When the lights go out, what happens to your secure comms capabilities? And how do you ensure legislative compliance – particularly in regulated industries?
If you are working in a location prone to power outages, how do your employees continue working and communicating securely if your corporate business systems are out of action? How do you ensure operational resilience?
In many areas around the world, power transmission can’t be taken for granted. Power cuts are an all too frequent occurrence in some geographic locations, for numerous different reasons. People and organisations adapt and, generally speaking, business continues.
But stop and think for a minute. Exactly how do your staff continue working? If they are using their own devices and non-corporate means of communicating, what happens when people share company-confidential information over unmanaged networks to unmanaged devices? All the issues associated with the use of shadow IT during normal operations (lack of oversight, accountability and traceability, and heightened data security risks) are magnified when there is a power outage.
A particular risk for financial services organisations is the punitive fines and loss of reputation should employees be found using non-sanctioned apps such as WhatsApp. Our previous blogs outline the details of nearly $2 bn in fines levied by the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for the use of unauthorised apps. More recently, the UK energy regulator Ofgem fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals.
How confident are you that your intellectual property, corporate data, trade secrets, sensitive customer information and commercially valuable information aren’t being put at risk?
Are Satellite Services the answer?
For those used to travelling to remote locations where landlines are non-existent and mobile coverage can be patchy, satellite services have long provided an alternative. Today satellite bandwidths are much greater and hence signals more reliable than even just 5 years ago, and while reception can be affected by atmospheric conditions (rain), services are now far more consistent.
As well as providing an alternative means of communication, using satellite services can, in some respects, be a more secure option because it does not rely on the open internet. In fact, the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP800-61, https://csrc.nist.gov/pubs/sp/800/61/r2/final) states in Section 3.1.1, Preparing to Handle Incidents, that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”
When combined with a built-for-purpose, Secure by Design secure communications platform, a satellite service can provide a strong solution for business resilience.
What do we mean by Secure Communications?
Secure communications are defined as a means by which people can share information with a strong degree of certainty that the communications remain completely private. Third parties cannot intercept or overhear what was said, and the information shared remains in the control of the sender (for example, information cannot be forwarded to other unauthorised parties).
Typically, truly secure communications run on an independent platform that does not rely on mass-use consumer technology to operate. Secure communications should include:
- Instant Messaging
- Video calls and conferencing
- Sending attachments and files while conversing
Ideally, the secure communications platform runs over a variety of networks including 3/4/5G, Wi-Fi and satellite, and will also interoperate with SIP-based PBXs, providing secure communications right to the desktop.
What exactly should you be looking for?
Consumer applications all claim end-to-end encryption, but there is a lot more to security than just encryption, so when looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and addressing each one, while providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) in its document Secure communications principles, which highlights key points to look for in a secure communications solution.
Popular collaboration apps, such as MS Teams, Zoom, Google Meet etc., may not provide end-to-end encryption because they often decrypt the data at the server in order to provide an audit capability. And if power is down, the services cannot be relied upon to be operational, even if your employees can gain access to them.
Our Buyers’ Guide provides a list of pertinent questions applicable to commercial organisations, government, defence, and the wider public sector. It covers key points recommended by NCSC as well as some additional questions that are particularly relevant to the protection and preservation of data in regulated industries such as financial services.
10 Questions to Ask
- How is data protected, both at rest on the device, and in transit?
- How does the app prove identity? Can it protect against deep fake scams?
- Where is the data stored? Does it provide data sovereignty?
- Can you separate business and personal communications? Is it suitable for use on a BYOD device?
- Is the app designed with security in mind (Secure by Design), from the ground up? Are the default settings secure?
- What are the archiving and audit options?
- Are there different levels of security to handle different classifications of data? And can people from different entities or groups communicate across the app?
- How does it handle video conference calls? Does it provide higher levels of security for conference calls?
- How would your IT/business continuity teams communicate in the event of a severe cyber breach?
- Do your existing comms and messaging arrangements meet the NCSC 7 principles for secure communications?
Ensuring compliance with industry regulations
In the event of a severe power outage, or other critical incident, being able to communicate securely is of paramount importance for keeping business running. Many organisations rely on employees using their own phones in an emergency, but when the dust has settled and the lights are back on, it will be extremely difficult to analyse what information was sent where. And with no audit trail, there will be no possibility of complying with data privacy, Know Your Customer, DORA, MiFID, GDPR or any other form of industry regulation, and little opportunity to learn from mistakes.
Armour Comms has published “Securing Communications Channels – A buyer’s guide” to help organisations identify the key points they should look for.
Download your copy here: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/