Increased threat levels for arson, assassination and sabotage – Are your emergency communications ready?

During a cyber incident, your usual communications channels may not be available. You may need to establish alternative ways to keep in touch with staff, stakeholders and customers, using phone lines, messaging apps or social media platforms – NCSC

In the past couple of weeks, UK intelligence and security organisations have been raising threat levels. The National Protective Security Authority (NPSA) has updated its threat picture regarding the likelihood of Russian state sabotage, and issued guidance on how to counter the risk of sabotage to UK interests and national security. At about the same time, NCSC has issued guidance on effective communications in a cyber incident. And, the Economist published an article entitled: Vladimir Putin’s spies are plotting global chaos, citing named sources from both MI5 and MI6. It states that the number of incidents in Europe has grown dramatically, listing examples in Germany, France, UK, Poland, America, Africa and the Middle East.

Obviously, we are all aware of the on-going war in Ukraine, and we’ve heard about the allegations of Russian tampering with the last US election. However, the threat is increasing and now coming demonstrably closer to home.

Prepare with incident management and response

One way that organisations can protect themselves is to prepare for such threats with incident management and response policies and processes, set up and tested in advance. Threats include physical sabotage, which might be particularly targeted at organisations providing critical national infrastructure (CNI; which the EU NIS2 has widened beyond government and public administration, critical infrastructure, finance, telecommunications, to include sectors such as postal and delivery, food production/distribution, chemicals production/distribution, high-tech manufacturing, hospitals, diagnostic laboratories, medical device manufacturers, pharmaceutical companies, and other life sciences organisations). But the threats also include cyber attacks on almost any type of business for the purposes of extortion, disruption and general mischief making.

Communication with external third parties is crucial to protect corporate reputation

Secure communication with key stakeholders is one area that many organisations overlook in the panic to deal with a serious incident. Indeed, it is one of the first points that NCSC makes in its guidance document for effective communications in a cyber incident (referred to above), which goes on to state that “…effective communication to staff, stakeholders, customers and the media is crucial for shaping how an organisation is perceived.”

NCSC advises that a key step for preparing communications strategy as part of incident response is to set up an alternative communications channel, i.e. one that does not rely on the organisation’s usual channels, since these may have been compromised in the attack.

Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. Groups can be internal and external, typically including suppliers, law enforcement, internal groups, employees, key stakeholders and the SOC team, etc.

If your organisation relies on mass-adoption infrastructure for critical communications, it is difficult to communicate with external parties without trusted, secure federated groups already in place. Indeed, NIST SP 800-61 recommends having multiple backup communications solutions in place.

Our previous blog In the midst of a cyber attack, who you gonna call? And how? explains the challenges in more detail.

How do current systems stack up?

Think for a moment about how your organisation communicates currently. You probably use mass-adoption desktop platforms that include messaging and collaboration tools, which are often the basis for an entire enterprise technology infrastructure with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were no longer working, how would the business operate? What would be the ramifications for your employees trying to do their jobs and communicate with colleagues?

An organisation using a compromised service doesn’t need to be the subject of the attack; it can become collateral damage despite not being a target, simply by relying on the service and not having a secure alternative.

Ensuring you have the right infrastructure components for effective incident management and response is key

For all organisations it is crucial to have a back-up communications channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.

A standalone, independently or in-house hosted secure communications platform that is as engaging and easy to use as a consumer-grade app can ensure that employees have a solution that keeps data secure, while providing the capability to communicate effectively.  Such platforms deliver:

  • Data protection using UK Government and NATO approved tools, Secure by Design/Secure by Default
  • One easy-to-implement solution that enables multi-domain integration of communications amongst trusted third parties and stakeholders
  • Instant, remote and mobile secure collaboration

What is an ‘out-of-band’ communications channel?

An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure: It is a system that can operate completely on its own as a standalone solution, i.e. it doesn’t rely on email, Microsoft Office/365, or other mainstream systems. An out-of-band communications platform can work when other systems are compromised and its standalone nature protects it from the attackers.

NCSC Exercise in a Box – testing resilience

NCSC’s online tool Exercise in a Box is aimed at organisations of all sizes, in all sectors, and shows how to test resilience to a cyber attack. The free-to-use tool provides a range of exercises that give organisations a safe environment in which to practise how they would respond to a cyber attack. As they develop their internal processes, they can repeat the exercises to see how their cyber resilience stance has improved.

How Armour can help

Armour provides a single platform for communicating securely even on BYOD devices, keeping control of the data without the requirement for an MDM. It enables secure calls (audio and video), video conferencing, and secure instant messaging with document exchange, using personal, off-the-shelf smartphones and desktops. This allows trusted colleagues to share and discuss sensitive information, protected from eavesdroppers, even in the event of a cyber attack.

Armour can also provide a secure archive/audit capability, as required by regulated industries and public sector bodies where a record of material conversations/communications, including voice/messages/video, is a legal imperative and may be required for FoI responses. A recording of the incident response may be needed for internal review, for criminal proceedings against the hackers, and for the organisation to review and refine its incident management processes in the future.

Users/call groups are centrally managed, and people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE secure social media protocol) means that users can be confident when using the platform that they are communicating with who they think they are.  Armour addresses the issue of identity-spoofing and ghost-callers, particularly useful when video conferencing.

With the Armour Comms platform, organisations are able to create internal and external user groups and integrate them into business continuity processes, ideal for when communication with distinct groups of stakeholders is imperative. In addition to pre-defined call groups, new people can quickly be provisioned onto the service via secure QR codes and by downloading the app from the appropriate app store.

Armour can be deployed as a cloud or on-premises installation which preserves data sovereignty by giving full control as to where data resides, as well as providing the independence from third party solutions required to provide an ‘out-of-band’ emergency communications channel.

And, of course, Armour can also be deployed for day-to-day, sensitive communications (with built-in audit compliance), if your business needs to protect its C-suite users, frequent overseas travellers, etc.

Secure Communications Buyer’s Guide

For more comprehensive information about what you should be looking for in an ‘out-of-band’ secure communications platform, download our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

Is Cloud Repatriation the new trend?

It’s certainly better for data sovereignty and some prefer it for security too.

AWS has stated that it is facing stiff opposition from on-premises infrastructure in a recent Competition and Markets Authority (CMA) case.  This could simply be AWS supporting its position that it provides a suitably flexible service that customers are able to move some or all of their IT back on-premises if they so desire.  However, there are a growing number of high-profile cases where organisations are moving back in-house – a process now termed cloud repatriation. One organisation says that it saved $1 million after a cloud hosting bill for $3.2m prompted them to undertake a cloud repatriation project; they expect to save $10 million over the next five years.

Is this just the latest chapter in the in-house versus out-sourced trend? Those who have been in IT or business services for any length of time will have seen such cycles played out before, so could it be that after the rush to push everything into the cloud, we are now seeing a correction?

Public Cloud restricts Data Sovereignty capabilities

Organisations are starting to not only add up the financial costs but also consider the potential risks due to the lack of flexibility with having all their data and workflows in the cloud.  Data sovereignty is becoming increasingly important as the assumption that ‘globalisation is always the answer’ looks somewhat shaky given current global political frictions and uncertainty.  Recently, Microsoft admitted that it couldn’t guarantee UK data sovereignty, even for UK government customers. Which instantly begs the question: Where should particularly sensitive data be stored, which really shouldn’t be leaving sovereign soil?

In the same article The Register quoted a senior research director for EMEA at IDC, stating that cloud repatriation is becoming more common. However, a more important trend in EMEA is that over half of companies still have a preference to deploy workloads into their private infrastructure, rather than the public cloud.

This chimes well with our own experience of providing secure communications solutions for higher assurance customers, where the ability to provide an on-premises solution is paramount.

On-premises – the extra facilities

The option to deploy the Armour® Secure Communications Platform in-house provides many security benefits that are not offered by the mass-adoption collaboration products or free-to-use consumer apps. An on-premises deployment renders communications completely private, not just secure and sovereign. You can add your own protective measures to anonymise traffic and ensure only you have access to the metadata, which could give a potential attacker or eavesdropper so much potentially useful information.

This deployment option puts our customers in complete control of their data; they know exactly where it is being stored, and have total control over who has access to it.

Suitable for higher assurance video conferencing

Security conscious organisations such as government departments, the military, defence contractors and public sector bodies all need products designed with their specific requirements in mind. The Armour Secure Communications platform is built to give organisations control of where they deploy and where their data resides, with both secure hosted and on-premises options available. It addresses issues such as GDPR and industry-specific regulations including DPA 2018 Part 3 as cloud-based providers often cannot satisfy sovereign needs.

Armour Recall™ captures, retains and archives data to ensure organisations keep control of their data, can prove compliance and can respond to Freedom of Information requests.

Armour Unity™ delivers secure conferencing in an easy-to-use app for mobile use and is available in several configurations to ensure the level of security matches the sensitivity of the conversation.

Armour Connect™ provides voice and video interoperability with unified comms systems, and Armour Bridge™ delivers messaging interoperability with other messaging apps.

Total control of data

Strict security measures within Armour give the organisation total control over data. For example, constraining message retention, Message Burn (automatically deleting messages after a set time), controlling features like forwarding/sharing data, and erasing all data in the event of device (or user) compromise.

Mitigate impersonation-based attacks with identity-based authentication

Users and call groups are centrally managed, such that people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE protocol) means that users can be confident when using the platform that they are communicating with who they think they are.  In this way Armour addresses the issue of identity-spoofing and ghost-callers, including AI-generated deepfakes.

Federated secure communications – share confidential information   

The Armour Platform can provide a multi-domain, multi-organisation structure with strictly siloed security, making it suitable for federated secure communications between Armour communities. This means that different police forces, government departments or social services (for example) using Armour are able to communicate, once Admins have set up the appropriate links between the groups of users, while each organisation retains total control over its own user lifecycles.

Cloud repatriation puts you back in control of sensitive data

Analysts agree that the cloud is here to stay, but organisations are now taking a more considered approach when it comes to deciding which workflows and data they commit to the public cloud. When it comes to data security and protecting sensitive information there is no one-size-fits-all.

For more information about protecting your sensitive communications, particularly for higher assurance requirements, contact us today: sales@armourcomms.com or visit us at SDSC UK stand 29B, where we’ll be showing our new Armour Unity secure conferencing capabilities and our Advanced Mobile Solutions.

Introduction of New Pricing Packages

Dave Holman, director and co-founder of Armour Comms, explains what they are and why we’re introducing them.

Armour® Communications will soon be celebrating our 10th anniversary.  In that time the technological and threat landscape has changed considerably.  Our product set has grown from a single solution to provide robustly secure mobile communications, mainly for voice calls and instant messaging, to a comprehensive platform for secure collaboration.

The multi award-winning Armour Secure Communications Platform now incorporates secure video conferencing, file attachments, and comprehensive interoperability via any number of integrations and bridges to other technologies. Secure archive and audit are now also available – a hugely complex piece of engineering to support compliance requirements of regulated industries such as financial services, health, and legal, and those that need to comply with Freedom of Information requests, such as local authorities, NHS, blue light services and organisations providing critical national infrastructure.

The Armour Secure Comms Platform meets the NCSC’s 7 Principles of Secure Communication and is Secure by Design and Default.  It also provides UK data sovereignty – something which mass adoption services such as Microsoft Teams cannot – even for government customers.

All this to make secure collaboration seamless, and as easy to use as a consumer product

Growing requirements to meet a growing threat level

As our solution capability has grown so too has our customer base, in terms of both numbers and breadth of industry sectors served.  Once secure comms was the preserve of government departments (although sometimes news stories would belie this fact!), special services, military and other security conscious organisations. Now with threat levels rising exponentially and the advent of AI and deepfake technology, many more organisations are looking to protect their business communications, ensure compliance with data protection legislation and guard against financial fraud.

Packaged solutions to meet different requirements

With all of this in mind we have put a great deal of thought into how we can best present our products in a series of packaged bundles, to make it easier for organisations to ascertain the level of service that they require and then procure it for a simple price per user that makes budgeting more transparent. The Armour Secure Communications Platform is now available in a range of flexible packages to suit most deployment requirements from a fully managed, turnkey solution; to hosted/self-managed; and full on-premises installations.

In brief here are the three packages, all of which can be tailored to meet specific requirements.

Armour Cloud

A fully managed SaaS solution for standard deployments for SMB/SME sized organisations, with one simple affordable price and a minimum user base of 100 licences. Armour Cloud™ is aimed at organisations looking to replace the use of consumer apps, improve security of mobile communications mitigating deepfake and impostor-based cyber threats, retain control of corporate data including data sovereignty, and for improved security, GDPR and regulatory reasons.

Armour Cloud is also ideal for organisations looking for an out-of-band communications channel with which to handle incidents or to protect sensitive C-suite communications.

Armour Cloud+

A SaaS solution for SMB/SME sized organisations to manage their own users for standard deployments, with a minimum user base of 250 licences.  The package includes secure recording, archiving and audit of voice and instant messaging conversations, with interoperability by extending the reach of mobile secure communications to enterprise unified communications systems which include desk phones and IP soft phones.

Armour Cloud+ is ideal for any regulated organisation and those that need to respond to Freedom of Information requests.

Secure video conferencing can be added as an optional extra, as required.

Armour Enterprise

Configured to provide a solution that supports the robust requirements of higher assurance and SME/Enterprise organisations that need complete control over all aspects of their secure communications. Armour Enterprise™ is provided as either an on-premises implementation or via a number of SaaS options. Secure interoperability with enterprise unified communications including desk and IP soft phones, secure video conferencing and secure archive and audit are also included within the packaged price.  Armour Enterprise has a minimum user base of 50 licences.

 

For more detail please download our new Packages brochure: CLICK HERE

Smarter communications – How to deal with AI-generated impersonation-based attacks

Technology is evolving like never before, bringing with it so-called artificial intelligence (AI) and huge increases in computing power that are set to deliver all manner of improvements for the human race, for example, new breakthroughs in healthcare and fighting disease. However, powerful new technology can equally be used for malign purposes, bringing increased threats. From fraudulent financial transactions to misinformation that puts soldiers’ lives at risk, AI is fuelling the latest attack vectors against nation states, government departments, and enterprises alike.

A growing number of FTSE companies have been subjected to convincing impersonation-based attacks attempting fraud, with five attacks on FTSE 100 companies and one on a FTSE 250 reported so far this year, and this is probably just the tip of the iceberg. AI has been used to generate deepfake clones of CEOs that then instruct employees to transfer money for a deal that requires speed and secrecy – a takeover for example.  The attacks, which typically use a mix of unmonitored and insecure instant messaging (e.g. WhatsApp) and voice calls using the cloned voice, are now so prevalent they have been dubbed the ‘CEO scam’.

While the reporting of these cases focuses on the financial fraud aspects of impersonation-based attacks, it is not difficult to see how this technology could be put to even more nefarious purposes, for example, by nation states looking to subvert the democratic political process, disrupt critical national infrastructure, or gain military intelligence. Indeed, only a few weeks ago the then Foreign Secretary, David Cameron, was the victim of a hoax video call from someone pretending to be the former Ukrainian President Petro Poroshenko, with whom he’d had numerous face-to-face meetings. Fortunately, Mr Cameron thought something was amiss when sensitive information was requested and so finished the call.

With the growth of AI, impersonation-based attacks using deepfakes will become more commonplace and even more believable. This is reinforced by an assessment from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) (https://www.ncsc.gov.uk/news/global-ransomware-threat-expected-to-rise-with-ai), which reports that the growth and accessibility of AI will rapidly increase the number and believability of ransomware and other attacks. As AI gathers momentum, the barrier to entry is lowered, meaning that relatively unskilled threat actors such as novice cyber criminals, hackers-for-hire and hacktivists are able to carry out more effective attacks.

So what can organisations do to protect themselves from what is fast becoming a new attack vector?

Tackling Deepfakes and other Impersonation-based attacks

Eventually people will become better able to spot deepfakes, in the same way that most of us don’t believe every photo we see, knowing that it is all too easy to manipulate images using software. However, there is an immediate need for organisations to do everything they can to protect themselves and their employees from becoming victims of this newest threat.

Increasingly, authenticating the source of news, content, and all manner of communications is critical. Being able to trust that you are communicating with the genuine person (and not an impostor) will be a key to safety online, and for any type of transaction, whether that is taking financial or legal instructions from colleagues or customers, sharing commercially sensitive information with third-parties in the supply chain, or discussing matters of state with trusted advisors and co-workers.

Identity-based Encryption will help to mitigate the risk

Technology is already available to protect sensitive business communications via voice, instant messaging and video conferencing. Secure communication solutions that use identity-based encryption, such as the NCSC’s MIKEY-SAKKE protocol (https://www.ncsc.gov.uk/information/the-development-of-mikey-sakke), help organisations to verify that only approved participants can join a group call or chat group, meaning that everyone on a video conference call (for example) has been authenticated. This type of security feature is NOT provided by mass-adoption communication platforms, where very often all that is needed to set up an account is a mobile phone number or email address, and those are very easily spoofed, hacked or compromised (e.g. by SIM-swapping).

For protecting the most sensitive of conversations, such as state secrets, military movements, or government negotiations, there are highly secure, on-premises communications solutions that can be used. By running an on-premises solution, organisations significantly reduce the potential attack vectors, as well as keeping total control of every aspect of their sensitive communications.

However, every organisation has important information that they would not like to fall into the wrong hands, for example, price lists, customer details, product formulae, legal or financial instructions from clients, clinical or pharmaceutical research findings, patient records, amongst many other things. All organisations can benefit from using a secure communications platform to protect corporate assets and intellectual property.

Whether deployed on-premises (on in-house servers), or as a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures UK data sovereignty, i.e. organisational data stays on sovereign soil (something that Microsoft has recently admitted it can’t guarantee, even for UK Government users) and data separation (no mixing of data, be that of different classifications of data, or business and personal).

As this recent proliferation of impersonation-based attacks demonstrates all too vividly, organisations of every shape and size in both public and commercial sectors need to start taking the cyber security of their communications seriously.  This means banning the use of unsanctioned shadow IT for business purposes.  When a built-for-purpose, Secure by Design secure comms platform can provide a slick user experience to rival any consumer app, plus the ability to manage and control organisational data, there is really no need to use consumer-grade apps.

All eggs in one basket – What happens when tech giants stumble?

Operational and cyber resilience is key to incident management and business continuity.

This morning the world has woken up to chaos, with many airports cancelling flights, supermarkets unable to process payments and taking cash only, and major broadcasters struggling to get back on air. Even the systems for the Paris Olympics, due to start in a week’s time, have been affected. https://www.bbc.co.uk/news/live/cnk4jdwp49et

The reason? There’s been a glitch with Microsoft Windows 10. Currently it is believed that this was introduced by a product update from CrowdStrike.

Safety in numbers – not necessarily

Businesses go with huge tech giants because they believe that they are a safe bet, that they provide everything a company needs, and that they are impregnable. To be fair, end-to-end technology from the same vendor does make life easy in so many ways. BUT, what happens when it goes wrong – as it has done today? Critical systems are down, and what back-up systems do they have in place?

This incident highlights the dangers of having all of your eggs in one basket! From a security perspective it is important to have independent systems that will still run even when the largest software vendor on the planet has a meltdown.

Out-of-band secure communications channel

This is where Armour comes in.  The Armour Secure Communications Platform provides independent voice calling, instant messaging and video conferencing. It can be installed on-premises for total control and security, or hosted via a secure cloud. Many of our customers use Armour as an out-of-band emergency comms channel, for additional operational resilience and cyber security.

Contact us today for more information about how to make your emergency communications more resilient: sales@armourcomms.com, or read our Buyer’s Guide: Download Here

Sharing secrets amongst friends – how do you securely communicate with multiple consortium partners and your military customers?

View our on-demand webinar to find out more 

As cyber-espionage, state-sponsored attacks, impersonation and identity-based attacks powered by AI and deepfake technology become mainstream, so details of sensitive communications – typical of defence projects, consortium-based bids and amongst supply chain partners – are at severe risk of compromise. Attacks may come from a range of actors including hostile nation states, repressive regimes and terrorist groups, corrupt competitors willing to pay for illicitly-gotten information and disgruntled (ex-) employees.

Add to this the latest revelations by Computer Weekly, that Microsoft has admitted that it cannot guarantee the sovereignty of UK data hosted on its hyperscale public cloud infrastructure. This is particularly worrying for government departments, military and defence organisations, as well as the wider public sector.

Recently the BBC reported that Germany admitted to a hack by Russia of a military meeting where officers discussed giving Ukraine long-range missiles, and their possible targets. https://www.bbc.co.uk/news/world-europe-68457087

By not using a secure communications platform designed specifically to protect sensitive conversations, people are making it easier for adversaries than it should be.

Any organisation that collaborates with others and shares commercially sensitive information needs to take robust action to secure its internal, external and supply chain communications to avoid becoming a victim of malicious attacks. Organisations delivering mission-critical capabilities to our armed forces also need to consider the operational impact of any data breach on UK military personnel, as well as any financial loss or embarrassing reputational damage. The resulting loss of contracts and commercial/brand value is even more critical for those working in the defence and government contractor sectors.

How can consortiums communicate securely?

Consortiums working together on major programmes such as critical national infrastructure, defence projects, and other multi-company, international undertakings need to be able to communicate securely.

Projects that involve highly sensitive information that must be shared securely amongst participants from different organisations, potentially spanning the globe, such as FCAS and GCAP members, pose a particularly tough security challenge, so what is the answer?

Three key problem areas

When looking at how to communicate securely with colleagues in external partner organisations there are three key considerations.  These are:

  • IT systems that are designed to keep people out and data in – how do you open them up to trusted colleagues and consortium partners securely when they are supposed to be locked down?
  • Managing data with different classifications – when you can’t use the same communications app. Which app should people use?
  • Impersonation-based attacks – AI generated deepfakes are highly believable now – how can you be sure that you are communicating with who you think you are, and not an impostor?

 

Mass-adoption applications are NOT secure enough

Mass-adoption communication applications offer ubiquitous ease of use, but they have not been designed for use in markets that require higher levels of security to protect the type of data shared by defence contractor consortiums and bid groups.

On top of this, well-funded and highly capable adversaries are constantly looking for ways to attack such solutions and exploit the information gained as a result. Using products not specifically designed to address the complex needs of high assurance organisations introduces unnecessary risk to all organisations within the supply chain, the consortium, and their customers.

A Secure Communications Platform

A standalone, independently or in-house hosted secure communications platform that is as engaging and easy to use as a consumer-grade app can ensure that employees have a solution that keeps data secure, while providing the capability to communicate effectively.  Such platforms deliver:

  • Data protection using UK Government and NATO approved tools, Secure by Design/Secure by Default
  • One easy-to-implement solution that enables multi-domain integration of communications amongst consortium members
  • Instant, remote and mobile secure collaboration
  • Time saved by reducing unnecessary commutes to secure meeting venues

Our on-demand webinar: Sharing secrets amongst friends – How to securely collaborate with bid partners, provides some of the answers to sharing extremely sensitive information with bid and consortium partners securely, with:

  • Standards-based, certified secure communications platforms
  • Federated secure communications
  • Identity-based encryption and authentication

 

Watch here:  LINK  

5 FTSE 100 companies have suffered impersonation-based (deepfake) frauds already this year

Will your organisation be the next victim of a ‘CEO scam’?

The Times recently reported that a growing number of FTSE companies have been subjected to convincing impersonation-based attacks. AI has been used to generate deepfake clones of CEOs that then instruct employees to transfer money for a deal that requires speed and secrecy – a takeover, for example. The attacks, which typically use a mix of instant messaging (WhatsApp) and voice calls using the cloned voice, are now so prevalent they have been dubbed the ‘CEO scam’.

Five attacks on FTSE 100 companies and one on a FTSE 250, including the likes of WPP, discoverIE and Octopus Energy, have been reported, but it is likely that the true figure is substantially higher. Currently the National Fraud Intelligence Bureau, which is responsible for recording fraud cases in the UK, does not monitor impersonation-based attacks. However, the FBI’s Internet Crime Report for 2023 highlights that phishing schemes (which use unsolicited e-mail, text messages, and telephone calls purportedly from a legitimate company to request personal, financial, and/or login credentials) were the most frequently reported crime in 2023.

While The Times article focuses on the financial fraud aspects of impersonation-based attacks, it is not difficult to see how this technology could be put to even more nefarious purposes, for example by nation states looking to subvert the democratic political process, disrupt critical national infrastructure, or gain military intelligence. Indeed, only a few weeks ago the then Foreign Secretary, David Cameron, was the victim of a hoax video call from someone pretending to be the former Ukrainian President Petro Poroshenko, with whom he’d had numerous face-to-face meetings. Fortunately, Mr Cameron smelt a rat before any sensitive information was disclosed and finished the call.

How to mitigate the risk of deepfake fraud

The proliferation of AI-generated deepfake impersonation attacks has spiralled, and will only get worse as the technology continues to evolve. One way that organisations can protect against this threat is to use a secure communications platform that utilises identity-based encryption. Protocols such as the NCSC’s MIKEY-SAKKE ensure that people can be confident that they are communicating with who they think they are and not an impostor.

As these recent attacks demonstrate all too vividly, organisations of every shape and size in both public and commercial sectors need to start taking the cyber security of their communications seriously.  This means banning the use of unsanctioned shadow IT for business purposes.  When a built-for-purpose, Secure by Design secure comms platform can provide a slick user experience to rival any consumer app, plus the ability to manage and control your organisation’s data, there is really no excuse to use consumer-grade apps.

Whether deployed on-premises (on your own servers), or as a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures data sovereignty (your data stays on sovereign soil, something that Microsoft has recently admitted it can’t guarantee, even for UK Government users) and data separation (no mixing of data, be that of different classifications of data, or business and personal).

For more information about how the award-winning, Armour Secure Communications Platform can protect your organisation’s sensitive conversations, contact us today: sales@armourcomms.com

 

 

Microsoft admits that they can’t guarantee UK data sovereignty.

In revelations by Computer Weekly, Microsoft has admitted that it cannot guarantee the sovereignty of UK data hosted on its hyperscale public cloud infrastructure.  This worrying development was discovered via a Freedom of Information (FOI) request to the Scottish Police Authority (SPA).

SPA has discovered that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas, a situation that is also likely to be true for all UK government users.

In a detailed article Computer Weekly explains the situation.  Part 3 of the Data Protection Act (DPA) 2018 says that law enforcement data must be kept within the UK, as must all public sector data under the G-Cloud 14 framework regulations. In the article it states that Microsoft has confirmed for the first time that a guarantee of sovereignty for ‘data at rest’ does NOT extend to ‘data being processed’, NOR does it cover the provision of support which may entail accessing data. Microsoft, in common with many multi-national suppliers, provides ‘follow-the-sun’ support, meaning that people providing support outside of UK office hours are not necessarily going to be UK-based.

Furthermore, in a separate FOI response from SPA, as recently as May 2024 Microsoft confirmed that they cannot guarantee data sovereignty for M365 (Microsoft 365 is a suite of productivity apps that includes Microsoft Teams, Word, Excel, PowerPoint, Outlook, and OneDrive). As many police forces, government departments and the wider public sector rely on M365 for day-to-day desktop operations, this raises the question: what is happening to classified data, and how can it be handled in accordance with UK law?

Certainly any information that needs higher assurance handling should not be discussed using M365, including the Teams video conferencing app, if data sovereignty cannot be guaranteed, which appears to be the case. This is quite apart from the other security issues we have highlighted before regarding the use of mass-adoption communications apps, which include their susceptibility to AI-generated deepfake and impersonation-based attacks.

So how can organisations that need to protect highly sensitive data ensure data sovereignty?

Award-winning Armour secure communications

The Armour® Secure Communications Platform (recent recipient of the SC Awards Best Communications Security Solution) provides an alternative to consumer grade applications. The platform brings together a quick-to-deploy, easy-to-use solution suitable for BYOD devices and desktops, with enterprise security features not provided by mass-adoption collaboration products or free-to-use consumer apps. It protects data throughout its lifecycle, providing all elements of mobile communications/collaboration including voice, instant messaging, and video conferencing, encrypting data both at-rest and over-the-air.

Suitable for higher assurance video conferencing

Security-conscious organisations such as government departments, the military, defence contractors and public sector bodies all need products designed with their specific requirements in mind. The Armour Secure Communications platform is built to give organisations control of where they deploy and where their data resides, with both secure hosted and on-premises options available. It addresses issues such as GDPR and industry-specific regulations including DPA 2018 Part 3, which matters because cloud-based providers often cannot satisfy sovereign needs, as this latest story demonstrates.

Armour Recall™ captures, retains and archives data to ensure organisations keep control of their data and can prove compliance.

Armour Unity™ delivers secure conferencing in an easy-to-use app for mobile use and is available in several configurations to ensure the level of security matches the sensitivity of the conversation.

Armour Connect™ provides voice and video interoperability with unified comms systems, and Armour Bridge™ delivers messaging interoperability with other messaging apps.

Strict security measures within Armour give the organisation total control over data. For example, constraining message retention, Message Burn (automatically deleting messages after a set time), controlling features like forwarding/sharing data, erasing all data in the event of device (or user) compromise.

Users and call groups are centrally managed; people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE protocol) means that users can be confident when using the platform that they are communicating with who they think they are. In this way Armour addresses the issue of identity-spoofing and ghost-callers, including AI-generated deepfakes.

Federated secure communications

The Armour Platform can provide a multi-domain, multi-organisation structure with strictly siloed security, making it suitable for federated secure communications between Armour communities. This means that different police forces, government departments or social services (for example) using Armour are able to communicate, once Admins have set up the appropriate links between the groups of users, while each organisation retains total control over its own users.

This type of robust secure collaboration is not available from mass-adoption communication tools such as MS Teams, Zoom, Google Meet and WebEx. They all claim end-to-end encryption; however, as we’ve mentioned on numerous occasions, there is a lot more to security than just encryption.

When looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and solving each one, combined with providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) in its Seven Principles for Secure Communications, and Armour distinguishes itself by meeting all seven principles.

For more information on this topic, read our blog:  https://www.armourcomms.com/2021/04/21/replacing-whatsapp-advice-from-ncsc/

For nine tips on keeping communications secure, read this blog: https://www.armourcomms.com/2024/02/05/nine-tips-for-keeping-communications-secure-within-the-supply-chain/?cat-slug=10

Armour® provides highly usable and engaging solutions, so your users will have no reason not to use them.  Our Buyer’s Guide gives detailed advice as to what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

UK Foreign Secretary falls victim to hoax video call

News broke at the end of last week that ex-prime minister and now UK Foreign Secretary David Cameron has fallen victim to a hoax video call. The call was with someone pretending to be former Ukrainian President Petro Poroshenko, with whom Cameron had multiple dealings, including face-to-face, during his tenure as Prime Minister. As soon as the impostor started asking for contact details, Cameron smelt a rat and ended the conversation, with no sensitive information exchanged.

If the very top of the UK establishment can be contacted via a hoax video call, what chance is there for the rest of us?  This was clearly a sophisticated targeted attack, given that Mr. Cameron was taken in by the impersonation.

Know who you are talking to with Identity-based encryption

Once again, we are reminded of the need to be vigilant with sensitive communications, and this incident highlights the benefits of using a centrally managed communications platform over which your organisation has complete control, so that all users are verified before they join the platform. Using identity-based encryption, such as the NCSC’s MIKEY-SAKKE protocol, means that users can be confident that the person contacting them via the platform is who they say they are, and not an impostor, or an AI-generated deepfake.

Other recent worrying stories include the publication of 361 million email addresses, usernames and passwords via Telegram channels, and a ransomware attack on London hospitals. Indeed, even mainstream business titles like the Economist are now also writing about the vulnerabilities of global telecommunications infrastructure, with a recent article pithily entitled ‘Snooped dog and bone’ that talks about the shortcomings of Signalling System 7 (SS7). This is something that Armour highlighted many years ago in our blogs such as SS7 vulnerability still going strong near the White House and the now classic, What’s up with WhatsApp.

Secure by Design beats unsanctioned shadow IT

All of this points to a requirement for all organisations to step up cyber security, particularly when dealing with external third parties. When it comes to enterprise secure communications, organisations should avoid unsanctioned ‘shadow IT’ solutions. A built-for-purpose, Secure by Design secure comms platform can provide a slick user experience to rival any consumer app, plus the ability to manage and control data.  Whether on-premises or a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures data sovereignty (your data stays on sovereign soil, i.e. you know where it is being held) and data separation (no mixing of data, be that of different classifications of data, or business and personal).
