Striking a Balance in Mobile Security: A Candid Survey of Federal Managers
June 2014
Purpose
The 2012 Digital Government Strategy laid an ambitious foundation for initiatives to expand federal use of mobile devices, both to deliver information and services to the American public more efficiently and to enhance flexibility and encourage innovative problem-solving among federal employees. Yet some have raised concerns that mobile devices may lack the security features of legacy systems and that the expansion of mobile technology could pose a threat to the integrity of government data. To fully realize the benefits of mobile technology, federal agencies require mobile security solutions that are both flexible and scalable enough to meet the diverse needs of the federal workforce and tough enough to safeguard government communications against a wide array of modern threats. Noting these pressures, Government Business Council (GBC) and Samsung undertook a study to explore the current state of mobile security in the federal workplace.
Methodology
To assess the perceptions, attitudes, and experiences of federal executives regarding mobile security in their agencies, GBC deployed a survey to a sample of Government Executive, Nextgov, and Defense One online and print subscribers in April-May 2014. The pool of 318 respondents includes employees at the GS-11 through Senior Executive Service grade levels representing at least 26 different departments and agencies.
Table of Contents
1 Executive Summary
2 Respondent Profile
3 Research Findings
   i. The Promise of Mobile Technology in the Federal Workplace
   ii. Security Concerns Challenge Mobile Expansion
   iii. Achieving Balance Between Flexibility and Security
4 Final Considerations
1 Executive Summary
Federal managers see flexibility as the key benefit of mobile technology
When asked to rank the potential benefits of mobile technology, respondents indicate that flexibility to telework and enhanced responsiveness to communications are the most important, while benefits like cost reduction and job satisfaction are largely seen as secondary. Nevertheless, expanding the use of mobile technology is not necessarily seen as a top priority.
Security concerns are a major factor determining how federal leaders use mobile technology
The survey responses suggest that federal managers believe there is an implicit trade-off between flexibility and security, potentially limiting efforts to expand the use of mobile devices for work functions. Respondents express significant concerns about the security of mobile hardware, mobile applications, and external networks, as well as vulnerabilities to both malicious software and human error. Less than half of respondents believe they are adequately trained in mobile security, while almost two-thirds believe they should use separate mobile devices for work and personal functions. Respondents using an agency-owned device (COPE model) are more confident in the reliability of their agency's current mobile security solution than those using a personal device for work functions (BYOD model).
Confidence in mobile security could open the door for mobility's use as a tool for innovation
In general, respondents favor a government-wide approach to mobile security reflecting one proposed under the 2013 Federal Mobile Security Baseline. However, these standards leave federal agencies and employees with few mobile options that meet their flexibility and security needs.
2 Respondent Profile
The majority of survey respondents are senior federal executives
Job Grade (74% of respondents are GS/GM-13 or above): SES 1%; GS/GM-15 19%; GS/GM-14 23%; GS/GM-13 31%; GS/GM-12 18%; GS/GM-11 5%; Other 3%
Reports/Oversees (53% of respondents oversee at least one report): Over 200 2%; 51-200 4%; 21-50 6%; 6-20 23%; 1-5 18%; None 47%
Percentage of respondents, n=318
Program and project management is the most common job function
Almost one quarter of respondents work in program or project management. Respondents who selected "Other" work in auditing, investigation/law enforcement, and logistics fields, among others.
Job Function: Program/project management 23%; Acquisition/procurement 12%; Finance 11%; Agency leadership 9%; Human capital 8%; Technical/scientific 7%; Administrative 7%; Communications 4%; Facilities management 3%; Legal 3%; Policy research/analysis 2%; Information technology 1%; Other 12%
Percentage of respondents, n=318
Agencies represented (listed in order of frequency): Department of the Treasury; Department of Defense; Department of Health and Human Services; Department of Homeland Security; Department of Agriculture; Department of Veterans Affairs; Department of the Air Force; Department of the Army; General Services Administration; Department of Transportation; Environmental Protection Agency; Department of the Interior; Department of Justice; Department of the Navy; National Aeronautics and Space Administration; Department of Commerce; Social Security Administration; Department of Education; Department of Energy; Department of Labor; Department of Housing and Urban Development; Department of State; Office of Personnel Management; Small Business Administration; Nuclear Regulatory Commission; Other Independent Agencies
Most respondents use mobile devices for work and most devices are provided by their agency
72% of respondents use a mobile device for work-related functions.
Types of Mobile Users: Department/agency-owned device used for work functions 58% Unregistered personal device used for work functions Registered personal device used for work functions 4% 17% Other 2% Don't know 2% Do not use mobile device for work functions 26%
Percentage of respondents, n=318, respondents were asked to select all that apply
Defense agencies have been slower in adopting mobile technology
Department/agency-owned device used for work functions: Overall Sample 58%; DoD Sample 48%
Does not use mobile device for work functions: Overall Sample 26%; DoD Sample 42%
Percentage of respondents, n=318 (overall), n=69 (DoD), respondents were asked to select all that apply
3 Research Findings
i. The Promise of Mobility in the Federal Workplace
Flexibility is the most important benefit of expanded mobility
When asked to rank benefits in order of importance to executing their agency's mission, federal leaders most often ranked the ability to telework and enhanced responsiveness as the most important, emphasizing the value of flexibility in the workplace.
1st: Ability to telework (Mean: 2.76)
2nd: Enhanced responsiveness (Mean: 2.87)
3rd: Remote data entry and access (Mean: 3.26)
4th: Efficiency gains from mobile applications (Mean: 3.42)
5th: Cost reduction (Mean: 3.47)
6th: Job satisfaction/morale (Mean: 3.48)
Ranked by mean, respondents did not have to rank every choice, n=306
Other potential benefits of mobile technology in the federal workplace include:
"Could revolutionize field work - make inspections more efficient, for example."
"Mobile technologies are an advantage in the event of a national emergency or during contingency operations (COOP)."
"It is forcing the unity and completeness of information offered to both employees and those benefiting from the services."
Sampling of open-ended responses
Expanding mobile technology is not a top priority for federal leaders
To what extent is your department/agency prioritizing the expansion of mobile technology (e.g., smartphones, tablets) for work-related functions over the next 12 months?
Essential 5%; High priority 13%; Medium priority 22%; Low priority 23%; Not a priority 19%; Don't know 19%
Percentage of respondents, n=318
Agencies are reluctant to encourage mobile innovation
"My department/agency encourages employees to use mobile technology to develop innovative ways of performing work-related functions."
55% of respondents disagree or strongly disagree.
Strongly agree 7%; Agree 29%; Disagree 31%; Strongly disagree 24%; Don't know 9%
Percentage of respondents, n=318
ii. Security Concerns Challenge Mobile Expansion
Security is the greatest challenge to expanding the use of mobile technology
Respondents select security concerns as three of the top four leading challenges limiting the use of mobile technology. A related concern, privacy, is the fifth leading challenge.
Top Challenges: Security of mobile device hardware/software Budget constraints Security of mobile applications Security of external networks Privacy concerns Lack of leadership buy-in Cultural resistance to change Incompatibility with legacy IT/telecom infrastructure Increased risk of human error Expected low ROI Other Don't know None of the above 2% 8% 8% 12% 19% 29% 32% 32% 39% 47% 50% 49% 55%
Percentage of respondents, n=318, respondents were asked to select all that apply
Federal managers believe they have to sacrifice flexibility for the sake of security
"There is an implicit trade-off between flexibility and security when it comes to mobile technology."
59% of respondents agree or strongly agree.
Strongly agree 17%; Agree 42%; Disagree 20%; Strongly disagree 8%; Don't know 13%
Percentage of respondents, n=314
Federal managers believe both malicious attacks and human factors to be threats
Respondents consider the loss or theft of a mobile device or an employee error to be as threatening as malicious attacks or technical failures.
Which of the following security threats are major concerns for your department/agency?
Viruses/malware Loss/theft of mobile device 66% 66% Vulnerable/compromised mobile applications Employee error 55% 54% Eavesdropping/interception of mobile communications 42% Other None of the above Don't know 4% 3% 9%
Percentage of respondents, n=318, respondents were asked to select all that apply
Only half of federal managers believe they receive adequate training in mobile security
"Employees in my department/agency receive adequate training in mobile security."
48% of respondents disagree or strongly disagree.
Strongly agree 11%; Agree 36%; Disagree 32%; Strongly disagree 16%; Don't know 6%
Percentage of respondents, n=318
Federal managers believe they need separate mobile devices for work and personal use
"To safeguard government data, federal employees should not use the same mobile devices for department/agency functions and personal use."
63% of respondents agree or strongly agree.
Don't know 6%; Strongly disagree 11%; Disagree 20%; Agree 31%; Strongly agree 32%
Percentage of respondents, n=318
Federal managers using an agency-owned mobile device are more confident in its security
Respondents are more likely to agree that they have confidence in the reliability of their agency's mobile security solution if they use a corporately-owned, personally enabled (COPE) device (62 percent), as compared to those who use a personal device for work functions (BYOD) (36 percent).
"I have confidence in the reliability of my department/agency's current mobile security solution."
Percentage of respondents, COPE users, n=187: Strongly agree 9%; Agree 53%; Disagree 16%; Strongly disagree 10%; Don't know 12%
Percentage of respondents, BYOD users, n=64: Strongly agree 6%; Agree 30%; Disagree 28%; Strongly disagree 27%; Don't know 9%
Confidence in mobile security could translate into confidence in mobile innovation
Respondents are more likely to agree that their agency encourages them to innovate with mobile technology if they have confidence in the reliability of their agency's mobile security solution (50 percent), as compared to those respondents lacking confidence in its reliability (20 percent).
"My department/agency encourages employees to use mobile technology to develop innovative ways of performing work-related functions."
Percentage of respondents confident in the reliability of their agency's mobile security solution, n=161: Strongly agree 11%; Agree 39%; Disagree 27%; Strongly disagree 13%; Don't know 10%
Percentage of respondents not confident in the reliability of their agency's mobile security solution, n=109: Strongly agree 2%; Agree 18%; Disagree 39%; Strongly disagree 38%; Don't know 3%
iii. Achieving Balance Between Flexibility and Security
Federal managers want common standards governing mobile flexibility and security
A government-wide standard exists in the form of the 2013 Federal Mobile Security Baseline, on top of which agencies may add supplementary protocols.
"The federal government should set common standards governing flexibility and security, rather than allowing each department/agency to set its own."
67% of respondents agree or strongly agree.
Don't know 6%; Strongly disagree 6%; Disagree 21%; Agree 30%; Strongly agree 37%
Percentage of respondents, n=318
Current security standards limit mobile choice for both employees and agencies
"Employees in my department/agency have sufficient options when it comes to selecting a mobile device that meets security standards."
"My department/agency has sufficient options when it comes to selecting a mobile solution that meets its standards for flexibility and security."
20% of respondents agree or strongly agree 2% 18% Strongly agree Agree 4% 20% 24% of respondents agree or strongly agree 33% Disagree 28% 25% Strongly disagree Don't know 18% 22% 30%
Percentage of respondents, n=318
One respondent told us: "My agency is so security nervous that applications that other agencies use are forbidden to me. We also have little to no choice in mobile devices - if not on the approved list, forget it."
One respondent told us: "I think we need a comprehensive, but flexible, policy for mobile technologies within the DoD. Mobile technologies should be fully integrated with existing software and based upon commercially available hardware."
4 Final Considerations
When considering how to expand mobility securely:
Evaluate the potential value that mobile technology could add to your agency's operations
Mobile technology is of most value in situations where operations are often decentralized from your agency's headquarters (for instance, field inspections) and where continuity of operations (COOP) may be crucial, especially in light of potential time constraints or work stoppages.
Assess your agency's requirements regarding data sensitivity and set security standards accordingly
Agencies should conduct a full audit of their mobile and legacy IT and telecommunications infrastructures to assess their data's vulnerability to a wide range of security threats including viruses, malware, compromised applications, loss or theft of mobile devices, and other forms of human error. Agencies should then configure their mobile security solutions in accordance with their degree of data sensitivity. For instance, although some agencies use only public domain data and require a minimum security solution, others operating in the defense and security space may rely on almost entirely sensitive or classified data and require more stringent mobile device management (MDM) and mobile application management (MAM) policies.
Align security requirements with budgetary resources
Providing end-users with a secure mobile device as part of a COPE plan may offer the greatest level of protection, but doing so on a large scale may be cost-prohibitive in today's fiscal climate. While in the past it might not have been advisable to allow end-users to bring their own device in sensitive data environments, advances in mobile security can allow users to insulate government applications in a secure container, ensuring a greater degree of confidence in the integrity of mobile data. Greater confidence in secure BYOD capabilities could provide federal agencies a scalable and budget-conscious alternative to a COPE plan.
Samsung Knox SEPARATION OF COMPANY AND PERSONAL APPS AND DATA SECURE WORKSPACE MANAGEMENT OF APPS VIRUS PROTECTION MDM MANAGEMENT REQUIRED
Samsung Security Certifications Common Criteria Certification awarded for Mobile Device Fundamental Protection Profile (MDFPP) Mobile OS Security Requirements Guidelines (SRG) U.S. Dept. of Defense Knox STIG U.S. NIST FIPS 140-2
Underwritten by Samsung
About Samsung
Samsung Telecommunications America LLC (Samsung Mobile), a Dallas-based subsidiary of Samsung Electronics Co. Ltd., researches, develops, and markets wireless handsets, wireless infrastructure and other telecommunications products throughout North America. For more information, please visit samsung.com
About GBC
Our Mission: Government Business Council (GBC), the research arm of Government Executive Media Group, is dedicated to advancing the business of government through analysis and insight. GBC partners with industry to share best practices with top government decision-makers, understanding the deep value inherent in industry's experience engaging and supporting federal agencies.
Contact: Zoe Grotophorst, Manager, Research & Strategic Insights. Tel. 202.266.7335, zgrotophorst@govexec.com
govexec.com/gbc, @GovBizCouncil