Critical Read

Who knows what IT lurks in the hearts of feds?

Shutterstock image (by igor.stevanovic): anonymous computer hacker.

(Image: Igor.Stevanovic / Shutterstock)

What: Cloud security and analytics firm Skyhigh Networks’ “Cloud Adoption & Risk in the Government Report,” released June 3.

Why: “Shadow IT” – the use of unauthorized IT services by employees seeking work-arounds – is a bigger concern than agency IT departments realize.

According to Skyhigh’s new report, the average public-sector organization uses a whopping 742 cloud services. That’s 10 to 20 times more than IT departments thought they were using.

Much of the disconnect stems from the fact that agencies’ cloud offerings (or lack thereof) can leave employees frustrated and seeking collaboration substitutes like, say, Google Drive or Dropbox.

“This isn’t malicious behavior,” said Kamal Shah, VP of marketing at Skyhigh. “This is employees trying to do their jobs.”

But when well-intentioned employees buck the rules, it can create chaos, threaten organizational security and work against the very collaboration that (standardized) cloud services are supposed to promote.

The report is not based on survey data, Shah noted. Instead, the analysis is based on anonymized usage data from 200,000 public-sector users.

The average public sector employee uses 16.8 cloud services, including social media and file sharing tools, and their movements are tracked by an average of 2.7 ad and analytics services, opening the gates to a watering hole attack.

More stunning: Almost every single public sector organization has users with compromised identities, And at 82 percent of public sector organizations, Skyhigh analysis turned up behavior indicative of an insider threat – though only 7 percent of IT pros at those agencies said they’d had an insider threat in the last year.

Shah advised that the best way to combat the security risks of shadow IT is not to try to nix cloud services.

The best approach, he said, is to try to say, “Yes, if…,” and educate employees while providing quality, secure cloud services to fill their collaboration needs.

Verbatim: “We found that 96.2 percent of public sector organizations have users with compromised identities. At the average organization, 6.4 percent of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities. The availability of stolen credentials online is widespread. Anecdotally, we identified one US cabinet-level department with a staggering 55,080 compromised identities.”

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.