Critical Read

Who knows what IT lurks in the hearts of feds?

Shutterstock image (by igor.stevanovic): anonymous computer hacker.

(Image: Igor.Stevanovic / Shutterstock)

What: Cloud security and analytics firm Skyhigh Networks’ “Cloud Adoption & Risk in the Government Report,” released June 3.

Why: “Shadow IT” – the use of unauthorized IT services by employees seeking work-arounds – is a bigger concern than agency IT departments realize.

According to Skyhigh’s new report, the average public-sector organization uses a whopping 742 cloud services. That’s 10 to 20 times more than IT departments thought they were using.

Much of the disconnect stems from the fact that agencies’ cloud offerings (or lack thereof) can leave employees frustrated and seeking collaboration substitutes like, say, Google Drive or Dropbox.

“This isn’t malicious behavior,” said Kamal Shah, VP of marketing at Skyhigh. “This is employees trying to do their jobs.”

But when well-intentioned employees buck the rules, it can create chaos, threaten organizational security and work against the very collaboration that (standardized) cloud services are supposed to promote.

The report is not based on survey data, Shah noted. Instead, the analysis is based on anonymized usage data from 200,000 public-sector users.

The average public sector employee uses 16.8 cloud services, including social media and file sharing tools, and their movements are tracked by an average of 2.7 ad and analytics services, opening the gates to a watering hole attack.

More stunning: Almost every single public sector organization has users with compromised identities, And at 82 percent of public sector organizations, Skyhigh analysis turned up behavior indicative of an insider threat – though only 7 percent of IT pros at those agencies said they’d had an insider threat in the last year.

Shah advised that the best way to combat the security risks of shadow IT is not to try to nix cloud services.

The best approach, he said, is to try to say, “Yes, if…,” and educate employees while providing quality, secure cloud services to fill their collaboration needs.

Verbatim: “We found that 96.2 percent of public sector organizations have users with compromised identities. At the average organization, 6.4 percent of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities. The availability of stolen credentials online is widespread. Anecdotally, we identified one US cabinet-level department with a staggering 55,080 compromised identities.”

About the Author

Zach Noble is a former FCW staff writer.


  • FCW Perspectives
    zero trust network

    Can government get to zero trust?

    Today's hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.

  • Cybersecurity
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    NDAA process is now loaded with Solarium cyber amendments

    Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.