7 Reasons City Employees Should Not Use Unapproved Software

John Miller, Senior Consultant, Sophicity: We put the IT in city

In the news, we’ve seen plenty of times when government employees get into a lot of trouble by using software that’s not approved by government entities. From private email servers to encrypted messaging apps, big problems occur when government employees download software outside of IT policy.

As a recent article by Governing points out, the risks of “unsanctioned software” or “shadow IT” ripple all the way down to local government. According to the article: Security is the biggest problem with shadow IT. Whether the software is American or foreign, it often doesn’t meet the strict security standards set by government cyber security protocols. Popular file-sharing apps, for example, allow users to easily upload, store and download files, but they may contain viruses or malware that can spread and infect a state government network.

Plus, it’s easier to install software nowadays. With so much cloud software dominating our lives, city employees usually don’t need to purchase physical software, stick a CD into their computer, and install it. Cloud software is ready to go in seconds and… boom! Employees start using it immediately.

While downloading such software may be fine at the employee’s home, remember that you’re an important government entity—a municipality that needs to protect critical citizen information and comply with important laws.

The Governing article gives a great overview of the problem but doesn’t go into many security specifics about why you need to guard against city government employees who download unauthorized software. Here are 7 questions to ask yourself about this software.

1. Who is patching and updating the software?

Software needs regular patching to fix bugs and security holes along with updates to improve performance. With authorized software, your IT staff or vendor oversees this updating and patching. If an employee downloaded the software, then critical security holes could stay open to attackers for months.

And even if employees think the software automatically updates, it’s not unusual for something to go wrong. Who is checking for this? Who is hoping things will go wrong?

2. How do you know you haven’t downloaded a virus or malware?

Employees mistakenly downloading viruses and malware—including from downloading malicious software—remains one of the leading ways that cities suffer disruption and permanent data loss. This is especially a risk when employees download lesser known software that looks appealing on the surface but is riddled with malware or viruses—giving hackers a back door to your city.

You might say, “But my employees only use well-known software.” Even if that’s the case, downloading software on their own still introduces risk. We told a story a few years ago about a tech-savvy colleague of ours who, while not an IT professional, has been involved in the information technology field for over 10 years. He downloaded what he thought was a well-known internet browser that looked like it was from a legitimate website and ended up downloading a virus. So even for “common” software, don’t take the risk.

3. What happens if your employee needs helpdesk support?

Let’s say your employee runs into a problem with an unauthorized cloud spreadsheet application. The file got corrupted somehow and then they lost access to it. Well... it’s not authorized software. Your IT staff or vendor may try to help, but success is not guaranteed.

Why? When your IT staff or vendor supports authorized software, they have installed it, updated it, patched it, maintained it, monitored it, and established a relationship with the vendor. That’s why they can easily help with authorized software problems. None of that knowledge and support framework exists with unauthorized software. When it runs into problems, you’re pretty much stuck.

4. Are you sure that your employee isn’t breaking the law?

This problem crops up with software that stores documents and communications outside of official city government channels. When you receive an open records request, then what do you do if employees are using personal cloud software like Google Docs, Yahoo email, or a file-sharing service like Dropbox? Bring out the lawyers. You’ll need them.

More importantly, these documents and communications may not follow city government security standards. A state like Arkansas is now legally permitted to take away a city’s charter for such security gaps—and other federal and state laws look like they will eventually follow suit.

5. What happens if you lose data?

While an employee may take the initiative to back up data stored on unauthorized software, don’t hold your breath. It’s probably not happening, not happening frequently enough, or not being tested to make sure they can restore data if it’s lost. By contrast, authorized software is usually backed up professionally and overseen by IT staff or a vendor.

6. Do unauthorized people have access to data?

Government data within applications such as financial software, document management systems, and email is usually locked down and only accessible by authorized users—with user access managed by your IT staff or vendor following strict policy. With unauthorized software, who has access to sensitive data? What if your employee accidentally publicly shares a Dropbox link to documents containing sensitive information? Are you seriously relying on the individual judgment of one employee using unauthorized software rather than locking down authorized software that follows a city-wide policy?

7. What happens when software conflicts with the employee’s machine or device?

On a more tactical level, people often do surprising things when they download software. If they have an old desktop or laptop, they may download new software that the machine or operating system just can’t handle. Then, their computer breaks and guess who they call in a panic? Your IT staff or vendor.

We know. This is a tough problem to solve. It’s hard to police the use of authorized software and root out all unauthorized software. While the problem may never fully go away, you can:

• Create a clear policy about unauthorized software and the consequences for using it.
• Provide a reminder about security risks such as data breaches, permanent data loss, and breaking the law.
• Provide a list of approved, authorized software and a contact number for questions if employees want to confirm the use of a particular kind of software.
