Technology & Tools
Shadow IT and Growing Concern in the Public Sector

There’s been a lot of interest in the press recently about the use of personal devices – and indeed mobile devices in general – in the public sector workplace and (while there are benefits, especially in front-line emergency services) the security risk they can pose. No-one is suggesting this was a cause of the recent WannaCry hack, but it is a good example of how quick it is for a whole organisation to be badly affected.

Malicious software of this kind (Ransomware) blocks access to a computer or its data and demands money to release it – a type of cyber-extortion. Then it threatens to destroy the information if it doesn’t get its money (usually in bitcoin). This is the kind of attack that threatened the UK health service recently, and Telefonica in Spain, and other organisations around the world, including major attacks in Russia, the Ukraine and Taiwan.

Because a lot of ransomware is hidden inside the likes of Word documents, PDF files and other files that can easily be sent via email, it makes it particularly easy for it to spread, from PC to PC, and even unwittingly by the BYOD user. It also attacks through computers that already have a virus, or are prone to infection, because of antiquated or legacy software and systems.

A good article appeared recently in Public Technology.net “Turning the tide: how the public sector can win the battle against shadow IT.” It explains how Shadow IT – the use of IT systems and software inside an organisation, without explicit approval from Finance or IT – can leave a firm vulnerable to security breaches. And that it has become a major problem in the public sector.

Why the public sector in particular? In the NHS case, it does not appear it was specifically targeted, but this kind of service is not helped by its reliance on old, unsupported software – like other public sector departments and bodies that maybe don’t invest as much in technology as private sector organisations of a similar size. Also because there is more and more evidence that users increasingly use cloud services – sometimes on their own devices – to carry out day-to-day work in government bodies. Procurement is no exception. It’s not unheard of for an app to be downloaded, and low-end purchasing carried out because it’s quicker and easier to circumvent the procurement rules and processes.

The article highlights that “According to a survey conducted by Vanson Bourne, Shadow IT is rife in the public sector, with 33% of respondents saying that employees at their organisation regularly disregard corporate guidelines by using personal devices and file sync-and-share applications at work.”

Because public sector organisations often house data that is sensitive or business-critical, it is not always considered safe to move to the cloud, but when employees find this a quicker and more convenient route, via SaaS, PaaS or other cloud platforms, it creates the phenomenon of Shadow IT. Sometimes a government’s procurement process is found to take too long, especially if the purchase is simply needed to solve another, time-critical issue. According to the same survey: “… nearly half of the respondents think a long or cumbersome IT acquisition process is also at least partly responsible for the use of Shadow IT.”

The article suggests that it is worth re-educating “employees on the dangers, enforcing clearer IT usage policies and understanding the deficiencies in information management procedures that drive employees to shadow IT in the first place.”

It doesn’t do any harm to regularly remind ourselves that all government Directives, regulations, policies and guidance relating to the procurement of supplies, services and works for the public sector, do exist, and are easily accessible on government websites.

That’s not to say employees can’t be offered ‘authorised apps or mobile solutions to track spending data or compare prices, but they must work within the procurement and IT guidelines, and procurement must build a mobile policy into its procurement strategy if it wants to keep consistency and visibility. But also with the General Data Protection Regulation (GDPR) coming into force next year, and the accompanying heavy fines for non-compliance, it’s even more important that department’s keep control and visibility of their documents and information-handling practices.

The article offers some advice on tackling the risks of Shadow IT – and more information about the GDPR to help organisations understand the new legal framework in the EU is available on the Information Commissioner’s Office website.