Lookout Finds Federal Employees, Too, Flout BYOD Prohibitions

Good news and bad news: Government employees are no better behaved than your co-workers when it comes to mobile-security discipline.

A study of 1,000 U.S. federal employees, buttressed by its own data from 70 million consumer users, tells mobile-security provider Lookout that federal employees are using personal devices to access potentially sensitive government data, and a “significant number” engage in the sort of mobile behavior that exposes that data to risk.

Lookout’s State of Federal BYOD report reveals that mobile devices are extremely prevalent in federal agencies, even where official policy prohibits their use. An analysis of 20 federal agencies found 14,622 Lookout-enabled devices associated with those agencies’ networks. Those devices encountered 1,781 app-based threats, as reported (and averted) by the Lookout app and SaaS.

Released Wednesday, the report turns up incidents of rooting, jailbreaking, and uploading unsanctioned applications from places other than official app stores, such as websites or email links.

“The cybersecurity practices, or lack thereof, of the federal government are under the microscope in the wake of the OPM [Office of Personnel Management] hack. Yet hardly anyone is scrutinizing the unsanctioned use of mobile devices that could be putting government data at risk,” said Bob Stevens, vice president of Federal Systems at Lookout. This report shows that rules, policies and employee education alone are insufficient in stopping risky or threatening events before they cause damage.”

Among Lookout’s chief findings:

• Twenty-four percent of federal employees send work documents to personal email accounts.
• Fifty percent use their personal devices for work email and 17 percent store work-related documents on personal file-sharing apps.
• Seven percent of federal employees are jailbreaking or rooting the devices they bring to or use at work. Fifty-seven percent of those have access to work documents on that device and 65 percent have access to work email. Since jailbroken or rooted devices are not patched or supported by their OS providers, they develop new vulnerabilities that attackers can exploit.
• Twenty-four percent of federal employees (21 percent of iPhone users and 25 percent of Android users) have side-loaded apps to their mobile devices from places …

• … other than official app stores.
• Eighteen percent of federal employees with smartphones (personal or government-issued) report encountering malicious software.
• Nearly 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior.
• Nearly half (49 percent) have no security app or solution installed on the mobile devices they use at or bring to work. Thirteen percent of them use these unsecured devices for reading or downloading work-related documents.

Asked how Lookout collected data beyond the scope of the survey, Stevens noted, “We have more than 70 million consumer users worldwide and a lot of them, of course, work in business or government. As they bring their devices into the workplace and connect to their organization’s publicly known IP addresses, we begin to have insight into the risks that mobile devices introduce to their organizations.

“To be clear, because they are Lookout users, they are protected from the threats they encountered. We are sharing this data is to illustrate that personal devices are indeed being brought into federal agencies, and to show that while the Lookout users are protected from threats, there are certainly other, unprotected devices accessing sensitive data.” 

Lookout is available for consumers via app download, in free or premium versions. For enterprise and government customers, Lookout’s partner page says it is “establishing a sustainable enterprise growth engine exclusively through channel partners.”