Prior to joining Google Cloud, I spent 20 years in the public sector serving in various security roles, most recently as the head of the cybersecurity division at the newly established Cybersecurity and Infrastructure Security Agency (CISA). I was responsible for delivering services and capabilities to about 100 civilian agencies, as well as our critical infrastructure for state and local partners across the country.
Throughout my time serving in the U.S. government, I spent a great deal of energy working to keep bad actors out of our systems. What I eventually realized was that we were at a disadvantage. We didn’t just have legacy systems to deal with; we also had a legacy mindset. Our policies and capabilities were overly reliant on a perimeter-based approach to defense and introduced layers of friction with tools like VPNs, which inhibited productivity and increased frustration.
I spent the last few years of my time in the government doing my best to modernize this approach to security and supporting the many people who shared this vision. While most of them are still there, doing excellent work, repeated cybersecurity breaches of U.S. government systems have interrupted vital work and cost taxpayers billions of dollars. The SolarWinds breach in 2020, for example, may have cost governments and businesses more than $100 billion and the loss of vital national security information. Yet many government agencies continue to rely on the same legacy productivity software.
Today, a new survey conducted by Public Opinion Strategies and commissioned by Google Cloud shows that many government workers echo these concerns. The survey—which polled 2,600 working Americans, including 600 workers from the D.C. metro area and 338 workers employed by federal, state, or local governments across the country—found that the majority of government employees surveyed reported being “very” concerned about cyberattacks striking their employers in the coming years. And nearly one-third of surveyed government employees in the D.C. metro area say they have experienced a disruption at work because of a cyberattack.
Results from the survey also showed a lack of satisfaction with legacy software, with more than 50% of government workers nationally responding that there are other products and services that could help them do their jobs better.
These new findings not only speak to the challenges our government employees face, but also outline an opportunity for improved innovation and security that can help government employees better achieve their missions.
Concerns about cybersecurity
The majority of respondents said they believed it was likely that the federal government would be the victim of a cyberattack in the next few years. This percentage was even higher in the D.C. metro area and among government employees, with 40% of government workers living in metro D.C. saying it was “very likely.”
Respondents in all groups—national, D.C. metro, and government employees—were more likely to be concerned about cyberattacks as the perceived threat moved closer to home. For example, 80% of those surveyed said that recent attacks have them concerned about their personal data and privacy, and that of their family members. And for those in the D.C. area or in government jobs, the numbers were consistently higher than the national average.
One likely reason for such broad concern about cyberattacks is that many respondents reported experiencing a cyberattack at work. And while more than one-in-ten workers nationally have experienced disruptions from a cyberattack, the number increased to nearly one-in-three for D.C.-based government employees—nearly three times higher than the national average.
The problem with IT ‘monoculture’
According to survey respondents, 84% of D.C. metro government employees primarily use Microsoft products at work, including Word, Outlook, Teams, and OneDrive. This is confirmed by another recent study by Omdia that found 85% of government employees use Microsoft productivity software, making Microsoft far and away the largest IT productivity vendor by market share.
This reliance on a single software suite might suggest that these products are safe and secure, but the Public Opinion Strategies survey found that more than half of all respondents said that the government’s reliance on these Microsoft products actually made the federal government more vulnerable to hacking or cyberattacks.
Given these vulnerabilities, why does government IT continue to rely on the same set of productivity tools in the workplace? The reason, according to survey respondents, has more to do with inertia than innovation. When asked why their employers used Microsoft services, around half said that the reason their employer continues to choose legacy, incumbent vendors was more about not wanting to change than wanting the most effective tool for the job.
Choice and shadow IT
Coupled with these concerns about vulnerabilities comes a noted sentiment among those surveyed that their current IT solutions are not best for their needs. About half of those surveyed who primarily use Microsoft at work said that they would prefer to have a choice to use products and services from other companies. And among those who use Microsoft at work, 43% believe there are other products and services that would allow them to do their job better.
This may be leading workers to adopt “shadow IT,” or using products and services that are not officially approved or endorsed by their IT departments. In fact, the Public Opinion Strategies survey found that 35% of D.C. metro government workers have used shadow IT to get their jobs done. And among workers aged 20 to 34, that number jumps to 41%.
Rethinking IT purchasing priorities
With so many survey respondents reporting that they are dissatisfied with their legacy IT solutions, it may be time for the government to rethink its approach to procurement. In a separate research survey from Omdia in December 2021, 250 people responsible for technology purchasing decisions in the U.S. federal, state, and local governments said that government technology and procurement practices often are more about making things easier for IT vs. choosing what employees feel would be the best solution. In fact, only 27% of officials surveyed in that research cited “user demand” as a factor affecting their purchasing decisions.
As governments work to meet the demands and preferences of their constituents—and their employees—it’s clear that there’s an overreliance on legacy solutions, despite a track record of cybersecurity vulnerabilities and poor user perception.
At Google Cloud, we believe it’s time for more diversity and choice in the tools available for our civil servants across the nation—70% of whom use Gmail outside of work, according to our survey. Government workers have the right to benefit from the same flexible, secure-by-design tools at the office that they use in their personal lives.
By: Jeanette Manfra (Senior Director, Global Risk and Compliance)
Source: Google Cloud Blog