Use of mobile devices by federal employees represents “an avenue to attack back-end systems containing data on millions of Americans in addition to sensitive information relevant to government functions,” DHS has warned.

It said that systems managed by agencies including DHS itself, DoD, Treasury, VA, HHS, OPM and others “hold significant amounts of sensitive but unclassed information, whose compromise could adversely impact the organization’s operations, assets, or individuals. Additionally, databases controlled by these organizations hold tremendous amounts of personally identifiable information that could potentially be used to compromise citizen financial wellbeing, privacy, or identity.”

“The threats to government users of mobile devices include the same threats that target consumers, e.g., call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services, or any sensitive data . . . Government users may be subject to additional threats simply because they are government employees,” a report says.

Mobile device security is improving, it added, but “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Recommendations included that the government: select mobile devices and enterprise mobility management products that have been evaluated to meet a minimum level of security; use best practices defined by private industry and the National Institute of Standards and Technology on how to configure their mobile devices for security and privacy; participate in all key mobile security related standards bodies and industry associations; and strengthen policies regarding government use of mobile devices overseas, where local security protections may be weaker.