As vice president of Americas at data security firm Lookout, Bob Stevens leverages three decades of IT and cybersecurity experience to provide mobile threat visibility and protection to enterprise and government entities.
Prior to Lookout, Stevens was in charge of the Symantec federal team, helping agencies secure their data. Before that, he led the Juniper Network federal team and has held leadership positions at Network Equipment Technologies, Bivio Networks and Brocade Communications.
Before entering the private sector, Stevens served in the U.S. Air Force as a computer specialist at the White House Communications Agency. He is an avid golfer and loves cycling, running, boating and camping.
Here, he sheds light on nuanced security problems posed by increased use of mobile devices, the limitations of mobile device management, cybersecurity challenges amid the COVID-19 era and options to bolster security.
What should agencies know about mobile security for telework many federal IT leaders don’t realize?
Agencies need to understand that security for mobile devices cannot be treated like security for desktop computers, especially in this new age of telework. Mobile devices are inherently personal and trusted because we bring them with us everywhere. Unlike an agency employee’s work computer, they will use their mobile device for personal matters. We also react quicker to messages on mobile devices and believe they’re more secure, which means we are more susceptible to social engineering attacks.
Mobile also opens an organization up to a larger number of attack vectors. Communication channels like messaging apps, social media and SMS texting are hosted on the same device with corporate apps and email providing more ways to deliver malicious phishing links. In addition, mobile devices are outside of the office network all the time. As a result, they are often not under the protection of network-based security solutions.
Many agencies have a mobile device management solution in place — is mobile security fully addressed by MDM? What’s missing?
It’s a misconception that MDM is mobile security. MDM solutions are great at managing devices and applying policies, but they have limited threat defense capabilities. That’s where a mobile threat defense solution comes in. MTD can detect threats, notify of incidents and block access to agency resources. You need both to properly manage and defend against mobile threats.
Has COVID-19’s impact influenced mobile security?
It’s another crisis for bad actors to leverage. In just the first quarter of 2020, Lookout found two COVID-19-themed surveillanceware campaigns — one out of Libya and the other with ties to a Syrian state-sponsored hacking group. Further complicating matters is the fact that we are all working from home right now and using our mobile devices more, which makes it increasingly lucrative for bad actors to send out mobile-specific phishing attacks.
This is where education becomes important. Agencies need to make sure that their employees understand that phishing on mobile is different from traditional email campaigns. For one, there are many more delivery methods — such as SMS messaging, social media and messaging apps. It’s also harder to spot phishing messages. The mobile user experience and smaller screen makes it difficult to check whether the sender’s address or the link are legitimate.
As more federal employees and contractors telework, how do mobile security needs change? What can IT leaders do to keep their organization secure?
Agencies and contractors will have to be aware of two main factors. One is that employees will use their personal mobile devices more to keep up with work. And as a result, they will likely encounter more phishing threats. The other aspect is that office-based security solutions are no longer applicable for telework because everyone is using their home internet.
So in a telework environment, agencies and contractors need to make sure that their security solutions are aligned with a zero-trust model. Employees’ mobile devices should be continuously validated to be up-to-date and free of vulnerabilities before being allowed to access agency data.
What do contractors specifically need to know about mobile security and how do initiatives like the Cybersecurity Maturity Model Certification relate?
Contractors face the same mobile threats as federal agencies and are often targeted to gain access to sensitive government information systems. They also should realize that MDM is not enough to keep them safe nor does it help them fully comply with the CMMC.
Mobile security is a major component in CMMC and a lot of the requirements can’t be fulfilled with MDM. For example, CMMC requires contractors to be able to detect and report cybersecurity events as well as identify and evaluate risks. These functions are only found in MTD.
Lookout recently received its Federal Risk and Authorization Management Program Joint Authorization Board Provisional Authority to Operate. What does that mean for the market?
First of all, this authorization means a lot to us. FedRAMP Joint Advisory Board P-ATO is one of the most comprehensive risk assessments of a cloud service offering (and Lookout is now the only mobile endpoint security solution to earn the authorization.
But more importantly, it means we can now help agencies across the federal government. And as agencies accelerate their shift to a telework environment, mobile security is now more important than ever. With the FedRAMP authorization, federal agencies can be confident that Lookout has the qualification to help them with our mobile security solutions and expertise.