Solving the puzzle of shadow IT

d3sign/Getty Images

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Audra Simons,
Senior Director, Global Products, Forcepoint
 

Connecting state and local government leaders

By Audra Simons

|

Solutions that provide visibility and control over IT assets and data can help agencies secure their blind spots.

Not long ago, physicians at a government health agency found that their organization’s secure email system made it cumbersome to share patient files when conferring on cases. Their solution was to share the files through a popular messaging app. Although the app encrypted communications, misconfiguration of settings could result in vulnerabilities, and use of the app didn’t comply with organization policy.

It’s a classic case of shadow IT, or employees using devices or applications that haven’t been approved by the IT department. Shadow IT is a growing issue for state and local government agencies and private-sector enterprises alike. And now that more than one-third of organizations’ IT budgets are now spent by the lines of business (LoB) rather than the IT department, Gartner reports, the problem will likely grow.

For years IT experts advised organizations to crack down on shadow IT. But when the COVID-19 pandemic required remote work often enabled by personal devices and home-office networks, shadow IT restrictions went out the window.

The fact is, LoB-driven IT is how organizations function today. But it’s crucial for state and local government IT shops to identify the technology their people are using and protect the data that’s created, shared or stored on that technology. Fortunately, effective cybersecurity solutions can help agencies manage shadow IT while protecting their information assets.

Shadow IT stressors

In the past, IT departments provided employees with all the hardware and software they needed to do their jobs. But not all agency applications are easy to use, sometimes leading teams to perform tasks or share files in ways that aren’t supported by agency technology.

At home, intuitive mobile devices and apps put powerful capabilities at people’s fingertips. At work, if workflows aren’t similarly straightforward, employees will find easier ways to get the job done.

Likewise, public cloud services like AWS and Google Cloud make it easy for users to spin up new cloud applications and data storage in minutes. A little technical savvy and a credit card allow teams to act as their own IT and procurement departments.

But shadow IT can result in serious cybersecurity vulnerabilities. Many agencies and organizations have no idea what devices and applications their teams are using, and they have no visibility into who’s creating data, where it’s being stored and how it’s being shared. That opens them up to tremendous risk, and they can’t manage risk they can’t see.

Unmonitored, unprotected and misconfigured devices, applications and data storage are vulnerable to viruses, ransomware, malicious takeover and data damage or exfiltration. They also expose an agency to legal and compliance risks.

Maintaining security, managing shadow IT

The solution to minimizing the risks of shadow IT is effective cybersecurity solutions that provide visibility and control over IT assets and data. That starts with data loss prevention (DLP), a set of technologies that enable agencies to discover, classify, monitor and protect data. DLP enables IT managers to see which devices and applications employees are using to access data, how they’re sharing that data and whether they’re violating policies for data use.

Protection continues with cross-domain solutions for file sharing. With CDS, agencies can securely share sensitive data among trusted organizations. “Transfer guards” inspect data and allow only payloads that meet strict requirements to pass through. That way, no malware moves from one network to another—including the high-security networks of the military.

Two other useful technologies are remote browser isolation and content disarm and reconstruction. RBI lets employees use common devices and browsers to access websites, but it isolates the web session so that no malicious code hidden on the websites can reach employee devices. CDR intercepts files as users download or share them. The technology deconstructs the content and then reconstructs sanitized, malware-free files—all in near real time and completely transparent to the user.

These security solutions ensure that regardless of the devices and applications agency employees are using, data that flows across those technologies remains safeguarded. They’re available on-premises or in the cloud, so they provide protections wherever agency staff happen to work.

Empowering the modern workplace

With today’s increasingly digital-native workforce, government agencies can no longer prevent shadow IT. A smarter approach is to allow teams to equip themselves with capabilities to become engaged, productive and effective. In fact, at least one agency has officially adopted a file storage and sharing service that employees were using anyway.

Shadow IT raises the bar on user training, however. Agencies must make sure employees receive regular lessons on how to use technology safely and how to avoid attacks such as phishing scams. All agency employees should feel that good security hygiene is their responsibility, regardless of the technology they use.

There are circumstances where shadow IT is unacceptable, of course. A health agency, for instance, simply cannot use unsanctioned messaging apps to share confidential patient data. But in the modern workplace, shadow IT is out of the bag. With the right security solutions, agencies can get shadow IT out of the shadows.

Audra Simons is senior director of global products for Forcepoint Global Government and Critical Infrastructure.

NEXT STORY: Local cyber budgets growing but still inadequate, survey finds

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.