How to make a standard mobile secure enough for business use even when handling sensitive information and intelligence.
As Dan Sabbagh rightly points out in his article in the Guardian on 30 October 22, “mobiles are inherently insecure”. He also opens with the very sensible line: “We may never know just what happened with Liz Truss’s mobile, but it’s clear that ministers need to up their security game.” https://www.theguardian.com/technology/2022/oct/30/liz-truss-mobile-inherently-insecure-surprise-british-politicians-ministers-security
Another security foul-up
This most recent high-profile ‘security foul-up’ story is yet another reminder, if we needed any, that everyone relies on their mobile phones, and with familiarity comes contempt: contempt for the security and privacy of our own data as well as business information and, in this example, information that could affect national security.
Furthermore, it has been widely reported, including by the BBC (https://www.bbc.co.uk/news/uk-politics-63442813), that something happened during the summer when Liz Truss was Foreign Secretary, necessitating a new phone number and a replacement government-issued handset. And if you’re a world leader who can’t be separated from your personal phone because you’re tweeting all the time, then the potential security concerns are pretty obvious, as we outlined in this blog from a couple of years ago: https://www.armourcomms.com/2018/06/05/ss7-vulnerability-still-going-strong-near-the-white-house/
In fact, calls and other communications involving classified or sensitive data CAN be made safe on ordinary mobiles using appropriate software. However, if the user is deliberately subverting security, or is determined to leak data to malicious actors or commercial competitors, security has a much tougher job.
Securing comms on standard mobile phones – it CAN be done, quite simply
For everyone else, apps like Armour Mobile (or SigNet by Armour) can enable secure comms via a standard phone. This is something that most business people, and presumably most ministers and politicians, would prefer, as it avoids the need to carry two phones.
Great user experience – fast to deploy
As well as providing a user experience every bit as engaging as a consumer-grade app, Armour Mobile is Secure by Design and Secure by Default, based on our many years of working with the UK’s National Cyber Security Centre (NCSC). It is easy to download from the appropriate app store, and user provisioning (set-up) is controlled centrally, so that only invited, known, trusted (or indeed, vetted) users can join a community. This is in stark contrast to a consumer app, which anyone can use, and if you know someone’s mobile number, you can contact them – opening the doors wide for a whole range of phishing and social engineering attacks.
Be certain who you are talking to
All communications via Armour are protected within the app, and can only be shared with trusted colleagues in the same or a federated allow list (community of known users), ensuring that users are communicating only with the people they intended to communicate with. (This blog explains just how easy it is to spoof a call, and what you can do to prevent it: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/)
Using Armour Mobile, people, including ministers, are able to share sensitive documents and have privileged discussions, safe in the knowledge that their conversations will remain private. Details of all communications, be they voice, video, message or attachment, including associated metadata, are stored securely, preserving data sovereignty.
Engaging bolt-ons – Secure collaboration
Armour Mobile also has some useful bolt-ons that enable secure collaboration, such as Unity by Armour for secure conferencing and Recall by Armour for audit and archive. Again, all data is held within the app and on designated servers, either on a secure cloud or on-premises, ensuring that you know where your sensitive data is held at all times.
There’s really no excuse for using insecure, easily hacked, easily spoofed consumer-grade apps for sensitive business communications. If people in your organisation are still using consumer communication apps for business, it’s time to contact us and start the clean-up operation.