While applications like TikTok are grabbing the most headlines, these stories mask a deeper problem for municipalities — TikTok is not doing much differently than other common social media, productivity, financial, and entertainment apps in the marketplace today. Almost all of them collect sensitive data, introduce cybersecurity risks and open cities and towns up to legal liability.
As an article by GCN points out, the risks of “shadow IT” — the unauthorized use of software by employees — heavily impact local government. According to the article:
“Many agencies and organizations have no idea what devices and applications their teams are using, and they have no visibility into who’s creating data, where it’s being stored and how it’s being shared. That opens them up to tremendous risk, and they can’t manage risk they can’t see.”
You need to put policies in place to prevent employees from downloading unauthorized software. If you’ve been unconcerned up to this point, ask yourself these questions.
1. Who is patching and updating the software?
Software needs regular patching to fix bugs and security holes, along with updates to improve performance. With authorized software, your IT staff or vendor oversees this updating and patching. If an employee downloaded the software, then critical security holes could stay open to attackers for months.
2. How do you know you haven’t downloaded a virus or malware?
Employees mistakenly downloading viruses and malware remains a leading way that cities and towns suffer disruption and permanent data loss.
3. What happens if your employee needs helpdesk support?
Let’s say your employee runs into a problem with an unauthorized cloud spreadsheet application. The file got corrupted and then they lost access to it. Your IT staff or vendor may try to help, but success is not guaranteed.
Why? When your IT staff or vendor supports authorized software, they have installed it, updated it, patched it, maintained it, monitored it, and established a relationship with the vendor. None of that knowledge and support exists with unauthorized software.
4. Are you sure that your employee isn’t breaking the law?
This problem crops up with software that stores documents and communications outside of official government channels. When you receive an open-records request, what do you do if employees are using personal cloud software like Google Docs, Yahoo email, or a file-sharing service like Dropbox?
5. What happens if you lose data?
While an employee might back up data stored on unauthorized software, don’t hold your breath. It’s probably not happening, not happening frequently enough, or not being tested to make sure they can restore data if it’s lost. Authorized software is usually backed up professionally and overseen by IT staff or a vendor.
6. Do unauthorized people have access to data?
Government data within applications such as financial software, document management systems and email is usually locked down and only accessible by authorized users. With unauthorized software, who has access to sensitive data? What if your employee accidentally publicly shares a Dropbox link to documents containing sensitive information?
7. What happens when software conflicts with the employee’s machine or device?
People often do surprising things when they download software. If they have an old desktop or laptop, they may download new software that the machine or operating system just can’t handle.
Next steps
It’s hard to police the use of authorized software and root out all unauthorized software. While the problem may never fully go away, you can take these steps:
- Create a policy about unauthorized software and the consequences for using it.
- Remind employees of security risks like data breaches, data loss and breaking the law.
- Provide a list of approved, authorized software and a contact number for questions if employees want to confirm the use of particular software.
Kevin Howarth is the marketing content manager at VC3, the Municipal Association’s technology partner.