Critical Read

Who knows what IT lurks in the hearts of feds?

What: Cloud security and analytics firm Skyhigh Networks’ “Cloud Adoption & Risk in the Government Report,” released June 3.

Why: “Shadow IT” – the use of unauthorized IT services by employees seeking work-arounds – is a bigger concern than agency IT departments realize.

According to Skyhigh’s new report, the average public-sector organization uses a whopping 742 cloud services. That’s 10 to 20 times more than IT departments thought they were using.

Much of the disconnect stems from the fact that agencies’ cloud offerings (or lack thereof) can leave employees frustrated and seeking collaboration substitutes like, say, Google Drive or Dropbox.

“This isn’t malicious behavior,” said Kamal Shah, VP of marketing at Skyhigh. “This is employees trying to do their jobs.”

But when well-intentioned employees buck the rules, it can create chaos, threaten organizational security and work against the very collaboration that (standardized) cloud services are supposed to promote.

The report is not based on survey data, Shah noted. Instead, the analysis is based on anonymized usage data from 200,000 public-sector users.

The average public sector employee uses 16.8 cloud services, including social media and file sharing tools, and their movements are tracked by an average of 2.7 ad and analytics services, opening the gates to a watering hole attack.

More stunning: Almost every single public sector organization has users with compromised identities. And at 82 percent of public sector organizations, Skyhigh analysis turned up behavior indicative of an insider threat – though only 7 percent of IT pros at those agencies said they’d had an insider threat in the last year.

Shah advised that the best way to combat the security risks of shadow IT is not to try to nix cloud services.

The best approach, he said, is to try to say, “Yes, if…,” and educate employees while providing quality, secure cloud services to fill their collaboration needs.

Verbatim: “We found that 96.2 percent of public sector organizations have users with compromised identities. At the average organization, 6.4 percent of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities. The availability of stolen credentials online is widespread. Anecdotally, we identified one US cabinet-level department with a staggering 55,080 compromised identities.”

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.

