How State and Local Agencies Can Better Protect Mobile Devices from Hackers

Any organization could be the target of cybercriminals, but government entities are particularly attractive. Both citizen and operational data is deemed valuable on the open market, and critical infrastructure systems have become prime targets for ransomware threats given their community-sustaining stature. In fact, cyberattacks against state and local agencies were up 50% in 2020, with many disrupting healthcare, transportation and utility services – and all impacting taxpayers. Between 2017-2020, the average U.S. municipality paid $125,697 per ransomware event, which is a fraction of what agencies spent to recover. Therefore, it’s critical to be proactive and disciplined with cybersecurity, even if it requires a greater upfront investment.

Regulating Access and Reducing Risk

Information system designs may not be consistent from one entity to the next. And each jurisdiction may use different technologies to manage public works, public safety and other citizen services. But cybersecurity best practices can be applied in a standardized way to keep connected devices from becoming easy points of entry. 

For example, a quarter of state and local government employees are authorized to use their smartphones and tablets to conduct official business. Yet, mobile devices are among the easiest ways for bad actors to gain intel and access systems given their public exposure and traditionally more relaxed use—a notable concern as more public employees have switched to remote and hybrid work arrangements during the pandemic. That is why every employee should be issued an agency-owned, enterprise-grade mobile computer or tablet if access to government email, information or operations systems is required outside a secure office setting. If employees telework or spend a lot of the time in the field around civilians, the agency that maintains full ownership and control over devices can take extra measures to minimize the risk of device theft and data breaches.

Be Deliberate and Consistent Management

Once employees are equipped with agency-owned devices, there are several best practices that can be adopted by IT teams and employees to further reduce device vulnerabilities and proactively mitigate attacks on connected networks:

• Control the user experience. Remove apps and turn off technology services that are not needed to conduct official business. Load communications apps that have been vetted, configured and secured for government use, such as Zoom Gov or Microsoft 365 Government.
• Be stricter with password policies. Compromised credentials are still one of the most common culprits of hacking-related breaches. So, activate user interface passwords for all government-connected technologies and require users to change them often. Require longer passwords with more complex character combinations.
• Track devices and activity. Enable activity logs and conduct frequent audits to detect bad behavior.

• Monitor for out-of-touch devices. Develop a method to continuously monitor for devices that have appeared offline or out of sight for a prolonged period. When you suspect a device has been compromised, withdraw its credentials until you can confirm its location and that the employee has maintained physical control. 
• Consider remote management. Leverage a secure remote management system to quickly update settings for all devices, especially when IT teams or workers are off site. The longer devices, solutions and systems use out-of-date settings, the easier targets they become.
• Keep the circle small. Limit the number of employees brought in the loop on your security strategy and tactics to reduce the risk of information leaks.

Plan for New Technology Solutions and Their Retirement 

Not every mobile computer or tablet has the same security capabilities, even if they run the same operating system OS (i.e., Android) or fall into the same device class (i.e., rugged enterprise). That’s why it’s important to understand what it will take to protect new technology solutions – and the other devices and networks to which they’ll connect – before a formal solicitation or requisition is issued. It will be easier to choose solutions that support encrypted and authenticated connections as well as continuous updates. 

Rugged enterprise-grade mobile devices tested and certified for government use will likely be in service for several years, and both wireless connectivity and security needs will evolve. Multiple network connections will need to be maintained. Frequent patches and OS updates will be required to keep devices defenses strong against external threats. And permissions may need to be changed on occasion to prevent file tampering. 

It’s also important to assess C.I.A. daily: confidentiality, integrity and availability. Security planning is not a one-time event. In fact, it’s never too early to plan for device retirement. 

Enterprise system settings will need to be removed and device user accounts/credentials deleted. Define that process early on in case devices are taken out of service sooner than expected. Just remember to disconnect everything. If existing systems are hardcoded to look for retired units, adversaries could inadvertently stumble upon unmonitored devices, one of the easiest ways to access information and infrastructure systems.