The Cyberthreat to Government That's Lurking in the Shadows

Many public employees use unsanctioned software on work computers. It poses serious security risks.

Michael Roling, Missouri’s chief information security officer (CISO), knew that some of the state’s 40,000 employees were using unapproved software they had downloaded from the cloud to their work computers and devices. But when his team ran a special software tool to figure out how extensive the practice was, they were surprised to learn that more than 2,500 unknown software programs or services were operating throughout the state’s IT network. “It was definitely an eye-opener,” Roling says. “We guessed we had some problems, but it turned out the number was far greater than what we could imagine.”

Roling isn’t the only IT official to miscalculate the size and scope of the problem. CISOs routinely underestimate the number of unsanctioned software programs that workers are using. A report from SkyHigh Networks, a software security firm, found that the typical public-sector organization uses nearly 750 cloud services -- 10 times the number IT departments expect to find.

The main reason for the explosive growth is the ease with which anyone can use these free services. Roling refers to it as the “consumerization of technology.” Years ago, you had to physically install the software on your computer using disks, and then read a manual to figure out how the software worked. “Today, you don’t need any in-depth understanding of software or computers to use these tools,” he says. “The complexity of installation has been taken out of the equation.”

Google apps, Dropbox and social media such as Facebook and Twitter, for instance, are popular mainstream cloud services that many people use. But what concerns CISOs are the less-known, less familiar services that workers might download, so-called shadow IT. Roling discovered some state workers were using a service called, which is the Russian version of Facebook. “The privacy and security of a platform like that, built in Russia, does not adhere to U.S. privacy and security laws,” he says. “That puts it into a very high-risk category.”

Security is the biggest problem with shadow IT. Whether the software is American or foreign, it often doesn’t meet the strict security standards set by government cybersecurity protocols. Popular file-sharing apps, for example, allow users to easily upload, store and download files, but they may contain viruses or malware that can spread and infect a state government network. 

Despite the risks of shadow IT, most experts agree it’s unlikely to go away. Perhaps more concerning is that it’s difficult to police -- governments can’t anticipate every program a user might find useful and download. They already block the high-risk services they find. For those that are low risk, they go ahead and approve the use of software that doesn’t duplicate a service or tool the state already has on its network. Still, Roling has launched a program to educate state workers about the risk of using shadow IT.

In the end, though, the best way to understand shadow IT may be to view it not as a people or technology problem, but as a data security problem. “In government,” says Roling, “we need to do the best job we can to ensure data remains safe.”

Tod is the editor of Governing. Previously, he was the senior editor at Government Technology and the editor of Public CIO, e.Republic’s award-winning publication for IT executives in the public sector, and is the author of several books on information management.