Solving the puzzle of shadow IT
Solutions that provide visibility and control over IT assets and data can help agencies secure their blind spots.
Not long ago, physicians at a government health agency found that their organization’s secure email system made it cumbersome to share patient files when conferring on cases. Their solution was to share the files through a popular messaging app. Although the app encrypted communications, misconfiguration of settings could result in vulnerabilities, and use of the app didn’t comply with organization policy.
It’s a classic case of shadow IT, or employees using devices or applications that haven’t been approved by the IT department. Shadow IT is a growing issue for state and local government agencies and private-sector enterprises alike. And now that more than one-third of organizations’ IT budgets are spent by the lines of business (LoB) rather than the IT department, Gartner reports, the problem will likely grow.
For years, IT experts advised organizations to crack down on shadow IT. But when the COVID-19 pandemic required remote work, often enabled by personal devices and home-office networks, shadow IT restrictions went out the window.
The fact is, LoB-driven IT is how organizations function today. But it’s crucial for state and local government IT shops to identify the technology their people are using and protect the data that’s created, shared or stored on that technology. Fortunately, effective cybersecurity solutions can help agencies manage shadow IT while protecting their information assets.
Shadow IT stressors
In the past, IT departments provided employees with all the hardware and software they needed to do their jobs. But not all agency applications are easy to use, sometimes leading teams to perform tasks or share files in ways that aren’t supported by agency technology.
At home, intuitive mobile devices and apps put powerful capabilities at people’s fingertips. At work, if workflows aren’t similarly straightforward, employees will find easier ways to get the job done.
Likewise, public cloud services like AWS and Google Cloud make it easy for users to spin up new cloud applications and data storage in minutes. A little technical savvy and a credit card allow teams to act as their own IT and procurement departments.
But shadow IT can result in serious cybersecurity vulnerabilities. Many agencies and organizations have no idea what devices and applications their teams are using, and they have no visibility into who’s creating data, where it’s being stored and how it’s being shared. That opens them up to tremendous risk, and they can’t manage risk they can’t see.
Unmonitored, unprotected and misconfigured devices, applications and data storage are vulnerable to viruses, ransomware, malicious takeover and data damage or exfiltration. They also expose an agency to legal and compliance risks.
Maintaining security, managing shadow IT
Minimizing the risks of shadow IT calls for effective cybersecurity solutions that provide visibility and control over IT assets and data. That starts with data loss prevention (DLP), a set of technologies that enable agencies to discover, classify, monitor and protect data. DLP enables IT managers to see which devices and applications employees are using to access data, how they’re sharing that data and whether they’re violating policies for data use.
Protection continues with cross-domain solutions (CDS) for file sharing. With CDS, agencies can securely share sensitive data among trusted organizations. “Transfer guards” inspect data and allow only payloads that meet strict requirements to pass through. That way, no malware moves from one network to another, including the high-security networks of the military.
Two other useful technologies are remote browser isolation (RBI) and content disarm and reconstruction (CDR). RBI lets employees use common devices and browsers to access websites, but it isolates the web session so that no malicious code hidden on the websites can reach employee devices. CDR intercepts files as users download or share them. The technology deconstructs the content and then reconstructs sanitized, malware-free files, all in near real time and completely transparent to the user.
These security solutions ensure that regardless of the devices and applications agency employees are using, data that flows across those technologies remains safeguarded. They’re available on-premises or in the cloud, so they provide protections wherever agency staff happen to work.
Empowering the modern workplace
With today’s increasingly digital-native workforce, government agencies can no longer prevent shadow IT. A smarter approach is to allow teams to equip themselves with capabilities to become engaged, productive and effective. In fact, at least one agency has officially adopted a file storage and sharing service that employees were using anyway.
Shadow IT raises the bar on user training, however. Agencies must make sure employees receive regular lessons on how to use technology safely and how to avoid attacks such as phishing scams. All agency employees should feel that good security hygiene is their responsibility, regardless of the technology they use.
There are circumstances where shadow IT is unacceptable, of course. A health agency, for instance, simply cannot use unsanctioned messaging apps to share confidential patient data. But in the modern workplace, shadow IT is out of the bag. With the right security solutions, agencies can get shadow IT out of the shadows.
Audra Simons is senior director of global products for Forcepoint Global Government and Critical Infrastructure.