As an example, he envisions a scenario where an employee jailbreaks their phone in order to access unauthorized third-party applications. The device might no longer receive important operating system updates, and in time could become a soft target for hackers looking to gain entry into the government network. In Lookout's survey, 7 percent of respondents admit that they have rooted or jailbroken a device they bring to work or use there.
"Mobile devices are indeed a blind spot for government," Stevens says. "While some of that is based on naivety, I think we'll start to see reality set in as mobile threats become more sophisticated."
Federal agencies need to embrace the consumerization of IT
Stevens argues that strict, reactionary policies that attempt to ban any outside devices altogether are likely to fail, and in fact pose a security risk as unmanaged devices are introduced into the agency network.
He suggests that agencies build a mobile environment focused on securing "the lowest common denominator." That means pegging security standards to protect devices running in what the agency considers to be the least secure operating system, while also allowing the flexibility to accommodate technologies that might become popular over time, positioning the agency for what Stevens calls "future freedom."
"Today, most employees may use iOS and Android devices, but in the near future, I predict that there will be more operating system diversity in the workplace as Microsoft, Ubuntu, Firefox and more introduce competitive software and devices," he says.
Stevens also suggests that agencies develop custom applications that are managed and secured and tailored to the employees' productivity needs, and, when evaluating new apps, to "think mobile-first, and make sure they're secure."
But to this point, despite some high-level prodding from the White House about embracing new mobile devices and applications, implementation on the ground level remains highly uneven.
"There is little consensus among government agencies on the future of BYOD, how much access will be allowed in a BYOD environment, or if it will be a fit for every federal agency," Stevens says.
"The best thing agencies can do to address mobile risks is to realize that devices have become a necessity for employee productivity -- and trying to enforce policies that prevent device use, at this point, will likely cause more harm than good for federal networks," he adds. "When addressing mobile security, I urge agencies to embrace the consumerization of IT and avoid hampering the user experience."
Sign up for Computerworld eNewsletters.