Critical Read

Who knows what IT lurks in the hearts of feds?

Shutterstock image (by igor.stevanovic): anonymous computer hacker.

(Image: Igor.Stevanovic / Shutterstock)

What: Cloud security and analytics firm Skyhigh Networks’ “Cloud Adoption & Risk in the Government Report,” released June 3.

Why: “Shadow IT” – the use of unauthorized IT services by employees seeking work-arounds – is a bigger concern than agency IT departments realize.

According to Skyhigh’s new report, the average public-sector organization uses a whopping 742 cloud services. That’s 10 to 20 times more than IT departments thought they were using.

Much of the disconnect stems from the fact that agencies’ cloud offerings (or lack thereof) can leave employees frustrated and seeking collaboration substitutes like, say, Google Drive or Dropbox.

“This isn’t malicious behavior,” said Kamal Shah, VP of marketing at Skyhigh. “This is employees trying to do their jobs.”

But when well-intentioned employees buck the rules, it can create chaos, threaten organizational security and work against the very collaboration that (standardized) cloud services are supposed to promote.

The report is not based on survey data, Shah noted. Instead, the analysis is based on anonymized usage data from 200,000 public-sector users.

The average public sector employee uses 16.8 cloud services, including social media and file sharing tools, and their movements are tracked by an average of 2.7 ad and analytics services, opening the gates to a watering hole attack.

More stunning: Almost every single public sector organization has users with compromised identities, And at 82 percent of public sector organizations, Skyhigh analysis turned up behavior indicative of an insider threat – though only 7 percent of IT pros at those agencies said they’d had an insider threat in the last year.

Shah advised that the best way to combat the security risks of shadow IT is not to try to nix cloud services.

The best approach, he said, is to try to say, “Yes, if…,” and educate employees while providing quality, secure cloud services to fill their collaboration needs.

Verbatim: “We found that 96.2 percent of public sector organizations have users with compromised identities. At the average organization, 6.4 percent of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities. The availability of stolen credentials online is widespread. Anecdotally, we identified one US cabinet-level department with a staggering 55,080 compromised identities.”

About the Author

Zach Noble is a former FCW staff writer.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.