Jun 15 2015

Reality Check: Use of Shadow IT Is 10 Times Higher Than Believed

Skyhigh Networks looked at cloud computing use in public-sector organizations and found a chasm in perception versus reality.

The use of shadow technology is a growing problem in public-sector organizations, but how big is it? The truth is, even public-sector technology leaders are unsure.

A newly released report from Skyhigh Networks reveals some startling numbers: The average public-sector leader believes his or her organization uses 60 to 70 shadow technology solutions, but in reality the number is 10 times that.

“You can’t manage what you can’t measure,” says Kamal Shah, vice president of products and marketing at Skyhigh Networks. “Public-sector organizations need more visibility into the cloud services they are using and then come up with the proper solutions that help employees who are using these services as a shortcut to be more productive.”

Instead of the traditional survey, Skyhigh Networks based the study on its internal public-sector network traffic. The results include the behaviors of more than 200,000 public-sector employees from the federal, state and local governments, along with Canada’s federal government.

The results were scrubbed of identifiable data, but show a rapidly growing trend. On average, employees of public-sector organizations used 742 cloud-based solutions, many of which are unknown to technology leaders. A number of these services, though not all, feature high inherent security risks.

Instead of immediately shuttering access to all of these services, Shah says organizations should see it as an opportunity. Yes, cloud services with high risk – like those that fail to encrypt data or have a data center outside the United States – should be blocked.

But Shah says a number of the services employees use are completely safe. He says gaining visibility into this problem can allow the organization’s technology office to be proactive in providing the services employees want.

“If you see that 60 percent of your employees are using the same file-sharing system, it’s obvious there is a demand for that,” Shah says. “Instead of blocking everything, organizations should contact the provider and try to work out an enterprise-licensing agreement that fits with the organization’s security needs. That will provide employees with a tool they want to use and show the technology office in a positive light.”

Also in its report, Skyhigh Networks looked at the perception of insider threat incidents versus reality. Along with the Cloud Security Alliance, Skyhigh Networks surveyed IT professionals in the public sector and found that only 7 percent said they had an insider threat in the past 12 months.

The company’s data, though, showed otherwise. Looking at anomaly detection data, the company saw that 82 percent of these organizations had behavior indicative of an insider threat in the last quarter alone.

“While not all of these insiders were acted-upon threats, they showed the chasm in visibility that public-sector leaders have in some aspects of their technology,” Shah says. “This shows the threat is greater than believed. While we know that you will not be able to stop 100 percent of incidents, it’s important to invest in the process and people to deter as many as possible.”


Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.