"The lack of awareness creates this massive shadow IT problem," he adds. "Each of us — inadvertently or otherwise — violates these policies, because many of these policies are anachronistic."
But Skyhigh's analysis indicates that the problem is real, and compounded by a significant lack of awareness within the IT department about the use of unauthorized applications. In a poll of security and IT professionals, only 7 percent said that their organization had been exposed to an insider threat over the past year. According to Skyhigh's own research, 82 percent of agencies it evaluated "had behavior indicative of an insider threat in just the last quarter."
Slightly more than 96 percent of government organizations were found to have at least one user with compromised identities. The firm points to weak passwords that employees are inclined to use for multiple services, amplifying the potential damage an agency can suffer when one account is compromised.
Shadow IT can give CIOs insight
Gupta argues that CIOs can make an opportunity out of the use of shadow IT in their organizations. Through a closer collaboration with the agency's end users, they can better address the needs of the business and improve the security posture of the enterprise.
"The mindset shift has to move from shadow IT being a real threat and a problem to shadow IT giving me insight," Gupta says. "Rather than become the department of no, how do I become the department of yes?"