Former Secretary of State Hillary Clinton may be catching the most public flak for using a personal device for government work in her bid for the White House, but she’s far from the only one guilty of connecting out of convenience — or putting sensitive information at risk.
That’s according to a report out this week from cybersecurity firm Lookout, which found about 40 percent of more than 1,000 government employees surveyed are breaking rules against using personal devices at work.
Lookout conducted the survey on mobile device usage at work to “suss out whether that behavior puts sensitive government data at risk.”
“The answer is unequivocally ‘yes,’” the report states.
Lookout began by analyzing 20 federal agencies and discovered 14,622 Lookout-enabled devices associated with government networks, meaning users are connecting their phones to government systems. Eleven percent of those same devices had a high frequency rate of “serious mobile threat encounters” per year.
“The problem is ‘Shadow BYOD,’ a reference to unmanaged or unknown mobile devices accessing a network,” the report explains. “Similar to Shadow IT, Shadow BYOD introduces a risk of sensitive data leakage due to the lack of visibility and control of this access.”
According to the report, 50 percent of federal employees access work email from personal devices, and 49 percent download work documents on those devices. Of those, 27 percent use their device for work email often and download documents often. Seventeen percent store work documents on personal file-sharing applications, and 24 percent send work documents to personal email accounts.
In a further detriment to security, 7 percent of those personal devices have been jailbroken, rooted or otherwise manipulated with custom aftermarket software, including 6 percent of iPhone users’ devices and 8 percent of Android users’ smartphones. Nine percent of those employees are 35 or younger, 16 percent are using government-issued devices, and 22 percent regularly connect to government WiFi networks.
Sixty-five percent have access to work email on a jailbroken or rooted device, and 57 percent can access work documents on it.
For many who lack the cybersecurity savvy to protect such a device, jailbreaks and roots can expose operating systems to vulnerabilities that manufacturers regularly patch through updates, and open the door to malicious third-party app downloads.
Of the respondents, 40 percent said they routinely ignore workplace rules prohibiting the use of personal devices, and a surprisingly high number — 24 percent — are downloading third-party applications from outside the Google Play or Apple App Store, which companies warn exposes smartphones to a significantly greater degree of malware.
“This can put a phone at risk because apps from outside of these stores are not guaranteed to have gone through the same vetting rigors that Google and Apple put their published apps through,” the report said. “This also highlights the myth that you can only download apps to an iPhone through an official app store, when, in fact, it’s very easy to download an app to an iOS device through a website or link.”
Eighteen percent of federal employees said they have encountered malware on their personal and government-issued devices, including 19 percent of Android users and 14 percent of iPhone users. Despite the significantly higher encounter rate reported over last year’s 7 percent, 49 percent of employees don’t have any preventative security countermeasures installed on their personal or work devices.
The report concludes that simply educating federal employees about the dangers of using a personal device at work is not enough, as illustrated by the 58 percent who said they’re aware of the security risks — 85 percent of whom chose to ignore them and use those devices as a matter of convenience anyway.
Clinton has repeatedly echoed that sentiment herself in the months since coming under scrutiny for using a private home-brewed email server connected to her personal device during her tenure as head of the State Department.
“I’ve said in the past that I used a single account for convenience — obviously these years later it doesn’t look so convenient,” Clinton told reporters last weekend about the use of the server, which investigators now say transmitted a number of classified documents, though the two confirmed so far weren’t sent by Clinton and weren’t deemed classified until after the fact.
“Hillary isn’t the only one using her personal device for work,” the report said.