A rise in the reliance on unmanaged mobile devices, matched with a lack of patching and increased attacks seeking solely to steal credentials, was a perfect storm for government.

You’d think our government has the strongest cybersecurity stance, given the state of modern cyber attacks. But new data from Lookout Software’s just-released US Government Threat Report shows that over the last 2 years, the government hasn’t entirely been prepared, despite cybercriminals being more than ready to attack.

The report, spanning all of 2021 and the first half of 2022, paints a picture of a government under attack, with 1 in 8 government employees exposed to one or more phishing attacks. Part of the problem lies in the devices being used; coming just off the heels of COVID, when any mobile device that got an employee working remotely was “acceptable”, some government entities relied on insecure mobile devices:

  • In 2021, 13% of all Federal Government mobile devices were unmanaged; in State & Local, it was 38%
  • The phishing exposure rate was higher on unmanaged devices in 2022 (8.5% of them) than on managed devices (6%)
  • 1 in 11 mobile devices (about 9%) still experience phishing attacks in 2022

According to the report, about half (46%) of all attacks across all government sectors sought to steal credentials, with 70% of them attempting to install malware. It’s this stat about credentials that has me really worried; all it takes is some solid social engineering to trick a user into giving up their credentials.

According to Lookout, 23% of all federal employees clicked on three or more phishing links, despite being notified that they had previously clicked on one. This is a clear cry for continual Security Awareness Training that teaches government employees the need to remain vigilant and that organizational security includes them.