This article is posted with permission from VC3's blog and shares non-technical, municipal-relevant insights about critical technology issues, focusing on how technology reduces costs, helps better serve citizens, and lessens cybersecurity risks. VC3 is solely responsible for the article’s content.
In the news, we’ve seen plenty of times when government employees get into a lot of trouble by using software that’s not approved by government entities. From
private email servers to
encrypted messaging apps, big problems occur when government employees download software outside of IT policy.
As a recent article by Governing points out, the risks of “unsanctioned software” or “shadow IT” ripples all the way down to local government. According to the article:
Security is the biggest problem with shadow IT. Whether the software is American or foreign, it often doesn’t meet the strict security standards set by government cybersecurity protocols. Popular file-sharing apps, for example, allow users to easily upload, store and download files, but they may contain viruses or malware that can spread and infect a state government network.
Plus, it’s easier to install software nowadays. With so much cloud software dominating our lives, city employees usually don’t need to purchase physical software, stick a CD into their computer, and install it. Cloud software is ready to go in seconds and…boom! Employees start using it immediately.
While downloading such software may be fine at the employee’s home, remember that you’re an important government entity—a municipality that needs to protect critical citizen information and comply with important laws.
The
Governing article gives a great overview of the problem but doesn’t go into many security specifics about why you need to guard against city government employees who download unauthorized software. Here are 7 questions to ask yourself about this software.
1. Who is patching and updating the software?
Software needs regular patching to fix bugs and security holes along with updates to improve performance. With authorized software, your IT staff or vendor oversees this updating and patching. If an employee downloaded the software, then critical security holes could stay open to attackers for months.
And even if employees think the software automatically updates, it’s not unusual for something to go wrong. Who is checking for this? Who is hoping things will go wrong?
2. How do you know you haven’t downloaded a virus or malware?
Employees mistakenly downloading viruses and malware—including from downloading malicious software—remains one of the leading ways that cities suffer disruption and permanent data loss. This is especially a risk when employees download lesser known software that looks appealing on the surface but is riddled with malware or viruses—giving hackers a back door to your city.
You might say, “But my employees only use well-known software.” Even if that’s the case, downloading software on their own still introduces risk. We told a story a few years ago about a tech-savvy colleague of ours who, while not a IT professional, has been involved in the information technology field for over 10 years. He downloaded what he thought was a well-known internet browser that looked like it was from a legitimate website and ended up downloading a virus. So even for “common” software, don’t take the risk.
3. What happens if your employee needs helpdesk support?
Let’s say your employee runs into a problem with an unauthorized cloud spreadsheet application. The file got corrupted somehow and then they lost access to it. Well...it’s not authorized software. Your IT staff or vendor may try to help, but success is not guaranteed.
Why? When your IT staff or vendor supports authorized software, they have installed it, updated it, patched it, maintained it, monitored it, and established a relationship with the vendor. That’s why they can easily help with authorized software problems. None of that knowledge and support framework exists with unauthorized software. When it runs into problems, you’re pretty much stuck.
4. Are you sure that your employee isn’t breaking the law?
This problem crops up with software that stores documents and communications outside of official city government channels. When you receive an open records request, then what do you do if employees are using personal cloud software like Google Docs, Yahoo email, or a file-sharing service like Dropbox. Bring out the lawyers. You’ll need them.
More importantly, these documents and communications may not follow city government security standards.
A state like Arkansas is now legally permitted to take away a city’s charter for such security gaps—and other federal and state laws look like they will eventually follow suit.
5. What happens if you lose data?
While an employee may take the initiative to back up data stored on unauthorized software, don’t hold your breath. It’s probably not happening, not happening frequently enough, or not being tested to make sure they can restore data if it’s lost. By contrast, authorized software is usually backed up professionally and overseen by IT staff or a vendor.
6. Do unauthorized people have access to data?
Government data within applications such as financial software, document management systems, and email is usually locked down and only accessible by authorized users—with user access managed by your IT staff or vendor following strict policy. With unauthorized software, who has access to sensitive data? What if your employee accidentally publicly shares a Dropbox link to documents containing sensitive information? Are you seriously relying on the individual judgment of one employee using unauthorized software rather than locking down authorized software that follows a city-wide policy?
7. What happens when software conflicts with the employee’s machine or device?
On a more tactical level, people often do surprising things when they download software. If they have an old desktop or laptop, they may download new software that the machine or operating system just can’t handle. Then, their computer breaks and guess who they call in a panic? Your IT staff or vendor.
We know. This is a tough problem to solve. It’s hard to police the use of authorized software and root out all unauthorized software. While the problem may never fully go away, you can:
- Create a clear policy about unauthorized software and the consequences for using it.
- Provide a reminder about security risks such as data breaches, permanent data loss, and breaking the law.
- Provide a list of approved, authorized software and a contact number for questions if employees want to confirm the use of a particular kind of software.