According to a report released Wednesday by the endpoint-to-cloud security company, nearly 50% of all phishing attacks targeted at government personnel in 2021 were aimed at stealing the credentials of federal, state and local government employees.

Phishing attacks on civil servants increased 30% from 2020 to 2021, with one out of every eight workers exposed to phishing threats during this period, according to the report, which Lookout based on analysis of data from 200 million devices and 175 million apps. The company serves federal, state and local government customers.

While mobile phishing attacks outside the public sector are dominated by malware delivery, credential theft is on the rise in government: it increased 47% in 2021 compared to the previous year, while malware delivery declined 12% during the same period.

Compromised credentials give threat actors an easy way to get their hands on the valuable data that governments hold.

“The first thing that comes to mind is nation-state actors trying to establish a presence on government networks,” said Mike Fleck, senior director of sales engineering at cloud-based security provider Siren in McLean, Va.

“Fraudsters will also be interested in access – think fake unemployment claims and ‘cleaning up’ of stolen vehicles,” he told TechNewsWorld.

“When it comes to government,” said Lookout Senior Manager for Security Solutions Steve Banda, “there is going to be some highly confidential information available that is going to be valuable to some party somewhere, either a malicious person or nation state.”

BYOD Expansion in Government

The report also noted that all levels of government are increasing their reliance on unmanaged mobile devices. The use of unmanaged devices in the federal government increased by about 5% from 2020 to 2021 – and closer to 14% for state and local governments during the same period.

“We’ve seen a lot of change in what organizations are starting to do with mobile devices,” Banda told TechNewsWorld. “There is a big shift toward unmanaged, especially as agencies become more comfortable adopting BYOD strategies.”

“Remote work has certainly accelerated BYOD,” he said.

While the increased use of unmanaged devices suggests an expansion of remote working, it may also reflect a recognition of the benefits of BYOD for employees and agencies.

“I’ve had separate work and personal phones before, and it’s very easy to do everything on one device,” Fleck said.

“Covid forced remote work faster than any government procurement cycle,” he explained. “It is understandable that agencies were forced to adopt BYOD policy faster than their ability to purchase and deploy mobile device management platforms.”

Greater Phishing Exposure

Permitting the use of unmanaged devices also indicates that agencies are finding that employees can work effectively remotely, maintained Krone, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“Modern software and tools allow for unprecedented collaboration capabilities, and the tools being used are more capable than ever,” he told TechNewsWorld.

“With the onset of Covid forcing many organizations that were resistant to working remotely to implement the strategy, a lot of organizations have seen benefits in allowing this to continue,” he said.

More than a third of state and local government employees are using personal devices for work in 2021, the report said, adding that these agencies are leading the adoption of BYOD.

While this offers employees more flexibility, the report acknowledged that these unmanaged devices are exposed to phishing sites more frequently than managed devices, because unmanaged personal devices connect to a wider range of websites and use a more diverse set of apps.

“My experience shows that remote workers may be more vulnerable to phishing because they are working in an environment that blurs the line between job and home life, where they become more comfortable and less alert than they are in the office,” Krone said.

Ray Stein, CSO of Mainspring, a provider of managed IT services in Frederick, Md., said remote workers are no more likely to fall for a phishing scam than other employees.

“But without the supervision or protection of an enterprise firewall, it’s easy to reach them through different channels,” he told TechNewsWorld. “This increases the number of phishing scams they are exposed to, leaving them more vulnerable than long-term office workers.”

Older Android Versions

The report had good and bad news about government employees running older versions of Android on their phones.

The bad news was that nearly 50% of state and local government employees are running older versions of the Android operating system, exposing their devices to hundreds of known vulnerabilities.

The good news is that this marks a significant improvement in 2021, after 99% of mobile devices had been running older versions of the operating system.

The report states that keeping the mobile operating system up to date is the best form of cyber security. However, government agencies or departments may choose to delay an update until their proprietary apps have been tested against it, the report continued. This delay creates a window of vulnerability during which a threat actor can use a mobile device to access an organization’s infrastructure and steal data.

“New releases or versions of the OS build on their previous releases, including all security enhancements and improvements,” said Stuart Jones, director of the Cloudmark division at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“Without the latest version of the OS,” he told TechNewsWorld, “the benefits of these enhancements are not available on the device or for the user.”

Stein said that in 2021, Google’s Threat Analysis Group (TAG) discovered at least nine zero-days affecting its products, including Android devices.

“Patches for those vulnerabilities were included in Android updates, but users stuck on older OS versions may not benefit from them,” he said.

Need for Extreme Caution

Banda said it can be challenging to keep pace with Android due to its fragmented environment.

“To update to a certain level, you must have the correct combination of mobile operator and device manufacturer’s firmware,” he explained. “There are a number of factors that determine whether you can take a release.”

Not only does this make it difficult for users to keep their Android version current, but it also makes it difficult for employers to keep the devices secure. “A company needs to know who is running which version of Android,” Banda said. “They have to figure out how to get that visibility and create policies so everyone can get up to speed on the latest version available to them.”

After working in the federal space for most of his career, Sami Allini, a biometrics specialist at Contrast Security, a maker of self-protecting software solutions in Los Altos, Calif., said he is troubled by how long adversaries will keep exploiting and infiltrating government institutions.

“As an activist in this field, one must be vigilant about all interactions, including those with colleagues,” he told TechNewsWorld. “As this report shows, phishing, a form of social engineering, is on the rise, and for good reason. Social engineering is one of the most effective ways to gain access to information or property that someone shouldn’t have access to.”

A C-level executive will be fired in 2023 over his firm’s use of employee monitoring. This is one of the security, privacy and risk predictions released by Forrester on Monday.

In the coming year, lawmakers will pay more attention to workplace surveillance, and whistleblowers may also demand surveillance information to support complaints about labor law violations, according to predictions put together by 10 Forrester analysts.

Analysts advise companies to prioritize privacy rights and employee experience when implementing any monitoring technology, whether for productivity, return to office strategies, or insider risk management.

“People in the C-suite need to be aware of their surveillance and of people’s privacy, and ideally they’ll have a third-party audit behind them to make sure they are complying with the applicable rules,” said Joe Stanford, head of Global Security & Privacy for Platform.sh, a global platform-as-a-service provider.

“We have a new generation of employees coming in that cares about privacy rights,” he told TechNewsWorld.

Timothy Twohey, a privacy attorney with Greenberg Glusker in Los Angeles, agreed that a breach of employee or customer privacy could bring down an executive in the future.

“In light of the FTC’s Drizly decision, officials are very much in the crosshairs,” he told TechNewsWorld. “If there’s a case where there’s insufficient security, no protection plan, or there’s a prior violation that’s been overlooked, I can see someone from the C-suite being put on the chopping block.”

In the Drizly case, the Federal Trade Commission announced in October that it would impose personal sanctions against the CEO of that alcohol delivery company for data privacy abuses that allegedly resulted in the disclosure of the personal information of nearly 2.5 million customers.

Security Team Burnout

Forrester also predicted that a Global 500 firm will be exposed for burning out its cybersecurity staff in 2023.

Analysts said security teams are already under-staffed. They cite a 2022 study that found that 66% of security team members experience significant stress at work, and 64% reported that work stress had affected their mental health.

They added that security employees are expected to be available 24/7 during major events, to be on top of every risk, to deliver results in a limited time frame, and to face pushback when making budget requests.

“Today, every security team, including my own, has been burned,” Stanford said. “The reason we burn is because we don’t have enough money. Why don’t we have enough money? Because security is treated as a cost center.”

The rise in supply chain attacks and the need to monitor more third-party risk are also contributing to burnout, said Brad Hibbert, COO and CSO of Prevalent Networks, a third-party risk consulting company.

“Companies are trying to get more visibility into more third parties,” he told TechNewsWorld. “That means they have to do more third-party assessments. To do that, the security teams need to do more work. We’re finding that the teams are hitting a wall. They cannot scale up their programs effectively and efficiently without burning out the security teams.”

Resetting Expectations

Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., observed that cybersecurity employee burnout is a real thing.

“I have been in the cyber security world for over 34 years now, and during that time I have had to mentor many people who were completely burned out in this area, mostly because they were working hard to prevent cybercrime, and what they were doing was not working and was likely never going to work,” he told TechNewsWorld.

“They have left the cyber security field to become artists, writers, and even to take work that could be seen as ‘menial labor,’ because they at least felt that their new jobs were making a difference in people’s lives,” he said.

“I get it. Who wants to be at the high-speed hamster wheel and never move, never solve the problem you were hired to solve?” Grimes asked.

“I recommend that cyber security professionals adopt a police-like mindset for their work,” he continued. “Don’t think you’re ever going to be a complete problem solver. Be like a beat cop who knows his town is full of crime, most of which he can’t stop, and it’s all around him. And every cop keeps his head down, doing the best he can, and if he does the best he can against the crime in front of him, he’s done a great job.”

“If you don’t want to get burned out, reset your expectations, do the best you can within what you are able to control, and measure your success by what you can influence,” he advised.

Ambitious Prediction

Another Forrester prediction: More than 50% of chief risk officers will report directly to their organization’s CEO.

In 2022, risk became a major topic at security conferences such as Black Hat, analysts said. It has surpassed compliance as the primary driver for governance, risk and compliance technology investments as the level of risk for enterprises has increased.

They also noted that the risk priorities of firms are shifting from compliance to flexibility. Executives and boards are looking for a CRO to help identify new business opportunities.

The ERM Initiative and AICPA’s 2022 State of Risk Oversight study shows that 44% of firms have a CRO, of which 47% report to the CEO, they said. To ensure that ERM programs receive the required level of executive visibility and support, more CROs will report to CEOs in 2023, they noted.

Jason Hicks, field CISO and executive advisor at Coalfire, a provider of cybersecurity advisory services in Westminster, Colo., found Forrester’s 50% prediction a bit ambitious.

“Security and risk executives have been pushing for this change for years,” he told TechNewsWorld. “Internal company politics is a very significant constraint on this.”

“I expect to see more security executives reporting to the CEO, but not 50% next year,” he said. “I will expand the titles to include CISO and CSO, as the CRO title is most prevalent in financial services and may not exist in other verticals as a standalone role.”

Getting into MDR Business

Forrester also predicts that at least three cyber insurance underwriters will acquire a managed detection and response (MDR) provider in 2023.

While insurance providers began a more rigorous underwriting process in 2022, increased premiums and blind spots in coverage still exist, analysts explained.

They expect insurers to move aggressively into cybersecurity by acquiring MDR firms, many of which will be looking to exit a market that is too competitive.

Hicks agreed with Forrester’s forecasters. “This is a good way to add ARR [annual recurring revenue] to their revenue mix,” he said.

“We have already seen Aon and others buy out incident response firms, so this is another synergistic investment for insurers,” he continued. “It can also be a good way to manage staffing challenges, as many MDR firms also have incident response staff.”