In the wake of concerns that White House Chief of Staff John Kelly's personal smartphone was breached, I'm not surprised to hear reports that the White House is considering an outright ban on personal smartphones in the workplace. This recognition that mobile devices are insecure is a step in the right direction, but I have to wonder, is a ban the answer?
It is encouraging to see government leaders recognize the threats mobile devices pose to government security. Microphones, cameras, and the sheer volume of personal and work data accessible on our phones have made mobile devices the ideal weapon for cyber espionage. Using a targeted surveillanceware attack, a malicious actor can control the microphone to listen to private conversations; turn on the camera to take pictures of the surrounding area; or steal information flowing through the device. As Lookout has reported, mobile attacks are real, and high value individuals, such as those that work in the White House, are prime targets. That said, bans are not effective at reducing risk.
Employees will do what they want anyway
In a 2015 study of federal employees, Lookout found that 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the guidelines have little to no impact on their behavior. Roughly the same amount (37 percent) were willing to sacrifice government security to use a personal mobile device at work.
Morale and productivity will be seriously hindered
Staying connected with friends and family while at work is critical for employee morale in this day and age, and limiting employees to government issued devices may not be sufficient. Government issued mobile devices are often configured so that they are unable to send text messages. Most government computer networks block employees from accessing personal accounts, such as Gmail and Facebook. Furthermore, requiring employees to leave work in order to tend to personal business could have a serious impact on productivity -- a counter productive solution when mobile devices are designed to help improve workplace productivity.
Employee personal privacy is at risk
Plus, there are serious personal privacy concerns when an agency requires employees to use their government devices for personal calls. Records of calls placed to and from a government mobile phone would be archived and eventually made public as per government record keeping requirements.
"Technology exists so that government agencies do not need to implement morale and productivity-crushing bans on personal devices in the workplace."
Protecting classified government data without a ban
There must be another way - and indeed there is. Technology exists so that government agencies do not need to implement morale and productivity-crushing bans on personal devices in the workplace. I recommend the White House, and any other agency considering this extreme of a measure, to instead implement the following:
- Ensure that only government issued devices are able to access government email to prevent employees from accessing their email -- and thus sensitive government data -- from potentially insecure personal devices. Agencies should require not just mobile device management, but also mobile threat defense on government issued devices in order for employees to access government email. Where mobile device management allows for broad oversight of devices and policy enforcement, it does not protect against the attacks likely to target a government agency, such as spyware. By establishing true security requirements in order to access email, you can reduce the risk of employees using personal devices for government business.
- Allow employees to bring their personal devices to work, but require privacy-conscious mobile security to be installed before allowing those devices to access the government Wi-Fi network. Make sure this is a separate guest network that cannot access government resources.
- Continue existing precautions, such as requiring employees to leave smartphones outside of meeting rooms where sensitive or classified information is discussed.
- Educate employees so they understand the severity of mobile threats and how ignoring security warnings could put the mission and even national security at risk.
I commend government officials for recognizing the importance of securing mobile devices, but I implore government IT leaders to question if an outright ban of personal devices is the right choice. Bans can negatively impact employee morale and productivity, both of which are critical to the success of the mission. Visibility and control can still be achieved without bans that ultimately may be circumvented, opening the door for undetected security breaches.
Want to learn more about how Lookout can protect agencies from sensitive data breach via mobile? Contact us today.
Book a personalized, no-pressure demo today to learn:
Discover how adversaries use non-traditional methods for phishing on iOS/Android, see real-world examples of threats, and learn how an integrated security platform safeguards your organization.
