SBA’s Office of Inspector General Issues Advisory of Security Threats from SBA Personnel Using Personal Devices
On April 22, 2025, the SBA’s Office of Inspector General (OIG) issued a Management Advisory on Undetected Vulnerabilities from Personally Owned Devices, meaning devices used by SBA personnel for agency work. Recall that SBA handles exceptionally sensitive information about individuals, and cyber threats are ever mounting. SBA’s use of personal devices is not only a security risk; it can also make public records harder for the public to access, which has been the subject of controversy as of late. This is a follow-up to a similar warning issued in 2022 regarding COVID-19 EIDL funds, where theft amounted to $1.3 billion.
The OIG Findings:
· SBA unknowingly allowed personally owned devices, such as smartphones, laptops, or tablet computers, to access, store, and transmit agency data with only a username and password from national and international locations.
· Shadow information technology (IT) is any software, hardware, or IT asset used on a network without the IT department’s approval, knowledge, or oversight.
· Personally owned devices are a form of shadow IT. They can open the agency up to IT security risks, such as unauthorized access and theft of personally identifiable information, which can be exploited by cyber criminals and other bad actors. Cyber threats include, but are not limited to, disclosure of sensitive data, unauthorized changes, or backdoor access to other network resources.
The OIG Recommendations:
· Recommendation 1: Ensure personally owned devices use multifactor authentication as required by SOP 90 47 6.
· Recommendation 2: Ensure all personal devices connecting remotely to SBA’s network have updated anti-malware software running with the latest signature files, a firewall installed and running, and all security patches installed as required by SOP 90 47 6.
· Recommendation 3: Ensure that appropriate security, including encryption, application controls, password usage, remote locking, remote wiping, and operating system protection can be enforced for mobile devices as required by SOP 90 47 6.
· Recommendation 4: Restrict users from connecting to SBA systems from international IP addresses as required by SOP 90 47 6.
· Recommendation 5: Implement or enhance current real-time continuous monitoring of mobile phone and personal computer data with rules-based automated response and analysis capabilities as required by OMB M-22-01.
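The recommendations above amount to a set of sign-in policy checks: managed device, MFA present, domestic source, and an automated response when a check fails. The following is an added illustration, not code from the OIG report or from SBA, of how a defender might evaluate sign-in records against those checks. The JSON-lines record schema, the field names, and the sample events are all constructed for this example; real identity providers and MDM tools expose similar fields under other names.

```python
"""Illustrative sign-in review: flag the access patterns the OIG advisory calls out.

Constructed example, not SBA code or data. It assumes sign-in records arrive as
JSON lines with the fields shown in SAMPLE_LOG (a hypothetical schema).
"""
from __future__ import annotations

import json

# Constructed sample sign-in events (hypothetical schema and values; the IPs are
# documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
{"user": "a.smith", "device_managed": true,  "mfa": true,  "country": "US", "ip": "203.0.113.10"}
{"user": "b.jones", "device_managed": false, "mfa": false, "country": "US", "ip": "198.51.100.7"}
{"user": "c.lee",   "device_managed": false, "mfa": true,  "country": "DE", "ip": "192.0.2.44"}
{"user": "d.ortiz", "device_managed": true,  "mfa": true,  "country": "FR", "ip": "192.0.2.99"}
"""

# Policy choice for this example: only domestic sign-ins are permitted (Recommendation 4).
ALLOWED_COUNTRIES = {"US"}


def evaluate_event(event: dict) -> list[str]:
    """Return the policy violations for one sign-in event (empty list if compliant)."""
    findings = []
    if not event.get("device_managed", False):
        # Personally owned / shadow IT device (Recommendations 2 and 3 cannot be enforced on it).
        findings.append("unmanaged_device")
    if not event.get("mfa", False):
        # Recommendation 1: multifactor authentication required.
        findings.append("no_mfa")
    if event.get("country") not in ALLOWED_COUNTRIES:
        # Recommendation 4: no connections from international addresses.
        findings.append("international_source")
    return findings


def decide_action(findings: list[str]) -> str:
    """Rules-based automated response (Recommendation 5): block unmanaged devices and
    foreign sources outright, step up authentication when only MFA is missing, else allow."""
    if "unmanaged_device" in findings or "international_source" in findings:
        return "block"
    if "no_mfa" in findings:
        return "require_mfa"
    return "allow"


def review_log(log_text: str) -> list[dict]:
    """Parse JSON-lines sign-in records and return one result per non-compliant event.

    Each result carries the user, source IP, the list of findings, and the action chosen.
    Compliant events are omitted so the output is an alert list, not a full audit trail.
    """
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = evaluate_event(event)
        if findings:
            results.append({
                "user": event["user"],
                "ip": event.get("ip"),
                "findings": findings,
                "action": decide_action(findings),
            })
    return results


if __name__ == "__main__":
    for result in review_log(SAMPLE_LOG):
        print(f"{result['user']} ({result['ip']}): "
              f"{', '.join(result['findings'])} -> {result['action']}")
```

In practice the "device_managed" signal comes from an MDM or conditional-access platform rather than a log field, and the action would be enforced at the identity provider at sign-in time rather than after the fact; the example keeps the rule logic separate from event parsing so the same checks can run in either place.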
SBA’s Response to the Finding and Recommendations:
· SBA overall agreed with the OIG’s assessment of the cyber risk that personal use of private devices by SBA personnel can cause, and took action to reduce it, such as requiring dual authentication.
· SBA also banned personal devices from connecting remotely to SBA systems.
· SBA managers stated they have developed policies for device compliance, app protection, and conditional access for all government-furnished phones and devices.
· In addition, management also stated SBA-issued mobile devices, including phones, are secured, scanned for threats, and provide alerts of threat-level data to SBA managers.
· Management stated they plan to implement the corrective action by April 30, 2025.
· Management demonstrated, through documentation they provided, that personal devices have been blocked from accessing SBA systems.
· OIG reviewed the evidence and determined that it was sufficient to address the corrective action plan. Specifically, OIG determined that SBA no longer allows personal devices to connect remotely to its systems.
SBA responded with clarity to the cyber security threat and instituted policies to protect US taxpayer information from being exposed and to protect the agency from further crime. Some would say that over a billion dollars was lost before SBA personnel were barred from using unsecured and vulnerable personal devices, such as cell phones, that exposed information to cyber threats. Considering that SBA only banned downloading data to thumb drives that could be carried out the door a few years ago, these changes were implemented quickly and are hopefully effective in protecting sensitive data and guarding against further criminal behavior.