
SBA watchdog warns agency of vulnerabilities from user devices

The OIG told the agency that noncompliance with MFA on personal devices and the accessing of networks from foreign locations presented IT security risks.
People walk past the headquarters of the Small Business Administration in the Southwest Federal Center area on March 24, 2025 in Washington, D.C. (Photo by Chip Somodevilla/Getty Images)

The Small Business Administration’s watchdog has issued a warning to the agency about possible IT security threats due to a lack of multifactor authentication on personal devices.

In a management advisory sent to SBA Administrator Kelly Loeffler that was made public this week, the Office of Inspector General found via Federal Information Security Modernization Act assessments in fiscal years 2023 and 2024 that the agency didn’t have MFA enabled for users accessing secure SBA networks.

The watchdog also discovered that personally owned devices could access those agency networks from foreign locations, a violation of SBA IT policy.

“SBA’s information systems are more vulnerable to unauthorized access that could exploit sensitive agency information,” the advisory stated.


Users were able to access the SBA network from foreign IP addresses through the Microsoft 365 portal, according to the OIG, though agency managers manually blocked one individual two days after the access occurred. That vulnerability, however, still exists, per the advisory.

“The vulnerability occurred because the security software the agency uses should have automatically prevented the user from gaining entry to network resources on all attempts,” the advisory explained. “The agency has been vulnerable to cybersecurity threats from foreign IP addresses in the past.”

SBA resources should only be accessed abroad by agency users performing official government duties or on official government travel, the OIG added.

The MFA issue with mobile devices accessing agency networks was flagged by OIG in December of last year, triggering an immediate notification to SBA management. According to the watchdog, SBA managers have since embarked on “a remediation plan.”

“Without multifactor authentication, every personally owned device that connects to the network is a potential cyber threat,” the advisory noted. “Further, sensitive data should not be downloaded, stored, or printed on personally owned devices.”


The OIG delivered four recommendations to the SBA that have already been addressed: enforcing MFA on personal devices; ensuring personal devices connected to SBA networks have updated anti-malware software; ensuring that various security measures can be enforced for mobile devices; and barring users from connecting to SBA systems via overseas IP addresses.

The watchdog also recommended that SBA embrace “real-time continuous monitoring of mobile phone and personal computer data with rules-based automated response and analysis,” which the agency said it will do.

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
