by Kenneth Corbin

Shadow BYOD runs rampant in federal government

News Analysis
Sep 01, 2015

A new survey highlights the extent to which government employees insist on bringing their own devices to work, despite rules to the contrary.


Government CIOs have been struggling mightily with developing prudent policies to enable employees to use their personal mobile devices for work without putting sensitive information at risk or otherwise compromising the security of agency systems.


As it turns out, many federal employees haven’t been waiting for those policies to take effect before introducing their devices into the workplace.

That’s according to a new survey from Lookout, a mobile security firm, that identifies a rampant problem of “shadow BYOD” and warns CIOs that “you have a BYOD program whether you know it or not.”

To be sure, some agencies maintain strict prohibitions on the use of personal devices to access government systems, but Lookout’s survey revealed that many workers simply ignore the rules.

In the poll of 1,000 government employees, half of the respondents say that they use their personal devices to access email, and 49 percent say they use them to download work documents.

Of employees at agencies with rules against the use of personal devices, 40 percent say that those restrictions “have little to no impact on their behavior.”

Wake-up call for Feds

“Federal agencies need to wake up to the fact that mobile devices have become a predominant tool for productivity,” Bob Stevens, Lookout’s vice president of federal systems, writes in an email. “Policies that flat out prohibit the use of mobile devices in the government are not keeping up with technology or realistic user behavior.”

Stevens argues that when it comes to mobile devices, the genie is essentially out of the bottle, that users have become so accustomed to the convenience of their own smartphones and tablets that they will bring them into the workplace with or without the blessing of the CIO or CISO.

The data from the survey seems to support that trend. In addition to the large minority of users who admit that they ignore their agency’s policy, nearly 20 percent said that they would be willing to sacrifice some measure of government security for the convenience of using their personal devices.

And Lookout’s analysis of some 14,000 devices running its technology in government environments found significant exposure to malware.

All of this typically comes as a great surprise to agency leaders, according to Stevens.

“I’ve been in meetings where a federal CIO insists they don’t have a BYOD program. Then I show them an assessment of the devices connecting to their network and it’s in the hundreds. They are always shocked,” he says.


“I think that in general, federal CIOs must have an inkling that some employees are breaking the rules,” Stevens adds. “But I’m sure that most are unaware of just how expansive the ‘shadow BYOD’ problem really is, and of the risks it introduces.”

As an example, he envisions a scenario in which an employee jailbreaks their phone in order to install unauthorized third-party applications. Jailbreaking strips away the platform's own protections, such as app sandboxing and code-signing enforcement, and because applying an operating system update typically undoes the jailbreak, the owner often stops taking updates altogether. Over time the device becomes a soft target for attackers looking for a foothold into the government network. In Lookout's survey, 7 percent of respondents admit that they have rooted or jailbroken a device they bring to work or use there.

“Mobile devices are indeed a blind spot for government,” Stevens says. “While some of that is based on naivety, I think we’ll start to see reality set in as mobile threats become more sophisticated.”

Federal agencies need to embrace the consumerization of IT

Stevens argues that strict, reactionary policies that attempt to ban any outside devices altogether are likely to fail, and in fact pose a security risk as unmanaged devices are introduced into the agency network.


He suggests that agencies build a mobile environment focused on securing "the lowest common denominator." That means setting security standards that still protect devices running whatever the agency considers its least secure operating system, while leaving room to accommodate technologies that may become popular over time, positioning the agency for what Stevens calls "future freedom."
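The assessment Stevens describes earlier in the piece (devices seen connecting to the network, cross-checked against what the agency has actually enrolled), the jailbroken or out-of-date devices he warns become soft targets, and the "lowest common denominator" baseline can be sketched as a single triage script. The following is an added example for this page, not Lookout's tooling or anything from the article. The DHCP lease lines, the MDM enrollment export, the hostname-based mobile-device heuristic and the per-platform minimum OS versions are all constructed assumptions; a real deployment would take the device list from NAC/802.1X or an MDM API rather than hostname patterns.

```python
"""Shadow-BYOD triage over constructed inventory data (added example, not from the article)."""
import re
from dataclasses import dataclass

# Constructed sample: DHCP lease lines as a network team might export them (assumed format).
DHCP_LEASES = """\
2015-09-01T08:02:11 DHCPACK 10.20.4.17 3c:15:c2:aa:01:02 hostname=Johns-iPhone
2015-09-01T08:04:40 DHCPACK 10.20.4.18 00:1a:2b:33:44:55 hostname=FED-LAPTOP-0342
2015-09-01T08:05:03 DHCPACK 10.20.4.19 40:b0:fa:de:ad:01 hostname=android-8f2c1e9a0b4d
2015-09-01T08:07:59 DHCPACK 10.20.4.20 a4:d1:8c:00:11:22 hostname=Marys-iPad
2015-09-01T08:09:12 DHCPACK 10.20.4.21 f8:a9:d0:12:34:56 hostname=Galaxy-S6
"""

# Constructed sample: devices the agency's MDM has enrolled, keyed by MAC (assumed export shape).
MDM_ENROLLED = {
    "a4:d1:8c:00:11:22": {"os": "ios", "version": "8.4.1", "jailbroken": False},
    "f8:a9:d0:12:34:56": {"os": "android", "version": "4.4.2", "jailbroken": True},
}

# Assumed "lowest common denominator" baseline: minimum acceptable OS version per platform.
MIN_OS = {"ios": (8, 4), "android": (5, 0)}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) hostname=(?P<host>\S+)$"
)
# Crude heuristic, assumed for the example: hostnames that look like consumer mobile devices.
MOBILE_HOST_RE = re.compile(r"iphone|ipad|^android-|galaxy|nexus", re.IGNORECASE)


@dataclass
class Finding:
    mac: str
    host: str
    issue: str


def parse_version(version: str) -> tuple:
    """'8.4.1' -> (8, 4, 1); tuples compare element-wise, so (8, 4, 1) >= (8, 4)."""
    return tuple(int(part) for part in version.split("."))


def triage(leases: str, enrolled: dict, min_os: dict) -> list:
    """Flag unmanaged mobile devices, plus managed ones that are jailbroken or below baseline."""
    findings = []
    for line in leases.splitlines():
        match = LEASE_RE.match(line.strip())
        if not match:
            continue  # not a DHCPACK in the expected shape; ignore
        mac, host = match["mac"].lower(), match["host"]
        if not MOBILE_HOST_RE.search(host):
            continue  # laptops and servers are covered by other controls
        record = enrolled.get(mac)
        if record is None:
            # Seen on the network but unknown to the MDM: this is the "shadow BYOD" population.
            findings.append(Finding(mac, host, "unmanaged mobile device (shadow BYOD)"))
            continue
        if record.get("jailbroken"):
            findings.append(Finding(mac, host, "rooted/jailbroken"))
        floor = min_os.get(record["os"])
        if floor and parse_version(record["version"]) < floor:
            floor_str = ".".join(str(n) for n in floor)
            findings.append(
                Finding(mac, host, f"{record['os']} {record['version']} below baseline {floor_str}")
            )
    return findings


if __name__ == "__main__":
    for finding in triage(DHCP_LEASES, MDM_ENROLLED, MIN_OS):
        print(f"{finding.mac}  {finding.host:<24} {finding.issue}")
```

On the constructed sample, two mobile devices show up on the network with no MDM record at all, and one enrolled Android device is flagged twice, once for being rooted and once for running an OS below the assumed baseline. The point of separating the two checks is that the first finding is about visibility (the CIO who "doesn't have a BYOD program") while the second is about policy enforcement on devices the agency already knows about.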

“Today, most employees may use iOS and Android devices, but in the near future, I predict that there will be more operating system diversity in the workplace as Microsoft, Ubuntu, Firefox and more introduce competitive software and devices,” he says.

Stevens also suggests that agencies develop custom applications that are managed and secured and tailored to the employees’ productivity needs, and, when evaluating new apps, to “think mobile-first, and make sure they’re secure.”

But to this point, despite some high-level prodding from the White House about embracing new mobile devices and applications, implementation on the ground level remains highly uneven.

“There is little consensus among government agencies on the future of BYOD, how much access will be allowed in a BYOD environment, or if it will be a fit for every federal agency,” Stevens says.

“The best thing agencies can do to address mobile risks is to realize that devices have become a necessity for employee productivity — and trying to enforce policies that prevent device use, at this point, will likely cause more harm than good for federal networks,” he adds. “When addressing mobile security, I urge agencies to embrace the consumerization of IT and avoid hampering the user experience.”