Locking down an agency’s mobile devices, restricting the apps that can run on them and keeping data off them might keep those devices secure, but it also restricts their utility for staff working in the field.
That approach also runs counter to users’ basic expectations now, said Kern Smith, vice president of Global Solutions Engineering at Zimperium. A more flexible approach that uses continuous device monitoring can support both cybersecurity and mission delivery strategies, while enabling a wide range of mobile device use cases, Smith said during Federal News Network’s Industry Exchange Cyber 2025.
Federal cyber and tech staff therefore should take flexible approaches to dealing with mobile devices, he recommended.
“It’s imperative that, as organizations and agencies are looking at addressing the challenge of protecting these mobile devices, they’re looking at the platforms and the specific risks they need to address,” he said.
Balancing mobile security, usability
Policy choices for devices must balance security, privacy and mission support, Smith added.
To be sure, mobile devices are growing in popularity as attack targets. That’s in part because of the data they house and because they tend to be less protected than other network endpoints, Smith said.
Given the range of device types and operating systems in use at any given agency, protection “is no longer just a question of, do you have management on the devices?” he said. “Now, it’s how are you addressing the risk and threats specific to the device?” And those questions remain in play, Smith said, regardless of whether devices run iOS or Android and whether they are government-furnished or used under a bring your own device (BYOD) policy.
More than deciding what to allow users to do or have loaded on their devices, he said, agencies must figure out what they “need to enable, to support the mission, to support the user community.”
For example, law enforcement and other organizations whose users connect with confidential sources may not be able to use Microsoft Teams, commercial messaging systems and other commonly used tools for that sensitive work. Yet the organization can still protect devices on which these applications are enabled for unrelated or administrative tasks.
“Let’s open up the use case a little bit,” Smith said, “but put some guardrails and some detection capabilities, not necessarily around user activity, but around what the actual risk and threats are.” That way, the agency can mitigate the risks without impacting the usability of its devices.
Avoid static device policies
Smith said that regardless of the mobile device policies an agency enforces, it must continuously monitor devices to stay aware of new threats and ensure application updates don’t break enterprise safeguards.
“Mobile security is not a one-time policy exercise,” he said. “It’s a continuous evolution of the platform and how it’s being used, and how that is being ingested into the agency’s larger security posture.”
This advice comes against a backdrop of widening mobile threats. Smith cited “mishing,” or mobile phishing, for instance.
“It’s the links coming through text messages,” he said. “It’s the links coming through WhatsApp. It’s links coming through personal email because oftentimes that’s set up on the devices. But it’s also things like QR codes. Mobile phishing is an exponentially increasing threat.”
Artificial intelligence (AI) has made it easier for attackers to engineer messages and texts so they seem more realistic, he added. That reinforces the need to continuously monitor devices.
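The mobile phishing channels Smith lists (SMS, WhatsApp, personal email and QR codes) all deliver the same payload, a link, so detection can start with link triage rather than with any one channel. The following is an added example, not code from the article or from Zimperium: it extracts URLs from a few constructed messages (a decoded QR payload is treated as just another message) and flags common lure patterns such as credentials in the URL authority, IP-literal or punycode hosts, shortener domains, brand names buried in subdomains and near-miss spellings of an agency allowlist. The allowlist, shortener list and sample messages are assumptions for the example.

```python
"""Triage links from mobile messages for phishing ("mishing") indicators."""
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains the agency expects its users to see.
KNOWN_DOMAINS = {"gsa.gov", "login.gov", "microsoft.com", "zimperium.com"}
# Constructed list of link shorteners; a shortened link hides its destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def extract_urls(text):
    """Pull http(s) and bare www. links out of free text, trimming trailing punctuation."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalikes of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host. Assumption: no public-suffix handling (co.uk etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_url(url):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username or parts.password:        # https://login.gov@evil.example/
        findings.append("credentials-in-authority")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    reg = registrable(host)
    if reg in SHORTENERS:
        findings.append("url-shortener")
    if reg not in KNOWN_DOMAINS:
        subdomain_labels = host.split(".")[:-2]
        for known in KNOWN_DOMAINS:
            if 0 < levenshtein(reg, known) <= 2:
                findings.append(f"lookalike-of:{known}")
            elif known.split(".")[0] in subdomain_labels:   # login.gov.verify.example
                findings.append(f"brand-in-subdomain:{known}")
    return findings


def triage(messages):
    """Score every link in (channel, text) pairs; a QR payload is passed as its decoded text."""
    results = []
    for channel, text in messages:
        for url in extract_urls(text):
            findings = assess_url(url)
            results.append({"channel": channel, "url": url,
                            "findings": findings, "suspicious": bool(findings)})
    return results


# Constructed sample messages, one per channel the article names.
SAMPLE_MESSAGES = [
    ("sms", "USPS: your package is held. Confirm at https://login.gov@usps-track.example/verify"),
    ("whatsapp", "Password reset required: http://rnicrosoft.com/reset?u=jdoe"),
    ("email", "Agenda attached, see https://www.gsa.gov/events for details."),
    ("qr", "https://bit.ly/3xAmple"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row["channel"], row["url"], row["findings"])
```

The heuristics are deliberately cheap so they can run on the device or in a message-filtering proxy; they complement, not replace, reputation lookups and sandboxed URL detonation.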
Unfortunately, mobile devices sometimes fall into a visibility gap relative to other endpoints on the network, Smith said. Device monitoring must extend to apps, which their publishers often update automatically.
“So unless you’re continuously vetting that app as it’s being updated, as it’s being pushed out automatically, you don’t have a good handle on what’s going on,” he said.
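One way to make the continuous vetting Smith describes concrete is to diff each automatically pushed build against the last approved baseline and decide whether it can stay on devices, needs review, or must be blocked. The following is an added example, not code from the article or from Zimperium. It assumes the package name, version code, signing-certificate fingerprint, permissions and exported components have already been extracted from the APK (in practice with the Android SDK's apksigner and aapt tools, or an MDM/MTD connector); the baseline, the sample updates and the set of permissions treated as high risk are all constructed for the example.

```python
"""Vet an automatically pushed app update against the last approved baseline."""

# Real Android permission names; which ones count as high risk is an assumption
# for this example, not a vendor list. Any of these appearing in an update
# triggers human review before the build is allowed on agency devices.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

# Findings that mean the build is not the app the agency approved at all.
BLOCKING = {"package-name-mismatch", "signer-changed", "version-code-not-increased"}

# Constructed baseline recorded when the (hypothetical) app was first approved.
BASELINE = {
    "package": "com.example.fieldnotes",
    "version_code": 41,
    "signer_sha256": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "permissions": {"android.permission.INTERNET", "android.permission.CAMERA"},
    "exported_components": {"com.example.fieldnotes.MainActivity"},
}


def vet_update(baseline, update):
    """Compare an update to the baseline and return (decision, findings).

    decision is "allow", "review" or "block"; findings lists every delta seen.
    """
    findings = []
    if update["package"] != baseline["package"]:
        findings.append("package-name-mismatch")
    if update["signer_sha256"].lower() != baseline["signer_sha256"].lower():
        findings.append("signer-changed")          # different publisher key: never auto-allow
    if update["version_code"] <= baseline["version_code"]:
        findings.append("version-code-not-increased")   # downgrade or replay of an old build

    added = set(update["permissions"]) - set(baseline["permissions"])
    for perm in sorted(added & HIGH_RISK_PERMISSIONS):
        findings.append(f"new-high-risk-permission:{perm}")
    for perm in sorted(added - HIGH_RISK_PERMISSIONS):
        findings.append(f"new-permission:{perm}")   # logged, but not review-worthy on its own

    new_exports = set(update["exported_components"]) - set(baseline["exported_components"])
    for comp in sorted(new_exports):
        findings.append(f"new-exported-component:{comp}")   # new attack surface for other apps

    if any(f in BLOCKING for f in findings):
        return "block", findings
    if any(f.startswith(("new-high-risk-permission:", "new-exported-component:")) for f in findings):
        return "review", findings
    return "allow", findings


# Constructed updates: a routine bump, a scope-creep build and a re-signed build.
ROUTINE = {**BASELINE, "version_code": 42}
SCOPE_CREEP = {**BASELINE, "version_code": 43,
               "permissions": BASELINE["permissions"] | {"android.permission.READ_SMS",
                                                         "android.permission.VIBRATE"},
               "exported_components": BASELINE["exported_components"]
               | {"com.example.fieldnotes.SyncReceiver"}}
RESIGNED = {**BASELINE, "version_code": 44,
            "signer_sha256": "deadbeef" * 8}

if __name__ == "__main__":
    for name, update in [("routine", ROUTINE), ("scope creep", SCOPE_CREEP), ("re-signed", RESIGNED)]:
        print(name, *vet_update(BASELINE, update))
```

The point of the three tiers is that the vetting runs on every push without a human in the loop for the common case, while a signer change or permission creep surfaces before the build reaches users. After a reviewer approves a "review" build, its manifest becomes the new baseline.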
Yet he advised taking a careful approach to whitelisting and blacklisting applications.
“Certain agencies can get away with an understandably more locked down approach,” Smith said. “When you think of high security, you think of classified environments.”
In other areas, “users expect to be able to use these devices maybe not in the same way that they use a BYOD device but at least similar enough to get the job done. There’s an expectation about utility and productivity that goes into it.”
CISOs will need to balance the risk of a popular app and whether disallowing it creates more friction, he said. Sometimes, Smith added, it will be technically easier to monitor a particular app than to try and keep it off all users’ devices.
AI and mobile devices
Whatever risk and compliance approach an agency takes, tech staff must be vigilant about how artificial intelligence “is quickly reducing the barrier to entry for bad actors to start targeting mobile assets.”
Smith said that because AI-driven attacks adapt to stay ahead of defense mechanisms, the question for organizations becomes, “How do you use AI or machine learning to create the tools to detect things?” He added that mechanisms for verifying cloud-stored digital signatures are often foiled by AI-enabled attackers.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.