represents a significant potential attack surface because it only takes one successful phishing attempt to compromise an entire agency.
● There is a steady increase in mobile phishing encounter rates for state and local governments across both managed and unmanaged devices, increasing in rates by 48% and 25% respectively from 2020 to 2021. This steady climb continues through the first half of 2022.
● Nearly 50% of state and local Android users run outdated operating systems, exposing them to hundreds of device vulnerabilities. This is down from 99% in 2020.
Government organizations store and transmit a variety of sensitive data, the security of which is critical to the well-being of hundreds of millions of people. In the case of government organizations, the potential fallout from breaches that lead to leaked data, stolen credentials or forced shutdowns due to ransomware can have a disproportionate impact compared to regular cybersecurity incidents.
Additionally, government workers use Android, iOS and ChromeOS devices every day to stay productive and improve efficiency. This makes them a target for cyberattackers because their devices are treasure troves of data and gateways to government infrastructure. Only modern endpoint protection solutions can detect mobile threats across applications, device operating systems and network connections, while also protecting against credential harvesting and malware delivery attacks through phishing. Due to the private nature of smartphones, tablets and Chromebooks, endpoint security must protect users, devices and organizations while respecting user privacy.
“It is more important than ever for government agencies to keep pace with the evolution of the cyberthreat environment,” said Tony D’Angelo, Vice President, Americas Public Sector, Lookout. “Regardless of whether the device is managed, protecting these modern endpoints requires a different approach – one built from the ground up for mobile. Only a modern endpoint protection solution can detect mobile threats across applications, device operating systems and network connections while also protecting from phishing attacks that steal credentials and deliver malware.”
Steve Banda, Senior Manager, Security Solutions at Lookout, provided some more insight into the findings and showed how governments can keep up with the evolution of the cyberthreat environment.
How damaging are these types of attacks on government organizations compared to typical cyber attacks and how can they be avoided?
Mobile devices are a threat vector, among others, for cybercriminals to exploit the environment. Attacks on mobile devices are unique because they are designed to take advantage of how users interact with their devices and they seek to exploit specific device and application vulnerabilities. However, it makes no sense to categorize cyber attacks as ‘typical’ as attackers generally use whatever tools are available to them. Mobile devices are another way for attackers to carry out broader attacks.
Consider ransomware, for example: these attacks often begin with phishing end users on any device – whether mobile or fixed – to steal credentials and then use those credentials to gain access to the corporate environment. Mobile phishing, whether via SMS, email or messaging apps, is a major vector that attackers can use to gain credentials, bypass MFA controls and enter environments.
Do you think mobile phishing and device vulnerability risks have increased in US government agencies since 2021?
Remote work is here to stay, and with it, so is employee reliance on personal mobile devices. These devices are difficult to monitor and keep up to date, presenting unique security challenges for US local, state and federal government organizations.
BYOD strategy provides government employees with increased flexibility and productivity. This is likely one of the reasons the use of unmanaged devices increased by an average of 55% in federal, state and local governments between 2020–2021 according to Lookout data. But that same data found that nearly 50% of phishing attacks aimed at government personnel in 2021 sought to steal credentials. The combination of unmanaged devices and phishing attacks means that agencies and government departments are vulnerable as they continue to allow telework and BYOD use.
How would you recommend people best secure their mobile devices to ensure they are protected from phishing attacks?
Attackers primarily target individuals through mobile channels because of the number of ways they can reach individuals. SMS, iMessage, email, social media, third-party messaging apps, games and dating apps all have messaging functionality that attackers use to socially engineer targets in the context of the app they’re using.
In order to protect themselves and their users, state and local governments must implement mobile phishing protection that takes a Zero Trust approach across all of their user bases. It is important to extend this protection to both company-owned and personal devices. By proactively and automatically monitoring for threats on these often neglected mobile devices, this solution can improve visibility.
How can government agencies keep pace with the evolving cyberthreat environment?
The use of personal mobile devices for work is not going away, so government entities must develop strategies that allow them to embrace unattended devices while remaining secure and respectful of their employees’ privacy.
One thing organizations can do is ask employees to only use personal devices from an approved list. But to truly mitigate threats against phishing, credential harvesting and OS vulnerabilities, you need a dedicated mobile security solution that takes a Zero Trust approach. As President Biden and the Office of Management and Budget (OMB) provide guidance on Zero Trust, all government organizations must ensure that they consider all mobile endpoint risks as part of a Zero Trust architecture.
What should CISOs include in their cyber strategy for the year ahead, given the rise in mobile attacks?
Protecting against mobile phishing is a critical part of a modern security posture as this is the most common threat vector for credential compromise, which actors use to launch more advanced attacks such as ransomware.
Changes in the way we work have widened the risk landscape for every organization as employees use a mix of personal or unmanaged devices and networks to access sensitive data.
Without the right solutions, organizations leave their employees exposed to sophisticated threats that take advantage of employees’ lack of protection on personal devices and networks.
Context-based data access is the best way for organizations to establish Zero Trust in hybrid work environments. Understanding clues such as location, device type and user risk attitudes can be crucial when trying to identify compromised accounts leveraged by threat actors.
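The context-based access approach described in this answer can be made concrete as a small policy evaluator. The following is an added illustration, not Lookout’s code or any product’s decision logic: it combines the signals the interview names (device management state, outdated OS, location, recent phishing exposure) into a risk score and maps that score to allow, step-up or deny. Because the interview notes that phishing is used to bypass MFA, the step-up outcome is labelled as requiring a phishing-resistant authenticator rather than any MFA. All field names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Sign-in context as a conditional-access engine might see it.
# Field names and the sample values below are constructed for this example.
@dataclass
class SignInContext:
    user: str
    managed_device: bool            # enrolled in MDM/endpoint protection
    os_outdated: bool               # behind the current security patch level
    country: str                    # geolocation of this sign-in
    usual_country: str              # user's established location baseline
    recent_phishing_exposure: bool  # user hit a flagged phishing URL recently
    sensitivity: str                # classification of requested data: "low" | "high"


def risk_score(ctx: SignInContext) -> int:
    """Weighted sum of context signals. Weights are illustrative assumptions."""
    score = 0
    if not ctx.managed_device:
        score += 2   # unmanaged devices cannot be verified for posture
    if ctx.os_outdated:
        score += 2   # known, unpatched device vulnerabilities
    if ctx.country != ctx.usual_country:
        score += 3   # location anomaly, a common sign of a stolen credential
    if ctx.recent_phishing_exposure:
        score += 3   # credential may already be in an attacker's hands
    return score


def access_decision(ctx: SignInContext) -> str:
    """
    Map risk to an outcome. High-sensitivity data gets stricter thresholds.
    "step_up_phishing_resistant_mfa" means re-authenticate with an authenticator
    that cannot be replayed from a phishing page (e.g. FIDO2), not an SMS code.
    """
    score = risk_score(ctx)
    if ctx.sensitivity == "high":
        deny_at, step_up_at = 6, 2
    else:
        deny_at, step_up_at = 8, 4
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up_phishing_resistant_mfa"
    return "allow"


# Constructed sample sign-ins covering the main cases.
SAMPLE_SIGNINS = [
    SignInContext("analyst1", True, False, "US", "US", False, "high"),
    SignInContext("analyst2", False, True, "US", "US", False, "high"),
    SignInContext("analyst3", False, True, "XX", "US", True, "high"),
    SignInContext("clerk1", False, False, "US", "US", False, "low"),
    SignInContext("clerk2", False, True, "US", "US", False, "low"),
]


def evaluate_all(signins=SAMPLE_SIGNINS) -> dict:
    """Return {user: decision} so the policy can be reviewed or audited in bulk."""
    return {ctx.user: access_decision(ctx) for ctx in signins}


if __name__ == "__main__":
    for user, decision in evaluate_all().items():
        print(f"{user}: {decision}")
```

The point of separating `risk_score` from `access_decision` is auditability: a reviewer can see exactly which signal pushed a sign-in over a threshold, and the thresholds can be tuned per data classification without touching the signal logic.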