Recent data commissioned by Lookout supports the fact that mobile phishing attacks are on the rise. We explore the findings in further detail, particularly focusing on the impact this is having on federal, state and local governments in the US. Steve Banda, Senior Manager, Security Solutions at Lookout, offers his expert opinion and advice on what CISOs should include in their cyber strategies for the year ahead.
Lookout, an endpoint to cloud security company, has released its 2022 Government Threat Report which examines the most prominent mobile threats affecting federal, state and local governments in the US.
Lookout data reveals mobile phishing and device vulnerability risk within US government agencies has increased since 2021. According to a Lookout analysis of data specific to federal, state and local government entities from the Lookout Security Graph, almost 50% of phishing attacks aimed at government personnel in 2021 sought to steal credentials, up from 30% in 2020.
In addition to the increase in phishing attacks for government employees, the report findings include:
● Federal, state and local governments increased their reliance on unmanaged mobile devices at a rate of 55% from 2020 to 2021, indicating a move towards BYOD to support a larger remote workforce.
● One in eight government employees were exposed to phishing threats. With more than 2 million federal government employees alone, this represents a significant potential attack surface, as it only takes one successful phishing attempt to compromise an entire agency.
● There was a steady rise in mobile phishing encounter rates for state and local governments across both managed and unmanaged devices, increasing at rates of 48% and 25% respectively from 2020 to 2021. This steady climb continued through the first half of 2022.
● Nearly 50% of state and local government Android users are running outdated operating systems, exposing them to hundreds of device vulnerabilities. This is an improvement versus 99% in 2020.
Government organisations store and transmit a variety of sensitive data, the security of which is essential to the well-being of hundreds of millions of people. In the case of government organisations, the potential fallout from a breach that results in leaked data, stolen credentials or a forced halt to operations due to ransomware can have a disproportionate impact compared to a typical cybersecurity incident.
Additionally, government employees use iOS, Android and ChromeOS devices every day to stay productive and increase efficiency. This makes them targets for cyberattackers, as their devices are a treasure trove of data and a gateway to government infrastructure. Only a modern endpoint protection solution can detect mobile threats in apps, device operating systems and network connections, while also protecting against credential harvesting and malware delivery attacks through phishing. Due to the personal nature of smartphones, tablets and Chromebooks, endpoint security must protect the user, the device and the organisation while respecting user privacy.
“It’s more important than ever for government agencies to keep pace with the evolution of the cyberthreat environment,” said Tony D’Angelo, Vice President, Americas Public Sector, Lookout. “Regardless of whether devices are managed, protecting these modern endpoints requires a different approach – one that is built from the ground up for mobile. Only a modern endpoint protection solution can detect mobile threats in apps, device operating systems and network connections while also protecting against phishing attacks that steal credentials and deliver malware.”
Steve Banda, Senior Manager, Security Solutions at Lookout, provides some further insight into the findings and suggests how governments can keep pace with the evolution of the cyberthreat environment.
How damaging are these types of attacks to a government organisation compared to a typical cyberattack and how can they be avoided?
Mobile devices are a threat vector, among others, for cybercriminals to exploit an environment. Attacks on mobile devices are unique in that they are designed to take advantage of how users interact with their devices and they seek to exploit specific device and app vulnerabilities. However, it doesn’t make any sense to categorise any cyberattack as ‘typical’ since attackers generally use any tools available to them. Mobile devices are just another way for attackers to then conduct a broader attack.
Consider ransomware, for example: these attacks often start with phishing end users on any device – whether a mobile or a fixed device – to steal credentials, and then use those credentials to gain access to a corporate environment. Mobile phishing, whether via SMS, email or messaging apps, is a primary vector an attacker can use to obtain credentials, bypass MFA controls and enter an environment.
Why do you think mobile phishing and device vulnerability risk has increased within US government agencies since 2021?
Remote work is here to stay, and with it, so has employee reliance on personal mobile devices. These devices are difficult to monitor and keep up to date, presenting a unique security challenge for US local, state and federal government organisations.
BYOD strategies provide government workers increased flexibility and productivity. This is likely one of the reasons the use of unmanaged devices increased an average of 55% across federal, state and local governments between 2020 and 2021, according to Lookout data. But that same data found that almost 50% of phishing attacks aimed at government personnel in 2021 sought to steal credentials. The combination of unmanaged devices and phishing attacks means that government agencies and departments are vulnerable as they continue to allow telework and the use of BYOD.
How would you suggest people best secure their mobile devices to ensure they protect against phishing attacks?
Attackers are primarily targeting individuals through mobile channels because of the number of ways they can get to an individual. SMS, iMessage, email, social media, third-party messaging apps, gaming and even dating apps all have messaging functionality that attackers use to socially engineer targets in the context of the app they’re using.
In order to protect themselves and their users, state and local governments need to implement mobile phishing protection that takes a Zero Trust approach across their entire user base. It’s critically important to extend these protections to both corporate-owned and personal devices. By proactively and automatically monitoring for threats on these often overlooked mobile devices, these solutions can provide increased visibility.
How can government agencies best keep pace with the evolution of the cyberthreat environment?
The use of personal mobile devices for work is not going away, so government entities need to develop a strategy that allows them to embrace unmanaged devices while staying secure and respecting the privacy of their employees.
One thing organisations can do is ask employees to only use personal devices from an approved list. But to truly mitigate threats against phishing, credential harvesting and OS vulnerabilities, you need a dedicated mobile security solution that takes a Zero Trust approach. As both President Biden and the Office of Management and Budget (OMB) provide guidance on Zero Trust, all government organisations need to ensure that they take into account all mobile endpoint risks as part of their Zero Trust architecture.
What should CISOs be including in their cyber strategies for the year ahead, considering the increase in mobile attacks?
Protecting against mobile phishing is a critical part of any modern security posture as this is the most common threat vector for credential compromise, which actors use to kick off more advanced attacks like ransomware.
The changes in how we work have expanded the risk landscape for every organisation as employees use a mix of personal or unmanaged devices and networks to access sensitive data.
Without the right solutions in place, organisations are leaving their employees exposed to advanced threats that take advantage of the lack of protection employees have on personal devices and networks.
Context-based data access is the best way for organisations to institute Zero Trust in the hybrid work environment. Understanding clues such as location, device type and user risk posture can be crucial when trying to identify compromised accounts being leveraged by threat actors.
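The context-based access decision described above, together with the outdated-OS and unmanaged-device signals the report highlights, can be expressed as a small policy engine. The following is an added illustration, not code from Lookout or from the report: the signal names, risk thresholds, per-sensitivity score limits and minimum OS versions are all hypothetical values chosen for the example, and the sample sign-in contexts are constructed.

```python
"""
Context-based (Zero Trust) access decision for a mobile sign-in.

Added example. Every signal name, threshold and minimum OS version below is a
hypothetical value for illustration; a real deployment would take them from
its identity provider, MDM / mobile threat defence feed and written policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical minimum patched OS versions per platform (constructed values).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "android": (12, 0),
    "ios": (15, 0),
    "chromeos": (100, 0),
}

# Score at which a request is stepped up (re-prompt for MFA) or denied,
# tightening as the data being accessed becomes more sensitive.
THRESHOLDS = {
    "public":     {"step_up": 3, "deny": 5},
    "internal":   {"step_up": 2, "deny": 4},
    "restricted": {"step_up": 1, "deny": 3},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.1.3' -> (12, 1, 3); a suffix such as '13.0-beta' parses as (13, 0)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_outdated(platform: str, version: str) -> bool:
    """True when the reported OS is below the platform's minimum (fail closed on unknown platforms)."""
    minimum = MIN_OS_VERSION.get(platform.lower())
    if minimum is None:
        return True
    return parse_version(version) < minimum


@dataclass
class AccessContext:
    user: str
    platform: str
    os_version: str
    device_managed: bool       # enrolled in MDM, or a personal (BYOD) device
    country: str               # country of the current sign-in
    usual_countries: List[str]
    user_risk: float           # 0.0 (clean) .. 1.0 (probable compromise), from the IdP / MTD feed
    mfa_passed: bool
    data_sensitivity: str      # "public" | "internal" | "restricted"


@dataclass
class Decision:
    action: str                # "allow" | "step_up" | "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(ctx: AccessContext) -> Decision:
    """Combine device posture, location and user-risk signals into one decision."""
    if ctx.user_risk >= 0.8:
        return Decision("deny", ["user risk score indicates probable account compromise"])

    reasons, score = [], 0
    if version_outdated(ctx.platform, ctx.os_version):
        reasons.append(f"{ctx.platform} {ctx.os_version} is below the minimum patched version")
        score += 2
    if not ctx.device_managed:
        reasons.append("unmanaged (BYOD) device")
        score += 1
    if ctx.country not in ctx.usual_countries:
        reasons.append(f"sign-in from unusual location {ctx.country}")
        score += 2
    if ctx.user_risk >= 0.5:
        reasons.append("elevated user risk score")
        score += 1
    if not ctx.mfa_passed:
        reasons.append("session has not completed MFA")
        score += 1

    limits = THRESHOLDS.get(ctx.data_sensitivity, THRESHOLDS["restricted"])
    if score >= limits["deny"]:
        return Decision("deny", reasons)
    if score >= limits["step_up"]:
        return Decision("step_up", reasons)
    return Decision("allow", reasons)


# Constructed sample sign-ins covering the common cases.
SAMPLE_CONTEXTS = [
    AccessContext("alice", "ios", "16.1", True, "US", ["US"], 0.1, True, "internal"),
    AccessContext("bob", "android", "10", False, "US", ["US"], 0.2, True, "restricted"),
    AccessContext("carol", "android", "13", True, "RO", ["US"], 0.6, True, "internal"),
    AccessContext("dave", "chromeos", "102.0.5005", True, "US", ["US"], 0.9, True, "public"),
]


def run_samples() -> Dict[str, str]:
    """Evaluate every sample and return user -> action."""
    return {ctx.user: evaluate(ctx).action for ctx in SAMPLE_CONTEXTS}


if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        decision = evaluate(ctx)
        print(f"{ctx.user:6} {decision.action:8} {'; '.join(decision.reasons)}")
```

The scoring is deliberately additive so that a single weak signal (an unmanaged device reading public data) only triggers a re-authentication, while the same device running an outdated Android build and reaching for restricted data is refused outright. A hard cut-off on the user risk score sits above the scoring so that a probable compromised account is denied regardless of how healthy the device looks.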