Shadow IT in the government is much more common than many people realize – introducing threats to these organizations but also highlighting opportunities. Skyhigh recently analyzed usage data for over 200,000 government employees and found that the average public sector organization uses 742 distinct cloud services. This number is more than ten times higher than what is known by the IT department. Broken down by category, the sprawl of cloud services brought to work by employees highlights gaps in current IT efforts and the fragmentation of technology platforms as employees use multiple cloud services in each category to do their jobs (e.g. file sharing, collaboration, content sharing, etc.).
The most common cloud service category in the public sector is collaboration. The average organization uses 120 distinct services including Microsoft Office 365, Gmail, Cisco WebEx, and Evernote. That’s followed by 55 software development services (e.g. SourceForge, GitHub, etc.) and 39 content sharing services (YouTube, LiveLeak, etc.). The average employee uses 16.8 cloud services, including 2.9 content sharing services, 2.8 collaboration services, and 1.3 file sharing services. Of course, when collaboration is spread across multiple platforms, it introduces friction and impedes collaboration while also increasing cost and risk to the organization.
Troublingly, the actions of government employees are tracked online by 2.7 web analytics and advertising services, which are increasingly used by cyber criminals to inform watering hole attacks. In a watering hole attack, cyber criminals identify vulnerable websites that employees of a government agency frequent and plant malware on these sites in order to infiltrate the organization, rather than attack the organization’s cyber defenses head-on. These attacks and others often seek the account usernames and passwords of government employees in order to gain access to sensitive data.
Skyhigh found that 96.2% of US federal government agencies have compromised passwords for sale on the darknet and 6.4% of employees have at least one compromised account. One U.S. cabinet-level department has a shocking 55,080 compromised identities. A study by Joseph Bonneau at the University of Cambridge found that 31% of passwords are used in multiple places. This means that for 31% of government employees whose accounts are compromised, attackers could gain access to other systems using the same password. When you consider that the average employee uses over 16 cloud services and that 37% of users upload sensitive data to file sharing services, the impact of compromised accounts is immense.
Not all risks originate outside the organization. Edward Snowden is probably the most extreme example of an insider threat. While his story is well known, the incidence of insider threats within most organizations is underestimated. Just 7% of IT leaders in government surveyed by the Cloud Security Alliance reported knowledge of an insider threat incident at their organization in the last 12 months. However, anomaly detection data from Skyhigh shows that 82% of public sector organizations experienced behavior indicative of an insider threat last quarter alone. Not all insider threats are as damaging as Snowden, but their incidence is significantly underestimated by most organizations.
On a positive note, the public sector is embracing cloud services and reaping the benefits of the cloud including improved productivity, agility, and lower IT cost. While unsanctioned usage goes against policy, many employees are simply trying to do their jobs better and get around lengthy procurement processes. Under FITARA, Federal CIOs have new responsibilities to oversee IT projects including all cloud technologies brought into the organization. By acknowledging that shadow IT reveals unmet needs within their organizations, government IT leaders can identify high-impact cloud projects and then provide an organization-approved alternative that meets security and compliance requirements.