NCSC Exercise in a Box – Cyber security resilience testing


Just how secure is your Video Conferencing service?

The National Cyber Security Centre (NCSC) has recently launched its Exercise in a Box online tool for organisations of all sizes, in all sectors, to test how resilient they are to a cyber attack. The free-to-use tool provides a range of exercises that give organisations the chance to practise how they would respond to a cyber attack in a safe environment. As they develop their internal processes, they can repeat the exercises to see how their cyber resilience stance has improved.

How secure is your video conferencing service?

One of the exercises is: Securing video conferencing services. A key question to ask is:

Can your video conferencing service be separated from your existing communications infrastructure to ensure resilience? Will it work as a standalone system when a critical incident occurs and your communications infrastructure has been compromised?

Organisations should be aware that any mass-adoption messaging and collaboration tool is likely to be a target of malicious hackers itself, because it presents such a vast attack surface and the spoils of a successful attack can be considerable. Often these mass-adoption collaboration tools are part of the very infrastructure that is subject to a cyber attack, and once compromised the infrastructure can no longer be trusted for important communications with external suppliers, partners, customers or law enforcement. Ask yourself: what would happen if your email system went down? These tools also don’t solve the issue of communicating securely with external parties, which you need to do in the event of an incident.

Mass-adoption desktop platforms that include messaging and collaboration tools are often the basis for an entire enterprise technology infrastructure with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were no longer working, how would the business operate? What would be the ramifications for your employees trying to do their jobs and communicate with colleagues?

An organisation using a compromised service doesn’t need to be the subject of the attack, they can become collateral damage despite not being a target, simply by relying on the service and not having a secure alternative.

Therefore, for all organisations it is crucial to have a back-up comms channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.

What do we mean by ‘out-of-band’?

An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure. It is a system that can operate completely on its own as a standalone solution. It doesn’t rely on email, Microsoft Office/365, or any mainstream system to access the open internet. An out-of-band comms platform can work when all other systems are compromised.

As we’ve explained in some detail in our blog In the midst of a Cyber Attack who you gonna call – and how?, you can’t rely on a compromised system to communicate (assuming it still operates, which is a big assumption), because your adversaries could be monitoring it, keen to see how the organisation is responding so that they can wreak even more havoc. In addition, an organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.

So when assessing your video conferencing service for security and resilience, what should you be thinking about?

5 Questions you need to ask about your Video Conferencing service

1. Do you have a video conferencing platform that uses identity-based encryption to authenticate both end points?

If you rely on a mass-adoption collaboration platform then you almost certainly don’t!

2. Can you control who can initiate or join a video call?

Are you able to manage who joins your video conferencing platform? When there are only known users allowed, participants on a call can be sure who they are sharing potentially sensitive information with.

3. Do you know where your data is stored and who has access to it?

Do you retain complete control of your data, including chat, and files shared within a call? Do you know where your data is stored, i.e. does it meet the requirements for data sovereignty and GDPR compliance? If you use a system that allows third party access to your users’ contact lists, it is unlikely to be GDPR compliant.

4. Can you be sure who you are communicating with?

Identity-based attacks are on the increase, with deepfake and AI-generated impersonation attacks hitting the headlines more often. A video conferencing platform that uses the NCSC recommended MIKEY-SAKKE protocol for identity-based encryption authenticates users, so that you can be sure who you are communicating with.

5. Do you have pre-arranged incident response secure federated call groups set up?

Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. Groups can be internal and external, typically including suppliers, law enforcement, internal groups, employees and key stakeholders and the SOC team, etc. If your organisation relies on mass-adoption infrastructure for critical communications, it can be difficult to communicate with external parties without trusted, secure federated groups already in place. Indeed, NIST SP 800-61 recommends having multiple back-up communications solutions in place.

If the answer is NO to any of the 5 questions above, then you should be looking for an additional, out-of-band secure communications channel that your key people can use to communicate between themselves and, critically, with external third parties in the event of serious incidents and cyber attacks.

How Armour can help

Armour Unity™ extends the highly successful Armour® ecosystem to provide secure, pre-defined or on-the-fly enterprise-level mobile video conferencing, screen sharing and in-app messaging for iOS and Android devices. Documents and chats associated with a conference call benefit from the trusted security of the Armour platform. This can be achieved as an on-premises or cloud solution to suit your business needs.

With the Armour Comms platform, organisations are able to create internal and external user groups and integrate them into business continuity processes.

In common with Armour Mobile™, Unity uses MIKEY-SAKKE identity-based encryption, which is recommended by the UK National Cyber Security Centre (NCSC). This innovative approach means that participants on a call can be certain that only authenticated and invited attendees are able to join the conference.

Secure Communications Buyer’s Guide

For more comprehensive information about what you should be looking for in a secure communications platform, download our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

Proof of Concept or Pilot Offer

For those undertaking the NCSC Exercise in a Box, Armour offers a free Proof of Concept or Pilot project, subject to conditions. Contact us today for more details.

How to mitigate impersonation cyber threats with identity-based crypto

MIKEY-SAKKE provides higher assurance for sensitive communications

Never heard of MIKEY-SAKKE? If not, you need to find out about it soon because it can help mitigate the threat from deepfake and AI-generated impersonation attacks. Our CTO, Dr. Andy Lilly, explains how.

The privacy of calls, messages and emails is an on-going challenge for government and enterprise organisations alike. The proliferation of remote working and mass-adoption collaboration platforms has completely changed the way that business is conducted in recent years. Add to this the rapidly growing threat from deepfake and AI-generated impersonation-based attacks, and the need to protect the digital identity at both ends of a communication becomes imperative. Despite the increasing threat levels, there are steps that organisations can take to provide higher levels of assurance for sensitive communications. Adopting products developed using the MIKEY-SAKKE standard and protocol for encryption and identity-based authentication means that you can mitigate the threat from impersonation-based attacks by being certain who you are communicating with.

Securing mobile communications – Confidentiality, Integrity, Authentication

When looking at securing mobile communications, be it voice, instant messaging, video or data, it is important for any solution to deliver three key outcomes. The first is confidentiality, i.e. ensuring no unauthorised person or machine can access the content of any data exchange. The second is integrity, ensuring that information, messages, attachments have not been tampered with. Third is authentication of identity, i.e. ensuring that the parties exchanging data – whether persons or machines – are doing so with the individual or the machine with which they believe they are exchanging data.

Sharing information securely with someone remotely is a more complex task than it at first appears. Below we explain different techniques for using encryption keys to safely share data.

Traditional encryption – How encryption keys are managed

Encryption of data passed between two parties requires an encryption key. The challenging part of a cryptographic protocol is agreeing on the key to use for encrypting a particular set of data (for example, a voice call between two users). One method is asymmetric cryptography, also known as public key cryptography: this uses the concept of a public and private key pair, encrypting the data with the public key such that only the owner of the private key can decrypt it (thus also proving the recipient’s identity if they are the only holder of that private key). Each user’s application holds a private key, which remains secret, whilst their public key is made available to any other users who wish to encrypt a call or send a message to them.

However, there are disadvantages with typical implementations of public key cryptography in that it is cumbersome to scale in large organisations as public keys need to be distributed to all the users before encrypted communications can take place. To ease administration, organisations can use a central trusted server to store the public keys and users can then ‘look-up’ the public key of another user whenever needed. However, this requires the server to be always available 24×7 and fully secure, so no one can maliciously insert fraudulent keys.

Alternatives include one-time asymmetric key agreement, also known as ephemeral Diffie-Hellman. This method establishes a one-time key between two users; however, a disadvantage of this method is that on its own it doesn’t prove the other user’s identity (so could be spoofed by a malicious hacker posing as the recipient, or acting as a man-in-the-middle between the two users) and is therefore reliant on another layer of complexity to prove the authenticity of the end points.

MIKEY-SAKKE protocol – Secure multimedia communications

Secure communications are clearly needed across government and within regulated industries such as finance, telecoms, health, critical national infrastructure, defence and others. To this end MIKEY-SAKKE, an international standard (RFC 6509) defined by the IETF and expanded upon by the 3GPP for use in Mission Critical communications, has been adopted and is recommended by the UK’s National Cyber Security Centre (NCSC) for the development of products that enable secure, cross-platform multimedia communications.

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient and effective protocol for building a wide range of secure multimedia services for government and enterprise organisations. As the capabilities of malicious actors embrace AI and deepfake technology, MIKEY-SAKKE is one reliable way to be sure that you know who you are communicating with.

Identity-based encryption and authentication

Identity-based encryption uses the publicly known identity of the communicating parties to determine the encryption keys to use. For example, a trusted domain management service provides a domain certificate that gives any user within its system the ability to take an input ‘identity’ and create a public key to encrypt data to the user with that unique ‘identity’. The identity could be a phone number, email address or other similar identifier. So the key to encrypt to the recipient doesn’t need to be pre-distributed to every possible contact, nor stored on a server; it can simply be generated “on the fly”, as needed.

Each user’s identity needs to be centrally verified, so that everyone in the system knows the identity is associated with a particular user. Using an existing unique identity (such as a mobile phone number) can provide a ready source for these identities. However, with a system such as Armour Mobile™, any unique identifier can be used, and the option to use something other than a mobile phone number can add an extra level of security. The recipient, provisioned with the private key for their unique identity, can then decrypt the calls and messages sent to their identity. As a result, anyone can securely communicate with any user in the domain without having to individually exchange any prior information between the users.
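To make the key-management shape described above concrete, here is an added toy example; it is not Armour's code and not the pairing-based SAKKE algorithm (RFC 6508) that MIKEY-SAKKE builds on, but Cocks' quadratic-residue identity-based scheme, which has the same roles: a domain manager holding a master secret, a public key computed from the identity string alone, and a private key provisioned per identity. The primes (`MASTER_P`, `MASTER_Q`), the identities and the message are constructed, and the parameters are far too small for real use.

```python
"""Toy identity-based encryption (Cocks, 2001): an added illustration, not
Armour's code and not the pairing-based SAKKE scheme (RFC 6508) used by
MIKEY-SAKKE.  Same key-management shape as the text describes: a domain
manager holds a master secret, senders derive a public key from the
recipient's identity alone, and only the key issued for that identity
decrypts.  Parameters are tiny and insecure on purpose (demo only)."""
import hashlib
import secrets


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


# Constructed toy master secret: two primes congruent to 3 mod 4, as Cocks
# requires.  A real deployment would use primes of 1024 bits or more each.
MASTER_P = 1000000007
MASTER_Q = 2147483647
DOMAIN_PUBLIC_N = MASTER_P * MASTER_Q  # the only public domain value senders need


def identity_to_public_key(identity: str, n: int) -> int:
    """Map an identity (phone number, e-mail, ...) to a public value a with
    Jacobi symbol (a/n) = +1.  No directory lookup, no key distribution."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % n
        if a > 1 and jacobi(a, n) == 1:
            return a
        counter += 1


def extract_private_key(identity: str, p: int, q: int) -> int:
    """Domain manager side: derive the private key for an identity from the
    master secret (p, q).  The result r satisfies r^2 == a or r^2 == -a mod n."""
    n = p * q
    a = identity_to_public_key(identity, n)
    return pow(a, (n + 5 - p - q) // 8, n)


def encrypt(n: int, recipient: str, plaintext: bytes) -> list:
    """Sender side: needs only the public n and the recipient's identity.
    Each bit becomes a pair (c1, c2); the recipient's key picks the right one."""
    a = identity_to_public_key(recipient, n)
    bits = [(byte >> i) & 1 for byte in plaintext for i in range(7, -1, -1)]
    ciphertext = []
    for bit in bits:
        wanted = 1 if bit else -1
        while True:  # random t whose Jacobi symbol encodes the bit
            t = secrets.randbelow(n - 2) + 2
            if jacobi(t, n) == wanted:
                break
        a_over_t = a * pow(t, -1, n) % n
        ciphertext.append(((t + a_over_t) % n, (t - a_over_t) % n))
    return ciphertext


def decrypt(n: int, recipient: str, private_key: int, ciphertext: list) -> bytes:
    """Recipient side: the provisioned key selects the meaningful component and
    the Jacobi symbol of (component +/- 2r) recovers the bit."""
    a = identity_to_public_key(recipient, n)
    r = private_key
    use_first = (r * r) % n == a
    bits = []
    for c1, c2 in ciphertext:
        s = jacobi((c1 + 2 * r) % n, n) if use_first else jacobi((c2 - 2 * r) % n, n)
        bits.append("1" if s == 1 else "0")
    return bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, len(bits), 8))


def demo() -> dict:
    """Constructed walk-through: encrypt to Bob's identity knowing only n;
    Bob's provisioned key decrypts, a key issued for another identity does not."""
    bob = "+44 7700 900123"  # constructed identity, not a real number
    message = b"switch to the out-of-band channel"
    ct = encrypt(DOMAIN_PUBLIC_N, bob, message)
    bob_key = extract_private_key(bob, MASTER_P, MASTER_Q)
    other_key = extract_private_key("+44 7700 900999", MASTER_P, MASTER_Q)
    return {
        "bob_reads": decrypt(DOMAIN_PUBLIC_N, bob, bob_key, ct),
        "other_key_reads": decrypt(DOMAIN_PUBLIC_N, bob, other_key, ct),
    }
```

Note that the sender never contacts a key server and never receives anything from Bob: the ciphertext is computed from the domain value and Bob's identity string only, which is the property the text relies on for “on the fly” key generation.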

Scalable, flexible and complete control

Armour’s identity-based encryption solution Armour Mobile™ delivers the flexibility, convenience and security required for fast-paced communications from any location and any device. As secure registration is established using a single message, the Armour® identity-based encryption solution is highly scalable and flexible, while providing the higher assurance that only known and approved individuals can be enrolled into a secure communications community.

The Armour platform supports both real-time communications such as one-to-one and group conference calls (both voice and video), and deferred delivery such as instant messaging, group chats, documents and voicemail. It is designed to be centrally-managed, providing communications domain managers with full control of the security of the system while maintaining high availability.

With Armour Mobile, activation and revocation of users is handled centrally. Should a person change roles or leave the organisation or a device be lost, stolen or compromised, the data held on the device within the Armour ecosystem can be securely wiped remotely.

In addition, the Armour platform provides a wealth of other enterprise-grade features not provided by mass-adoption collaboration platforms, such as archive and audit capabilities to securely store and review communications at a later date (using processes compatible with higher assurance requirements). This capability enables organisations to comply with industry regulations and meet data privacy requirements, as well as public record and Freedom of Information requests.

A new approach

Securing modern methods of communication and collaboration requires a new approach. Various forms of public key infrastructure have attempted to provide usable and scalable, client-to-client security. However, these processes have often been cumbersome and the driving factor behind frustrated users adopting less than secure practices in order to ‘get their job done’, thus creating a weak link in the security chain.

Identity-based encryption avoids having to tie a user to a hard-to-remember-and-exchange public key, instead the user’s identity ‘becomes’ their public key. Armour Mobile provides a feature-rich, secure communications and collaboration platform that provides the higher assurance offered by products that use the MIKEY-SAKKE protocol, with a user-experience to match consumer-grade apps.

Security should not be seen as a hindrance but as a significant component of the overall culture of an organisation and as a business enabler that can allow innovation by supporting modern working practices.

For more information about MIKEY-SAKKE visit: https://www.ncsc.gov.uk/articles/using-mikey-sakke-building-secure-multimedia-services

Impersonation-based Cyber Attacks – Can you guarantee who you are talking to?

When it comes to mission-critical conversations, ‘secure-enough’ mass-use communications applications are often NOT secure enough – they need an extra layer of assurance.

Technology industry website CRN recently ran its Cybersecurity Week, publishing the 10 Emerging Cybersecurity Threats and Hacker Tactics 2023. It made alarming reading.

One of the most worrisome trends is identity-based attacks where hackers use compromised credentials to gain access to systems, or to dupe victims into giving up valuable and/or sensitive information. Identity-based attacks are one way to get around endpoint detection and response. Phishing and social engineering remain huge threats, and again, are based on people being tricked into actions that they would not otherwise have considered had they realised that the person they were communicating with wasn’t actually who they thought it was.

In the PwC Cyber Security Outlook 2023, cloud and digital transformation is once again top of the agenda. This global research also makes the point that investing in people and technology is key for successful cyber transformation.


Who are you really communicating with?

Phishing attacks via mass-use collaboration apps were one of the top threats identified by CRN. Impersonation threats are posed when a compromised account is used to carry out phishing attacks. Typically, the attacks aim to steal credentials from a targeted organisation by engaging a user and eliciting approval of multifactor authentication prompts.

Deepfake, another class of impersonation attack that has been a threat for a few years now, has continued to develop, with deepfake video creation software now reportedly available. In 2023 audio deepfakes have been used for funds transfer scams. A larger threat is that attackers may soon be able to generate real-time voice-clone deepfakes.


Secure collaboration? One size does not fit all

With the rise of impersonation-based cyber attacks, it is time for organisations to re-consider the use of mass-use communication and collaboration tools. While they may be ‘secure-enough’ for many mission-critical conversations, when a higher level of assurance is required, the latest research indicates that an extra layer of security is required based on the use case scenario, its related sensitivity and related risk.

For conversations and interactions that need additional assurance, there are secure communication platforms readily available. Built with a Secure by Default ethos with UK government/NCSC and NATO accreditations, the Armour® platform provides the same ease of use and great user experience as mass-use apps, but with considerably more security for managing users and content.


Identity-based Authentication supports Trusted Communications

To pick up the point made in the PwC Cyber Security Outlook report, which cites a catastrophic cyberattack as the number one risk in Operational Resilience plans, organisations should be looking to protect their more sensitive, commercially valuable communications with additional security. Indeed, best practice guidelines from NCSC and NIST stipulate that if communications channels are even suspected of being compromised, an ‘out-of-band’ secure comms channel should be used to assess the damage and lead the recovery. Mass-use communications platforms are simply too large and amorphous. Anyone can join, and the platforms themselves provide very little control over where data is stored, who has access to it and what they do with it.

By using a secure messaging and collaboration platform that has Secure by Default at its very heart, and that uses identity-based authentication, organisations can maintain complete privacy and security of communications. Armour Unity™ extends the highly successful Armour ecosystem to provide secure, pre-defined or on-the-fly enterprise-level mobile video conferencing, screen sharing and in-app messaging for iOS and Android devices. Documents and chats associated with a conference call benefit from the trusted security of the Armour platform.

In common with Armour Mobile, Unity uses MIKEY-SAKKE identity-based encryption, which is recommended by the UK National Cyber Security Centre (NCSC). This innovative approach means that participants on a call can be certain that only other invited attendees are able to join the conference. Read our previous blog for an explanation of how MIKEY-SAKKE works and why it is important: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/


Share information only with those you Trust

Using a communications solution that harnesses identity-based authentication, such as the Armour platform, ensures that information is shared only with the intended recipient, safeguarding corporate intellectual property, sensitive commercial information, and complying with data privacy and operational resiliency requirements such as GDPR, DORA and the PRA’s Operational Resilience regulations.

Armour’s holistic Secure by Design approach delivers assurance that mass consumer-use conferencing applications simply can’t provide.

We will be showcasing Armour’s secure (and high assurance) collaboration solutions, including Armour Unity, at the forthcoming SDSC-UK, 1-2 November at the Telford International Centre. Contact us today for a free expo and conference ticket and to arrange a meeting.

Updates to NCSC’s Cyber Assessment Framework and NIST SP800 highlight the growing risks to business

How global cyber security frameworks are evolving to meet the cyber & operational resilience challenges, and how secure communications is a key part of the solution

With the ever-increasing incidence of cyber attacks, particularly via mobile phones, cyber security is arguably one of the biggest threats to business in modern times. Almost everyone carries a mobile phone, and many of us take for granted the connectivity and convenience they provide. These are the very reasons that we love our phones; however, they also open up a whole host of risks around data security. Not just our own personal data, but that of our friends, family, and if the phone is used for work communications (and most are), then business data too!

Recently there has been a lot of media attention on the importance of cyber security frameworks with updates from national and international security agencies. The UK’s National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) and the US’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) have both increased their scope. Likewise, in the EU the NIS2 Directive (which takes effect from October 2024) has extended the previous NIS 1 regulations to cover many more industries. In the financial services sector the Digital Operational Resilience Act in Europe, and the Operational Resilience regulations in the UK, already impose mandatory cyber requirements.

Cyber security and assessment frameworks now cover most industries

The key theme running through all of this is that all of the regulations and frameworks mentioned above have been expanded to cover more industries, more organisations of all sizes and more risk scenarios. In short, having a formal cyber security assessment framework and policies for managing cyber incidents is no longer the preserve of just the semi-public sector companies that run critical national infrastructure. Any organisation providing any public service, such as healthcare, telecommunications, transportation, financial services, energy/water/utilities, digital services and infrastructure, pharmaceuticals, chemicals, food production, space, communications and manufacturing, will be subject to new cyber security legislation.

All of these frameworks and regulations outline their own variations on the five key functions of an effective cyber security function, namely:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover


None of the frameworks or regulations are prescriptive, but rather suggest processes by which each organisation can develop their own internal procedures for handling cyber security and dealing with cyber attacks.

Building resilience – how secure mobile communications are a key part of the solution

Mobile phones play a key role. While presenting a huge risk to organisations, mobile phones are also part of the solution – or at least, the way they are used, and the way that data can be separated and managed on them. This is equally true for BYOD devices that are used for business but that the organisation does not manage (e.g. via a Mobile Device Management solution). An enterprise secure communications platform can ensure separation between business and personal data, even on BYOD devices.

A secure communications platform that runs independently of the mass-use consumer-grade apps that are very often monitored and targeted by hackers and other malicious and state-backed actors, can provide a communications channel when other corporate systems are compromised. This is a critical requirement when first discovering a cyber breach, and marshalling a response. Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.

Indeed, the NIST Computer Security Incident Handling Guide (SP 800-61) https://csrc.nist.gov/pubs/sp/800/61/r2/final states in Section 3.1.1 Preparing to Handle Incidents that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

NCSC CAF, NIST CSF and DORA all suggest that groups with key contacts/structure, such as suppliers, law enforcement, internal groups and stakeholders, SOCs, etc. are pre-defined and set up before the incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to pre-define the groups for internal and external contacts and integrate them into business continuity processes in the event of a critical incident.

https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

Secure Communications – Beyond Incident Management

There are many other ways in which a secure comms platform can support compliance with cyber security and assessment frameworks beyond simply providing a safe communications channel in the event of an attack.

  • Incident co-ordination with colleagues, collaborators and third parties
  • Supply chain communications
  • Central user management, for rapid deployment and (just as importantly) one-click revocation of lost or stolen devices, ensuring only authorised users can access your secure communications
  • Identity based authentication so that users can be sure who they are communicating with (protect against spoofed accounts, identity theft and deepfake scams)
  • Data security for corporate information held on BYOD devices. Features such as Message Burn and remote wipe capabilities mean that the organisation keeps control of data within its secure communications ecosystem, even after it has been sent
  • Resilient communications networks supported by ‘out of band’ channels that do not rely on the public internet so are more robust to attack
  • Response and recovery planning is kept private and secure, so that adversaries cannot monitor plans and progress


Look out for our upcoming White Paper on Incident Management and Secure Communications. In the meantime, our recent webinar with The Register explains NCSC’s 7 Principles of Secure Communication https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar and our Buyer’s Guide outlines exactly what you should be looking for, with a Top 10 Questions to Ask. Download your copy here: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

US bank fined £5.4m for WhatsApp violations

WhatsApp mis-use is becoming a wider issue for businesses than simply compliance with financial regulations.

The UK energy regulator Ofgem has fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals. Ofgem said that the bank “did not take sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations.”

The growing risk from Shadow IT

This incident is a prime example of the dangers of shadow IT, which was highlighted in a recent blog from the National Cyber Security Centre (NCSC). In guidance published by NCSC on how best to tackle the risks of shadow IT, it comments that if employees are using unsanctioned processes and insecure workarounds to get their work done, it is usually because the tools provided by the organisation don’t work, are slow, or are cumbersome to use. NCSC recommends using such situations as an opportunity to investigate what issues the users are experiencing, what exactly it is that employees are trying to achieve, and why the systems provided by the organisation are not working. With this information IT can re-examine approved solutions and source suitable alternatives that do meet the users’ requirements.

Penalties applied to employees as well as business

This is not just an issue that affects organisations; it can also have a huge impact on employees. In 2021 Morgan Stanley was one of a number of US banks that were fined $2.5bn for their employees’ use of WhatsApp and other unapproved apps to discuss deals with clients and colleagues. It was reported by the Financial Times that as a result of these fines, the bank imposed pay forfeitures of as much as $1m on some staff, depending on the number of messages sent, seniority and whether the employee had received prior warnings.

Preserve communications for later auditing

One of the key elements in the latest case with Ofgem is the failure to store communications, which has long been a requirement of the financial services industry. The major failing with the use of WhatsApp and other consumer apps like it is that there is no ability to archive and audit conversations. Cathryn Scott, regulatory director of enforcement at Ofgem, stated: “It is unacceptable that [Morgan Stanley] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets.”

Enterprise secure communications applications such as Armour Mobile and Recall by Armour provide the ease of use of consumer messaging/calling/conferencing apps, but with UK MOD/government-accredited security and a secure audit facility, meaning that a copy of all communications and associated files are saved and can be reviewed later, subject to the appropriate security processes. Recall stores communications even when the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.

Recall by Armour

With Recall by Armour, suitably approved compliance officers are able to play back messages, audio or video calls, subject to strict security processes:

  • All transmitted media (text, attachments, audio) are archived.
  • Authorisation for audit access is tightly managed.
  • Individual encryption keys limit access.
  • All access to audit files is itself audited.
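
The four properties in that list describe a recognisable architecture: every transmitted item is copied into an archive, each user’s records are sealed under their own key, only auditors holding an explicit authorisation for that user can retrieve them, and every retrieval attempt (allowed or denied) is written to a tamper-evident log. The Python sketch below is an added example of that pattern; it is not Armour’s or Recall’s code and Recall’s internal design is not described on this page. It assumes per-user keys held by the archive service (in practice they would come from a KMS or HSM), an auditor-to-user authorisation scope, and a hash-chained access log; the HMAC-based seal/unseal pair is a stand-in for a proper AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only as a stand-in keystream.
    # A production archive would use a vetted AEAD (e.g. AES-GCM) instead.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one archive record: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered records."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("archive record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Archive:
    user_keys: dict = field(default_factory=dict)      # user -> per-user record key
    auditor_scope: dict = field(default_factory=dict)  # auditor -> set of users they may review
    records: list = field(default_factory=list)        # sealed copies of everything sent
    access_log: list = field(default_factory=list)     # hash-chained log of audit access

    def enrol_user(self, user: str) -> None:
        # Hypothetical key source for the example; a real service would use a KMS/HSM.
        self.user_keys[user] = os.urandom(32)

    def grant_audit(self, auditor: str, user: str) -> None:
        """Tightly managed authorisation: scope is per auditor, per subject user."""
        self.auditor_scope.setdefault(auditor, set()).add(user)

    def archive(self, user: str, media_type: str, payload: bytes) -> int:
        """Store a copy of a transmitted item (text, attachment, audio) under the sender's key."""
        record = {"id": len(self.records), "user": user, "type": media_type,
                  "ts": time.time(), "blob": seal(self.user_keys[user], payload)}
        self.records.append(record)
        return record["id"]

    def _log(self, auditor: str, user: str, outcome: str) -> None:
        # Each entry commits to the previous entry's hash, so deletion or edits are detectable.
        prev = self.access_log[-1]["hash"] if self.access_log else "0" * 64
        entry = {"auditor": auditor, "subject": user, "outcome": outcome,
                 "ts": time.time(), "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.access_log.append(entry)

    def review(self, auditor: str, user: str) -> list:
        """Return decrypted (type, payload) pairs for `user`; every attempt is logged."""
        if user not in self.auditor_scope.get(auditor, set()):
            self._log(auditor, user, "denied")
            raise PermissionError(f"{auditor} is not authorised to audit {user}")
        self._log(auditor, user, "allowed")
        key = self.user_keys[user]
        return [(r["type"], unseal(key, r["blob"])) for r in self.records if r["user"] == user]

    def verify_access_log(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.access_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

Deleting a message from the user’s handset does not touch `records`, which is the point of an archive that lives with the service rather than on the device; the access log is what lets the compliance team later show who reviewed whom and when.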

It’s not just FCA compliance that is important

The fine imposed on Morgan Stanley by Ofgem is the first of its kind under the transparency rules, which are aimed at protecting consumers against market manipulation and insider trading. It demonstrates the ever-widening requirement for organisations to maintain transparency in communications, and to be able to prove that they have complied. Providing Armour Mobile on employees’ mobiles ensures there is no excuse for not using a secure and compliant communications app for all business use.

As we have argued on many occasions, keeping business communications secure, separate from personal communications and under the control of the organisation, even on devices that the organisation does not own (BYOD) IS possible, and is increasingly a business imperative.

Providing centrally managed applications for secure business communications puts you back in control of your data while still enabling the use of BYOD devices. Armour Mobile can also be deployed within an organisation’s own infrastructure, providing total surety of data sovereignty to comply with Data Protection / GDPR laws.

For more information about how Armour Mobile and Recall by Armour could help your organisation to keep control of all business conversations, prove compliance with a wide range of regulatory requirements and avoid heavy fines, CONTACT US today.

Three ways that secure communications can help you prepare for DORA

Complying with the EU’s Digital Operational Resilience Act (DORA) will affect any financial institution offering its services to clients in the EU.

When it comes to operational and cyber resilience, there are a lot of regulatory requirements, which are NOT optional, and plenty of best practice guidelines. While wrestling with the requirements for compliance and finding the resources and budget to complete resilience projects, many IT Directors and CISOs are looking at how they can generate additional benefits for the business off the back of such projects. Use of productivity tools that boost cyber resilience can also increase compliance with data protection laws such as GDPR and tackle the growing spectre of shadow IT. There are many aspects to making an organisation more resilient to cyber attacks and other incidents that may disrupt the business, and a secure communications channel is one way to support resilience while delivering additional business benefits to the rest of the organisation.

Financial services firms and ICT technology providers have less than 18 months to comply with the new legislation, which comes into effect on 17 January 2025. DORA comes hot on the heels of the UK’s own Operational Resilience regulations developed by the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA). The PRA announced that the deadline for starting the implementation of the Operational Resilience Framework for UK financial institutions was 31 March 2022 and the deadline for implementing all aspects of operational resilience is 31 March 2025.

With multiple deadlines looming so close together, many financial firms are tackling both sets of legislation concurrently. As both adhere to the five pillars of operational resilience there is a lot of common ground.

Five pillars of Operational Resilience

  • ICT risk management and governance
  • ICT-related incident reporting
  • Digital operational resilience testing
  • Intelligence sharing
  • ICT third-party risk

Secure communications are key to enhancing Cyber & Operational Resilience

There are several ways in which secure communications are essential for compliance with best practice advice, regulations and legislation. These are applicable whether firms are working towards compliance with UK or EU regulations, and are good business practice for any organisation looking to increase business resilience. An organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.

Indeed, the NIST Computer Security Incident Handling Guide (SP800-61, https://csrc.nist.gov/pubs/sp/800/61/r2/final) states in Section 3.1.1, Preparing to Handle Incidents, that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

Incident Response Plans – What are your safe communications channels?

Well run organisations will have an incident management process that is well documented in advance, with technology and infrastructure in place, so that they are prepared for a crisis. When an organisation succumbs to a cyber-attack or catastrophic IT failure, the first thing to do, even before assessing the situation fully and putting together a plan for recovery and future mitigation, is to understand exactly how you are going to communicate.

It is not only the IT department discussing the technicalities, and business continuity managers keeping the C-suite and the board abreast of events, who need to be considered. A wide variety of people involved in handling the situation will need secure, reliable comms. They include those with internal roles such as project managers and risk and incident managers, as well as employees with external-facing roles such as customer relationship managers, public relations and legal counsel. The last thing you should do is use the very platform that has just been compromised, i.e. your corporate network, if indeed that is still functional.

DORA and NIST both recommend that groups of key contacts, such as suppliers, law enforcement, internal teams and stakeholders, the SOC and so on, are pre-defined and set up before the incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to create these groups and integrate them into business continuity processes.

https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

Robust ICT Risk Management Practices – Keep tight control of your data

There are many situations where sensitive corporate information can be put at risk by the use of non-approved communications apps which cannot separate business from personal data. For example, details of what were thought to be private messages can be leaked to malevolent third parties (see our previous blog for some grisly details: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/). Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.

Armour Mobile is able to provide secure archive and audit capabilities which record conversations and messages and so allow full review (and policing) of employee communications. The archived details are securely preserved, even if the original messages are deleted from the user’s phone.

Enhanced Information Security Measures

In the event of a major cyber attack, by protecting the communications of the IT and digital forensics team, as well as other key senior members of staff, you are blocking a very useful source of information from being intercepted or modified by the hackers (who commonly infiltrate and monitor a company’s normal communications to see if they have been detected, and to pre-empt any countermeasures). In addition, by using a secure communications platform, such as Armour Mobile, and having the secure comms hosted by a third party, you are further isolating the senior management and IT team’s comms from the potentially compromised systems that they are trying to recover.

Out-of-band comms are essential, not optional.

It’s not just DORA compliance

Quite apart from Governance, Risk & Compliance (GRC) requirements, for which a secure communications platform is essential, every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal. If leaked, all of this information could cause financial loss, be deeply embarrassing, lead to loss of reputation, breach GDPR and attract huge fines, or at worst jeopardise the entire business.

A secure communications platform provides a safe channel for communications during a serious cyber security event, an audit trail to prove compliance, and protection for all manner of business information.

To find out exactly what you should be looking for, the questions you should ask, and the NCSC’s 7 principles of Secure Communication, read our Buyer’s Guide.

Secure by Design/Secure by Default

What it means for enterprise secure communications

Secure by Design and Secure by Default are both terms coined by the UK National Cyber Security Centre (NCSC), and used in different contexts. Sometimes they are used interchangeably; however, they do have slightly different meanings, which are important for enterprise security in general, and for secure communications in particular.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up. Every layer is considered from a security and privacy standpoint, starting with a robust architecture design. Secure by Design incorporates strategies such as enforcing patterns of behaviour, for example strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design. According to the NCSC, Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security.

In short, when you turn on your device and open your Armour Mobile app you are immediately configured to be secure. This protects against human error, where an end-user may not realise that they need to turn on encryption or security. After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

  • security should be built into products from the beginning, it can’t be added in later;
  • security should be added to treat the root cause of a problem, not its symptoms;
  • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
  • security should never compromise usability – products need to be secure enough, then maximise usability;
  • security should not require extensive configuration to work, and should just work reliably where implemented;
  • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
  • security through obscurity should be avoided;
  • security should not require specific technical understanding or non-obvious behaviour from the user.

Armour’s Secure by Design and Secure by Default principles are intended to help organisations safeguard and control data, privacy, and whatever secrets they need to protect, whether that’s government, military, financial, legal, medical, intellectual property, strategic or competitive.

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception in 2014 to ensure that our products are designed with best practice security protocols in place. Our initial products were CPA certified to demonstrate that they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices, and are targeting NCSC’s latest Principles Based Assurance (PBA).

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels, as well as being suitable for handling Corporate Confidential information. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps and delivering the security credentials required for higher assurance use. Armour Mobile is in use in numerous Government departments and the MoD, as well as by commercial customers who understand the value of securing their sensitive communications.

For a more detailed look at the NCSC Secure by Default principles read our blog, The future of NCSC Technical Assurance: https://www.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/, and for more information about the NCSC Secure by Default principles please read: https://www.ncsc.gov.uk/information/secure-default.

The UK Government’s Secure by Design principles are outlined at https://www.security.gov.uk/guidance/secure-by-design/ and are recognised internationally, e.g. by the US Cybersecurity and Infrastructure Security Agency (CISA) at https://www.cisa.gov/securebydesign.

NCSC’s Principles Based Assurance is described at https://www.ncsc.gov.uk/information/principles-based-assurance and is discussed in detail in https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar.

NCSC updates advice for Legal Firms

How securing your communications channels can help

The National Cyber Security Centre has recently updated its Cyber Threat Report for the UK Legal Sector (https://www.ncsc.gov.uk/files/Cyber-Threat-Report_UK-Legal-Sector.pdf). Last published in 2018, the report gives a summary of what’s changed during the intervening years, to help firms understand current cyber security threats and the extent to which the legal sector is being targeted. It also offers practical guidance on how organisations can be more resilient to these threats.

SRA finds 75% of legal firms reported a cyber attack

The Solicitors Regulation Authority (SRA) stated in September 2020 that 75% (30) of the firms that they visited while researching for the report had been the target of a cyber attack (https://www.sra.org.uk/sra/research-publications/cyber-security/). In another 10 cases, clients of firms were targeted directly during a financial transaction.

Serious impacts for clients and reputational damage

There is no doubt that the legal sector is experiencing increasing threat levels from cyber criminals. This is understandable given that firms are typically handling sensitive client information, for example relating to criminal cases or mergers and acquisitions, or handling large financial transactions. Cyber attacks and the compromise of data can have significant implications for clients, not to mention damage to the reputation of a law firm. Indeed, NCSC warns that larger organisations are even being targeted by nation states if they are working on causes with which the state disagrees, for example human rights or regime change. Some firms have suffered intellectual property theft from state sponsored actors attributed to China. Similarly, firms working in life sciences or energy sectors are seeing increased attacks from hacktivists.

However, it doesn’t end with nation states and organised crime. NCSC also warns that there is a growing threat from ‘hackers-for-hire’ who can be commissioned to carry out malicious activities for people or organisations prepared to pay. This typically involves industrial espionage, and theft of sensitive information that could give an advantage in a legal case and seriously impact your client, for example.

The NCSC report outlines the main types of cyber attack, which include:

  • Phishing
  • Business email compromise (BEC)
  • Ransomware and other malware
  • Password attacks
  • Supply chain attacks

It also gives advice on the best way to tackle each.

A common theme – communications channels

Social engineering – the insider threat

A theme common to all of these attack vectors is the insider threat, i.e. the susceptibility of people to manipulation by clever social engineering during routine communications, whether voice calls, emails, instant messaging or video/conferencing calls. Several of the attacks listed above trick people into actions that allow malware or other forms of cyber attack to infiltrate the business.

BYOD – risk to business data

In addition, if people are using their personal devices (BYOD) for business communications this can open up the firm to additional risks such as compliance and GDPR contraventions, as well as issues around data sovereignty and separating business and personal data on unmanaged devices.

Identity spoofing

Another common theme is that people are tricked into revealing confidential or commercially sensitive information in the mistaken belief that they are communicating with someone they know. In other words, identities are hacked or spoofed, either as part of a deepfake scam or a business email compromise (BEC).

Secure and compliant collaboration

The answer is to provide secure collaboration tools that are easy and intuitive enough for everyday use. Tools that are designed with security in mind from the ground up (with settings which automatically default to a secure configuration without any intervention from the end user) are a crucial part of protecting employees from social engineering attacks, and keeping sensitive client information, and financial transactions, safe.

Providing a secure communications channel can add an extra layer of security to address the risks when the stakes are high, providing cyber and operational resilience. Large financial transactions, details of on-going criminal cases, mergers and acquisitions, and sensitive client information all benefit from the additional security that a Secure-by-Design communications solution can provide. Using closed-group communications platforms, where only known, previously approved users can get access, can dramatically reduce the likelihood of phishing, deepfake or BEC attacks.

Such solutions must also provide archive and auditing features, so that details of communications are preserved and available for review at a later date (subject to strict security measures), even if the conversations or documents have been deleted or lost from the original device, thus satisfying legal compliance requirements, public records needs, freedom of information (FOIA) requests, etc.

Securing Communications Channels Buyer’s Guide

Armour Comms has recently published its Securing Communications Channels Buyer’s Guide. It provides the Top 10 Questions to ask when Securing your Communications and explains:

  • Why and when you need secure communications.
  • Are consumer apps secure enough? (No, they are not!)
  • Who got caught out?
  • What exactly you should be looking for.

Download your copy here: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

Or watch our recent webinar, How to deal with the evolving threat to our sensitive communications, which was hosted by The Register: https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar

Shadow IT – How much risk does this bring to your organisation?

IBM says: “Shadow IT is any software, hardware or IT resource used on an enterprise network without the IT department’s approval and often without IT’s knowledge or oversight.” And according to Randori’s State of Attack Surface Management 2022 report, nearly 7 in 10 organisations have been compromised by shadow IT in the past year. Full details here: https://www.ibm.com/topics/shadow-it#:~:text=Sharing%20work%20files%20on%20a,malicious%20assets%20planted%20by%20hackers.

Shadow IT is the insidious, creeping adoption of unauthorised applications (or unauthorised devices), often as short cuts to get the job done, such as the use of consumer apps for business communications. For example, sending a message to a colleague to arrange the logistics for a stop at a coffee shop before a meeting. This sounds so innocent, yet it can be the thin end of the wedge, as the app gradually becomes a ‘de facto’ key application across the organisation and is used for more sensitive corporate scenarios. The habit is formed, it spreads across the enterprise and people end up using these consumer apps to discuss business, putting sensitive corporate data at risk. Here’s how.

How do you separate business and personal data?

If your employees are using their own phones (i.e. BYOD) to send and receive work-related information, it begs the question, who owns those messages?

If it’s work data, then the business owns it, even if it’s held on a personally owned device. But while the business owns it, it doesn’t control it. This is an important point, because what happens if the data is forwarded to an unauthorised third party? Could there be GDPR issues? What if the data is misused, causing embarrassment to the business or harming its reputation? Were the WhatsApp messages that ex-Minister Matt Hancock shared with a hostile journalist really his to share? They were on his phone, but discussed matters of state and involved colleagues. Our previous blog gives the details of this sorry episode, and the very serious risk that the use of such apps poses to corporate data: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/

How do you leverage BYOD safely?

BYOD devices provide benefits to both employee and organisation. No one really wants to carry two phones around, so using personal devices is great for the employee. However, while utilising the tech that staff already have is a siren call for managers looking to make the most of IT budgets, it does bring with it a range of risks, of which managing data on a device that the organisation doesn’t own is key. Mitigating the risk to corporate data could be done with any number of mobile device management solutions, but people are extremely resistant to having their personal property controlled in this manner. The trick is to securely separate work data from home data.

How do you combat the risk of consumer apps in business?

Providing a separate app for all business communications puts you back in control of your data while enabling the use of BYOD devices.

A separate app for business communications means that all work data is ring-fenced in a secure platform. It avoids data, photos/images and documents being leaked to other non-managed applications on the phone. Ideally, it also provides a secure audit facility, meaning that a copy of all communications and associated files is saved and can be reviewed later, subject to the appropriate security processes (crucial in regulated industries). This audit feature needs to work even if the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.

Keeping control of data

With a purpose-built, secure-by-design communications solution, the organisation can retain control of its messages and communications data, even after sending. Features like Message Burn mean that a message can be set to delete after a set amount of time, either after it has been sent or after it has been read. This feature should be configurable by the individual sender, or by central administration as part of a group security policy. Furthermore, central administration features should be able to ensure that all messages can be deleted from devices after a set time, say 30 days.
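
The paragraph above combines three retention controls: a sender-chosen burn timer (after send or after first read), an administrator-mandated burn timer set as group policy, and a hard cap on how long anything may remain on a device. The Python below is an added example of how a client-side sweeper could evaluate those controls together; it is not Armour Mobile’s code and the page does not describe how Message Burn is implemented. Its one design assumption, labelled in the code, is that central policy can only tighten retention and never loosen it, so the earliest applicable deadline always wins, and that a burn-after-read timer does not start until the message has actually been read. The `BurnSetting`, `GroupPolicy` and `Message` types are hypothetical names chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 24 * 3600


@dataclass
class BurnSetting:
    """Delete N seconds after sending and/or N seconds after first read (hypothetical model)."""
    after_sent: Optional[int] = None
    after_read: Optional[int] = None


@dataclass
class GroupPolicy:
    """Central administration policy for a group (assumed model, not a product API)."""
    burn: Optional[BurnSetting] = None     # admin-mandated burn timer for every message
    max_retention: Optional[int] = None    # hard cap on device lifetime, e.g. 30 days


@dataclass
class Message:
    msg_id: str
    sent_at: float
    read_at: Optional[float] = None        # None until the recipient first opens it
    burn: Optional[BurnSetting] = None     # the sender's own choice, if any


def expiry_time(msg: Message, policy: GroupPolicy) -> Optional[float]:
    """Earliest point at which the message must be removed from the device.

    Assumption: central policy can only tighten retention, never loosen it,
    so the minimum of all applicable deadlines is taken. A burn-after-read
    timer contributes nothing until read_at is known.
    """
    deadlines: List[float] = []
    for setting in (msg.burn, policy.burn):
        if setting is None:
            continue
        if setting.after_sent is not None:
            deadlines.append(msg.sent_at + setting.after_sent)
        if setting.after_read is not None and msg.read_at is not None:
            deadlines.append(msg.read_at + setting.after_read)
    if policy.max_retention is not None:
        deadlines.append(msg.sent_at + policy.max_retention)
    return min(deadlines) if deadlines else None


def is_expired(msg: Message, policy: GroupPolicy, now: float) -> bool:
    deadline = expiry_time(msg, policy)
    return deadline is not None and now >= deadline


def sweep(messages: List[Message], policy: GroupPolicy, now: float) -> List[str]:
    """Return the ids a periodic client-side sweeper should delete at time `now`."""
    return [m.msg_id for m in messages if is_expired(m, policy, now)]


if __name__ == "__main__":
    # Constructed sample: a 30-day group cap and no admin burn timer.
    policy = GroupPolicy(max_retention=30 * DAY)
    t0 = 1_700_000_000.0
    msgs = [
        Message("m1", sent_at=t0, burn=BurnSetting(after_read=3600)),                  # unread
        Message("m2", sent_at=t0, read_at=t0 + 2 * 3600, burn=BurnSetting(after_read=3600)),
        Message("m3", sent_at=t0),                                                       # no setting
    ]
    print(sweep(msgs, policy, now=t0 + 4 * 3600))   # only m2: read at +2h, burns at +3h
    print(sweep(msgs, policy, now=t0 + 31 * DAY))   # all three: the 30-day cap has passed
```

Note what the unread case shows: a burn-after-read message that is never opened would otherwise live on the device indefinitely, which is exactly why the central cap exists as a separate control rather than being folded into the sender’s setting.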

Central administration and a controlled environment also mean that only invited people can join the collaboration/communications group. This significantly reduces the risk from phishing and deepfake scams because people always know who they are communicating with. Only authorised users can access the app, making it much more difficult to spoof an identity.

Secure communications apps such as Armour Mobile are every bit as easy and intuitive for end users, providing a very similar experience to using consumer-grade apps. Not only does using a specific application for business purposes keep your enterprise data under your control, it also fosters a more security-conscious approach to safeguarding data throughout your organisation, and it helps to mitigate one of the biggest risks of shadow IT within the enterprise – the use of consumer apps for business.

For more information about how Armour Comms can help your organisation combat the creep of shadow IT and keep control of business data, even on BYOD devices, contact us today.