Connecting state and local government leaders
A cybersecurity report found that 25% of state and local government employees use personal digital devices to telework while only 9% of federal employees do so.
Nearly a quarter of state and local government employees use personal phones and tablets for work, putting them at higher risk for phishing attacks and other cyber intrusions, according to a new cybersecurity report.
Local governments have battled an onslaught of ransomware attacks and cybersecurity threats in recent years, including this month’s breach of a water treatment plant in Florida. But as government employees shifted to work from home during the coronavirus pandemic, the report from mobile security firm Lookout highlights one way that telework can put agencies at greater risk.
Using personal devices can provide employees greater flexibility to work from home, but “these unmanaged personal devices are more frequently exposed to phishing sites than managed devices,” the Lookout report found. “This is because personal unmanaged devices connect to a broader range of websites and use a greater variety of apps.”
By comparison, only about 9% of federal government employees use personal devices for work.
The report also provides insights on a shift in the type of cyberattacks targeting state and local government workers.
In 2019, 56% of phishing attacks on state and local governments attempted to capture administrative or log in credentials and 70% attempted to install malware, according to Lookout. But last year, 70% of attacks focused on capturing credentials that could be used to access government systems and 31% of the attacks attempted to install malware.
“That tells me that there is a serious driver to get inside, to stay inside, and to try to exfiltrate information over time,” said Steve Banda, a security solutions expert at Lookout. “That’s pretty alarming and that was both across federal and state and local.”
Lookout, which develops cloud-based security software for mobile devices, analyzed data from customers that use its products on iOS and Android devices to determine the type of threats posed to state and local government entities.
It remains to be seen to what degree telework will continue among state and local governments as the pandemic subsides. As of October, about 16% of state and local government employees worked remote full time, according to a survey from the Center for State and Local Government Excellence.
While the increase in telework has exposed new cybersecurity vulnerabilities, local government employees shouldn’t have to forego the use of personal devices for work, Banda said. To provide an adequate level of protection, government IT departments should first start with a list of devices that meet security thresholds and are approved to be used for work purposes. They should also employ endpoint detection and response technology that can monitor the devices connected to a network and flag suspicious activity.
That, in combination with regular software updates and training on cybersecurity best practices, can help reduce the security vulnerabilities tied to personal devices, Banda said.
“With the proper protection in place, I think it’s perfectly acceptable for government employees to use personal devices,” he added.
Andrea Noble is a staff correspondent with Route Fifty.