Shadow IT can be loosely defined as the incorporation of any information technology introduced into an organization that is not necessarily approved by management. One of the most common examples of shadow IT is using a consumer-grade application for work purposes; however, shadow IT can include everything from working on devices that are explicitly prohibited under corporate policy to running jail-broken applications on work systems.
Technically, this problem has existed as long as there were IT statutes in place that could be broken. However, as more end points are introduced to working environments - many of which are personal devices ostensibly allowed under bring-your-own-device policies - the opportunities for shadow IT have risen exponentially. This means that potential cyberthreats are also more numerous. More alarming is the fact that studies suggest chief information officers and other enterprise IT leaders are not always cognizant of just how prolific this trend may be within their organizations.
One sector that simply cannot afford to risk staring down cyberthreats associated with shadow IT is law enforcement, and it is precisely for this reason that the Criminal Justice Information Services (CJIS) Security Policy exists at the federal level. With the right safeguards in place, CJIS compliance can be achieved, and shadow IT can be nipped in the bud before any issues arise.
The threat of shadow IT in law enforcement is unique in that it typically will not entail the downloading or installing of unauthorized applications onto police or FBI systems. The more likely scenario is privilege escalation, in which certain personnel are accidentally - or carelessly - given access to classified or top-secret repositories of information. This data may include anything from current intelligence regarding an ongoing investigation to information about potential threats of criminal activity. In either situation, this sensitive data must be safeguarded, and only accessible by authorized personnel who are well-vetted in proper procedures to protect such sensitive documentation.
This is especially true given that certain law enforcement information may regularly be shared with lawyers, court systems and even technology vendors. There are stringent guidelines in place to ensure that this information is shared via secure portals; however, it is equally as important to guarantee that privilege escalation - whether accidental, malicious or otherwise - does not occur. This could interfere with the integrity of an investigation or trial.
At the consumer level, passwords are typically the most relied-upon form of authentication. While incorporating numbers and special characters can significantly boost the strength of a given password, this single-factor methodology for security is insufficient in high-stakes organizations such as law enforcement.
"Single-factor methodology for security is insufficient in high-stakes organizations."
According to TechTarget, rainbow tables are capable of cracking a password that has 14 characters and multiple numerals within around 160 seconds or so, and security agencies have tools that can perform the same function at 10 times the capacity. If, for example, low-clearance personnel were targeted in a social engineering scheme, or somehow accessed the password database in a non-secure manner, it's highly likely, then, that this information would pass into the wrong hands. After all, there are ample ways to gain access to passwords - even if they are encrypted, and especially if government-level technology from a foreign power is in use.
Enter two-factor authentication. Simply by adding a second layer of authentication in the form of a text message, email - perhaps with the inclusion of a secret question - or other variant of soft token, a password breach would not necessarily grant an unauthorized user access to sensitive law enforcement information.
By taking this concept a step further, and applying token authentication in the form of a key fob, or even a SIM card, access to physical stores of information can also be safeguarded. For good measure, the inclusion of biometric-based authentication is also becoming more common - especially in environments that demand top-notch security. For example, the use of voice and facial recognition, retina and iris scans, fingerprint scans and even finger-vein scans supply an added layer of security that is extraordinarily difficult to bypass. In the event that lower-level personnel are mistakenly given security clearance or are manipulated by a special-interest, outside party, there will be barriers in place to ensure the continued safety of highly sensitive or top-secret law enforcement data.
The same applies to IT staff and technology vendors that may work on-premises at a law enforcement facility, or regularly visit headquarters to maintain a certain system. Advanced authentication can prevent these employees or vendor representatives from accessing privileged information, or from accidently over-stepping boundaries, so to speak. These are risks for law enforcement facilities that are simply not worth taking.
So don't take them. Leverage reliable, multifactor authentication.