Almost half of the government employees are not practicing several essential security practices designed to protect data, according to a new survey. Government agencies also remain vulnerable to hacking through lost or stolen devices, according to the survey, which suggests that the risk of data breaches as a result of lax security practices is likely to grow as the number of employees dependent on mobile devices also grows.
The findings from the 2014 Mobilometer Tracker: Mobility, Security, and the Pressure In Between reveal how vulnerable the federal government remains two years into a Digital Government Strategy that made mobility and security key tenets of the government's efforts to use new technologies.
The study noted as a baseline that about 90% of the respondents use at least one mobile device -- laptop, smartphone, or tablet -- for their work.
About 41% of the government employees who participated in the voluntary survey indicated they were practicing some potentially harmful behaviors from a security standpoint.
[Traveling with electronic gear containing sensitive data carries a greater security risk today than ever before. Read Data Security: 4 Questions For Road Warriors]
Among the risky behaviors: a lack of multifactor authentication or data encryption (52%), the use of public WiFi (31%), and failure to use passwords on mobile devices for work (25%). A third of respondents admitted to using passwords that would be considered easy to guess.
What's more, 15% of government respondents admitted downloading a nonwork-related application on to the mobile device they use for work.
Deeply troubling was the revelation that 6% of respondents who use a mobile device for work confessed to having lost or misplaced it. "In the average federal agency, that's more than 3,500 chances for a security breach," said Larry Payne, US federal vice president at Cisco.
The study shines a light on some glaring shortcomings in government mobile security. For example, one-fourth of government employees have not received mobile security training from their agencies, and only 50% of respondents said their agencies have formal, employee-focused mobile device programs.
In addition, half of the agencies covered in the survey are missing fundamental mobile security steps, such a remote wipe function or multifactor authentication or data encryption on mobile devices.
The study was commissioned by Cisco and conducted by the Mobile Work Exchange, a public-private partnership that promotes the value of mobility and telework. The partnership surveyed 155 government employees from 30 agencies during the last quarter of 2013.
The study found some bright spots in employee practices; 86% of respondents lock their computer when they leave their desk and have a safe, alternative workplace compatible. And 78% said they always store files in a secure location. In addition, nearly all the respondents who do telework (97%) have formal telework agreements in place. More than half (53%) are required by their agencies to register their mobile devices, and the same percentage are required to take regular security training related to mobile devices.
But much work remains to be done before the wide gaps in government agency mobile security are narrowed or closed altogether.
"Ensuring policies are being enforced is the best way to secure critical government data," said Cindy Auten, general manager of the Mobile Work Exchange. "Closing this gap equips government employees with the knowledge to thwart potential security breaches."
Too many companies treat digital and mobile strategies as pet projects. Here are four ideas to shake up your company. Also in the Digital Disruption issue of InformationWeek: Six enduring truths about selecting enterprise software (free registration required).William Welsh is a contributing writer to InformationWeek Government. He has covered the government IT market since 2000 for publications such as Washington Technology and Defense Systems. View Full Bio