Managing the risks of shadow IT in the public sector

Leighton James

We’ve long been aware of the security risks of shadow IT – the use of digital tools without the knowledge or consent of an organisation’s IT or security team. These risks have been exacerbated during the Coronavirus pandemic. With lockdown measures forcing many to work from home, people are using the applications that will make their lives easier, often unaware of any security threat they might pose.

The issue is particularly significant in the public sector. Communities across the country depend on the delivery of essential services, from healthcare and education to welfare and national security, but the sudden enforcement of remote working has created a strain on delivery. A reliance on legacy tech has restrained the ability to work from afar and, consequently, employees are often forced to look for alternatives – and revert to the shadows – to keep delivering services.

Unseen Solutions

The main challenge in overcoming the use of shadow IT is that employees aren’t giving any thought to security; they’re simply looking for ways to get their work done more quickly. It’s not safe versus unsafe, but cumbersome versus agile. This is especially the case in the public sector where, in an effort to provide better service to citizens, employees and agencies will take it upon themselves to look for solutions that perform tasks more efficiently than the legacy tech they’re used to working with.

The issue, made more common by the remote working enforced during the pandemic, is that these solutions can go unseen by security teams, thereby placing data in harm’s way. Data is valuable in any industry but in the case of the public sector, it is a national asset. The country needs the public sector to drive innovation, but it simply cannot come at the cost of digital safety.

Clearly, then, there is a need for public sector organisations to improve their visibility, by increasing transparent monitoring of their employees’ software use, and by tightening up their existing governance and usage policies. This way, they can better understand what solutions are being used and, subsequently, manage them.


Providing employees with secure, scalable and agile environments to use the latest applications is also important and that means adopting cloud.

The use of cloud environments is relatively old news in the corporate world, but there is still some way to go in the public sector. There remain concerns and confusion over how it can best be adopted, meaning many organisations don’t act and continue to rely on legacy setups that may have been decades in the making. The drawbacks of this approach have never been more apparent than in a year when employees were quickly forced to leave premises and networks and attempt to complete work at home.

The need to act and adopt cloud environments has been fuelled by the situation, and the most advantageous setups are multi-cloud, a hybrid mix of public and private clouds. Fundamentally, a multi-cloud approach allows organisations to use the full diversity of cloud services, enabling them to harness the innovation and experimentation they need to make their services faster, easier, and more effective.

Guaranteeing security

As we’ve mentioned, though, security is paramount, so it’s crucial to work with a trusted partner when deploying and managing multi-cloud infrastructure. It makes sense, for instance, for public sector organisations to seek out a strategic cloud provider with experience of using cloud to deliver public services, and that will offer a mixture of cloud technology at the right classification level for that organisation. These providers should also be recognised by the Crown Commercial Service and must demonstrate how their services meet each of the National Cyber Security Centre’s Cloud Security Principles. By ensuring its partner has credentials such as these, an organisation can be confident that the partner complies with all necessary policies, regulations, and standards and will, therefore, be able to help lessen the need for employees to use shadow IT.

Ultimately, as digital technologies form a part of our everyday lives, they will naturally bleed into the public sector. Employees will see avenues to perform their roles more effectively and deliver a better service to citizens, but it must be done with the knowledge of IT. When it’s not, even though employees have the best intentions, the use of unsanctioned shadow IT is a national danger.

Public sector organisations must provide employees with the tools they need so they don’t have to revert to the shadows. Multi-cloud environments provide the perfect backdrop for a now agile workforce, while also providing greater visibility over where data is – but collaborating with the right provider is crucial.

Partnering with the right strategic cloud provider, with the right experience, and the right credentials, will go a long way to allowing the innovation, while guaranteeing the security, so important to public sector organisations and the citizens they serve.

The UKCloud team will be presenting at the Digital Government Virtual Summit on 13th May 2021.