Cyber Incident Response Advice

From the South East Cyber Resilience Centre

Our friends over at the South East Cyber Resilience Centre (SECRC) recently updated their Cyber Incident Response Plan template. This document is free for organisations to use, share, adapt and build upon, so long as it is not used for commercial purposes.

The template highlights the importance of communications in the event of a cyber attack with the following statement:

During a cyber security incident either targeting your systems or directed towards an external partner/supply chain, careful consideration should be had surrounding communications capabilities.

There may be a diminished capacity for those affected partners because of the impact from the cyber security incident. Resilient communication options should be considered such as alternative phones. Internally, a successful cyber-attack can affect multiple communication methods. Intranet and internet websites alongside communication avenues such as online contact, or email communication may be lost; effectively isolating the public from accessing your services and the service from using internal communications.

It further notes that: Voice over Internet Protocol (VoIP) telephone and Microsoft Teams are all telecommunications systems which could be lost or compromised.

This is a topic that we cover in more detail in our recent blog: https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

About SECRC

The SECRC offers a range of membership options depending on what level of support businesses in Hampshire, Surrey, Sussex, Oxfordshire, Berkshire and Buckinghamshire need.

The Core Membership is free and provides businesses with 50 or fewer employees access to a range of resources and tools to help them identify their risks and vulnerabilities, as well as providing guidance on the steps they can take to increase their levels of protection.

For more information about SECRC and to download the Cyber Security Incident Plan template please visit: https://www.secrc.police.uk/post/cyber-incident-response-plan

Securing Communications Channels – A buyer’s guide

Anyone that reads this blog regularly will know that there are a huge number of potential use cases where secure communications can and should be used. These include:

  • Management of BYOD & remote working
  • BCM & disaster recovery
  • Mission critical & crisis communications
  • Managing security incidents
  • Out of band comms for cyber and operational resilience
  • Secure collaboration with third parties, consortiums & supply chains
  • Protection of intellectual property
  • Vulnerable communities and HR related scenarios
  • C-suite protection
  • Foreign carrier and network risks
  • Mergers & acquisition
  • High net worth individuals & family offices
  • Combat shadow IT
  • Compliance with regulations & standards (e.g. GDPR)
  • Closed messaging applications for high assurance

 

The technologies or media used to ensure secure communications can include voice, video, conferencing, instant messaging, regulatory secure audit and archiving in order to ensure secure collaboration with trusted colleagues, data privacy, and the separation of business and personal data on BYOD devices. In many organisations a range of solutions will be used, some sanctioned by IT, some not, opening the organisation to the risk from shadow IT.

In Securing Communications Channels – A buyer’s guide we provide the Top 10 questions to ask when looking to secure communications in your organisation. We cover:

When should you use Secure Communications?

There’s a surprisingly wide range of enterprise use cases where secure comms should be a requirement for your business to reduce material risk and improve cyber/operational resilience – we outline them for you.

Are consumer apps secure enough?

While consumer apps are fine for sharing selfies with family or making arrangements for a big night out, they are absolutely NOT suitable for business use – we explain why.

Who got caught out?

We give real-world examples of exactly what can go wrong and the consequences of using unsecure methods of communication.

What exactly should you be looking for?

We suggest the 10 questions you should be asking, and provide a handy tick list of requirements.

Who should read this document? 

Everyone who:

  • Needs to protect sensitive business information and communications on mobile devices (including BYOD)
  • Is looking for a more secure solution for collaboration and messaging that provides greater management of users and data, with Audit & Compliance capabilities
  • Works in regulated industries that need to archive and audit compliance for all communications, especially those on mobile devices.
  • Business Continuity & Cyber & Operational Resilience professionals who need an ‘out of band’ communications channel in the event of a serious cyber incident
  • Data Privacy professionals who need to protect personal information and enforce compliance with data protection regulations
  • Risk professionals who want to mitigate cyber & operational risk

 


CyberUK – The tide is turning for secure communications

Just back from Cyber UK and the tide seems to be turning. The message that consumer grade apps are not secure enough for business and government communications is really starting to resonate.

Holding the event in Belfast a few days after the visit by US President Joe Biden seemed to result in a more strategic audience. The majority of conversations we had were about the importance of data sovereignty, who owns corporate data and keeping control of where it goes, and operational and cyber resilience. These are all key themes that are central to secure communications and keeping mobile data safe – and all issues that cannot be properly addressed by the use of consumer apps.

As well as being busy on the stand throughout both days with more visitors and more follow up meetings booked than ever before, we were also pleased to meet a Major General; Jonathan Berry, the Viscount Camrose, Parliamentary Under Secretary of State (Department for Science, Innovation and Technology); and the following day, Minister of State (Home Office) (Security) Tom Tugendhat. Of the 90+ exhibitors the Minister and Under Secretary visited only about 5 or 6 stands, of which Armour featured for both. Clearly the recent stories in the press about sensitive messages on phones being compromised are filtering through. (Read more here: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/)

If you are looking for a highly usable alternative to consumer messaging apps to reduce cyber risk in your organisation, even on BYOD devices, then contact us today

Online Safety Bill – So what?

Enterprise data security is never an A or B option – Good cyber security is far more nuanced

As those that have been in cyber security for any length of time know, protecting data is not a simple process. The dynamic between individual privacy and security of the population at large, whether due to terrorists, paedophiles/abusers or any number of bad actors, is a complicated balancing act that depends on many variables. There has been a recent outcry by some providers of consumer apps regarding the Online Safety Bill (currently going through Parliament), reported by the BBC (https://www.bbc.co.uk/news/technology-65301510), which is said to compromise people’s privacy. In short, some providers of messaging apps are threatening to block UK users should the bill become law.

Citizens want to be protected

The bottom line is that the vast majority of citizens want to be protected and for the police and law enforcement agencies to be allowed to fight crime.  In order for this to happen, under certain circumstances, additional measures need to be put in place. Indeed, this isn’t the first time that there has been push-back from interested parties trying to stop new legislation.  The Regulation of Investigatory Powers (RIPA) 2000 witnessed a backlash from journalists (amongst others) at the time.

Consumer apps have no place in business communications

Putting all this into the context of business communications, it really is a big ‘so what’. Or at least, it should be. Business communications should never be conducted over consumer-grade apps for many reasons (which we’ve explained elsewhere numerous times – NCSC also gives advice: https://www.armourcomms.com/2022/05/17/advice-from-ncsc-using-secure-messaging-voice-collaboration-apps/).

Keep business and private data separate

Corporate data is owned by the organisation wherever it may be, including on BYOD devices or a company/organisation supplied phone, and needs to be treated as such at all times. Consumer apps should not be installed on corporate devices (witness the recent banning of TikTok by several governments: https://www.armourcomms.com/2023/03/23/global-backlash-against-tiktok-grows/). Such apps pose a business security risk as users may be targeted via these apps, and the apps themselves may be used to send data which will later compromise the organisation. All this emphasizes the need for organisations to control their own data – something that the use of consumer apps simply doesn’t allow.

Choose your secure comms platform carefully

When it comes to enterprise secure comms, organisations should avoid the lure of ‘shadow IT’ – just because people like it and everyone uses it doesn’t make it acceptable, particularly when there are credible alternatives. A built-for-purpose, Secure by Design secure comms platform can provide an equally slick user experience plus the ability to manage and control data and meta-data.  Whether on-premises or a secure hosted solution, an enterprise-grade secure comms platform ensures data sovereignty (your data stays on sovereign soil, i.e. you know where it is being held) and data separation (no mixing of data, be that different classifications of data, or business and personal).

Enterprise secure comms platforms provide additional services such as archive and audit, which enable the review of communications at a later date, to ensure compliance with regulations (GDPR, FOI, for example). None of this is available from consumer apps.

In short, if you rely on a consumer-grade app for any part of your business, you are not only at the whim of the supplier, you are also risking your business reputation.

In the midst of a Cyber Attack who you gonna call – and how?


Don’t rely on the very IP channel that has just been hacked, because your adversaries will be monitoring it!

As the number of organisations suffering major cyber-attacks continues to increase dramatically, the National Cyber Security Centre (NCSC)’s message on building operational and cyber resilience has never been more pertinent. Indeed, according to the UK Government’s Cyber Breaches Survey 2022, some 39% of businesses reported a cyber-attack, demonstrating the point that it’s not a case of if, but when, your organisation will suffer a cyber breach.

Building resilience from the ground up

When an organisation succumbs to a cyber-attack or catastrophic IT failure, the first thing to do, even before assessing the situation fully and putting together a plan for recovery and future mitigation, is to understand exactly how you are going to communicate. It’s not just the IT department discussing the technicalities, and business continuity managers communicating with the C suite and the board to keep them abreast of events. There is a wide variety of people involved in handling the situation that will need secure, reliable comms. They will include those with internal roles such as project managers, risk and incident managers, as well as employees with external roles such as customer relationship managers, public relations, legal counsel and lawyers. The last thing you should do is use the very platform that has just been compromised, i.e. your corporate network, if indeed you can.

Don’t rely on a compromised system

In layman’s terms, if your email has been hacked, sending an email to your friends asking for help is nonsensical – your email alerts the hackers to the fact you’ve detected their presence.  And, you can’t tell if any of the responses are genuinely from your friends or from the hackers messing with you.

It is very common when hackers have compromised a system for them to watch carefully for the responses from any IT resources that are tasked with countering their attack. Typically this includes watching and subverting any communications channels that IT may be using.  It’s not unusual for hackers to send spoof messages to try and assess just how well the IT team understands the nature of the attack, to capture new passwords or other changes to security, and prevent key messages from being delivered.

During the initial investigation phase of a cyber attack it is difficult to know what systems have been compromised, so it is best not to rely on any of them, if possible.

Secure your emergency communications for key staff

By protecting the communications of the IT and digital forensics team, as well as other key senior members of staff, you are blocking a very useful source of information from being intercepted or modified by the hackers. In addition, by using a secure communications platform, such as Armour Mobile, and having the secure comms hosted by a third party, you are further isolating the senior management and IT team’s comms from the potentially compromised systems that they are trying to recover.

Armour Mobile, which is approved by NCSC and NATO, can be up and running in minutes

For third party ‘blue teams’ brought in to handle such hacking situations it makes perfect sense for them to bring their own secure comms solution with them – and this is a question that you should be asking any would-be supplier when tendering for such services.

Armour works with a number of organisations that can provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance, to incident management and response, and technical security research.

Contact us today for more information about protecting your emergency and sensitive communications and building operational resilience:  sales@armourcomms.com

Secure Mobile Comms in a Zero Trust world

How Armour Comms can provide a turnkey solution for Zero Trust mobile comms – even on BYOD devices

The UK National Cyber Security Centre (NCSC) defines zero trust as an architectural approach where inherent trust in the network is removed, the network is assumed hostile and each request is verified based on an access policy.

This is music to our ears at Armour® where, by their very nature, our products and services have been designed for communicating securely in potentially hostile environments. When a network is hostile, security comes from trusting users, devices and services. This means that user identity and authentication become critically important. This is something which, in the secure comms space, we have been working on for many years.

Our flagship product, Armour Mobile® uses MIKEY-SAKKE identity-based encryption to secure multimedia services. This enables secure voice and video calls, voice and video conference calls, one-to-one and group messaging, and sending file attachments. The solution ensures that the parties exchanging calls and data are who they claim to be (hence the term “identity-based”). Armour offers several secure communications products with closed user groups, protecting against fake contacts from external hackers. These systems can run on your own servers for total sovereignty for data and metadata.

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient, effective and NCSC-accredited protocol for building a wide range of secure multimedia services for government and enterprises.

Guidance from NCSC (https://www.ncsc.gov.uk/collection/zero-trust-architecture) provides eight design principles for implementing a Zero Trust environment. The eight principles are as follows:

1. Know your architecture, including users, devices, services and data

2. Know your User, Service and Device identities

3. Assess your user behaviour, devices and services health

4. Use policies to authorise requests

5. Authenticate & authorise everywhere

6. Focus your monitoring on users, devices and services

7. Don’t trust any network, including your own

8. Choose services designed for zero trust

NCSC states that “When choosing the components of a zero trust architecture, you should prefer services with built-in support for zero trust.”  Furthermore, NCSC advises “Using products that utilise standards-based technologies allows for easier integration and interoperability between services and identity providers.”

Moving to a Zero Trust environment will in most cases be a significant undertaking for any organisation. With this in mind, the 8th principle, to choose services designed for a zero trust environment, makes obvious sense and avoids re-inventing the wheel.

At Armour we have consistently taken a standards-based approach to all design and development and have achieved ISO27001:2013 registration for the Armour Communications Information Security Management System, covering the development and delivery of Armour Mobile, SigNet by Armour® and white-labelled products, and Cyber Essentials Plus for our whole organisation.

Secure by Design and Secure by Default principles are in our very DNA. We’ve been working with the NCSC since our inception to ensure that our products conform to the appropriate industry standards and are designed with the end user in mind. Armour Mobile is used by some of the most security conscious organisations in the world including Governments, defence organisations and financial institutions, while SigNet is used in many enterprise environments and seen as a secure WhatsApp replacement product.

Contact us today to find out how Armour can empower your organisation with secure mobile comms that comply with Zero Trust requirements: sales@armourcomms.com

Global backlash against TikTok grows

What other undesirable apps are potentially accessing your corporate data?

On 16 March the UK Government announced a ban on the use of TikTok on government phones and devices. The ban is in line with those announced by US and Canadian governments and the European Commission. A report submitted to Australia’s Select Committee on Foreign Interference through Social Media “…confirms beyond any plausible doubt that TikTok is owned by ByteDance, ByteDance is a People’s Republic of China (PRC) company, and ByteDance is subject to all the influence, guidance and de facto control to which the Chinese Communist Party (CCP) now subjects all PRC technology companies.” The report shows “… how the CCP and PRC state agencies (together, the Party-state) have extended their ties into ByteDance to the point that the company can no longer be accurately described as a private enterprise.”

The Register states: “The report, by a quartet of researchers, was hailed as “the most comprehensive exploration yet of the CCP’s ties to TikTok” by Brendan Carr, commissioner of the United States’ Federal Communications Commission. India’s IT minister Rajeev Chandrasekhar retweeted Carr’s remarks.”

This latest revelation must raise serious concerns amongst CISOs and anyone with any interest in data security. Any mobile phone that is used for business that also uses TikTok may raise the risk of leaking valuable commercial data and intellectual property to a totalitarian regime that actively pursues industrial and academic espionage.

If we needed any further reminder that consumer apps should NEVER be trusted to handle enterprise data, here are a few other recent stories…

Mobile phone account takeovers – are you safe from mobile phone number recycling?

When registering for a free messaging app it is common practice to use your mobile phone number.  Indeed, for most services, this is the only option available.  However, this brings its own privacy  issues because the data security at the multi-national social media companies that tend to own consumer apps is often found wanting.

This cautionary tale, which appeared on El Reg recently, concerns an accidental WhatsApp account takeover. It is about a person moving from one country to another for work, and changing to a local mobile phone number as they did so. They then started receiving WhatsApp messages meant for someone else. While not specifically a WhatsApp issue, it serves to highlight the issues of using a mobile phone number when setting up a messaging app.

It begs the question – what messages do you have in your WhatsApp chat history?  Would you be happy for them to be read by a complete stranger?

Protect your own privacy

Unlike consumer apps, with Armour Mobile and SigNet you are able to register with a unique identifier. As well as protecting your account against spoofing (mobile phone numbers being notoriously easy to clone/hack/impersonate), the benefit of identity-based authentication (MIKEY-SAKKE) is that you can be sure that you are communicating with who you think you are communicating with (avoiding deep fake scams). In addition, all this provides an extra level of personal privacy protection.

WhatsApp fined again

In other news, WhatsApp has once again been slapped with a fine for mis-handling data under GDPR legislation. While the sum in question, €5.5m, is fairly paltry in terms of scale, it is a further indication of the seriousness of such transgressions in that it has been levied in addition to previous fines. The Data Protection Commission (DPC), Ireland’s data watchdog, has upheld a complaint against WhatsApp dating from 2018, around the requirement of users to accept new terms and conditions that require them to share data, in order to continue using the app.

This comes despite having rewritten its European privacy policy after a previous eye-wateringly hefty fine of €225million for GDPR contraventions.

Armour Mobile and SigNet by Armour ensure that contact lists remain private and that personal information is not shared without the owners’ permission. Read our previous blog about GDPR and mobile comms for more information.

Not suitable for Government says ICO (or Enterprise)

Last year, the Information Commissioner’s Office (ICO) recommended that Government departments review the use of consumer-grade apps such as WhatsApp, private emails and messaging platforms after a year-long investigation that highlighted inadequate data security during the COVID pandemic.

If there are fears for the privacy of government communications, there should equally be caution among the private sector.  All enterprises, no matter how large or small, have intellectual property that they would not wish to fall into competitor hands (formulae, customer lists, product roadmaps, employee information, details of proposed mergers and acquisitions, to give just a few examples).

In line with the recommendations made by the ICO, at Armour we urge organisations to review the use of messaging apps to ensure that sensitive and commercially valuable information is not in danger of being compromised, or shared unwittingly.  Here we go into more depth about why consumer-grade apps are a security risk.

For more information about how Armour Mobile can help your organisation to protect sensitive information and comply with GDPR, while providing an engaging and easy to use secure comms app to your staff, contact us today 

The Hancock Saga – Exactly how NOT to manage sensitive information

Whose data is it that was leaked to the press – were they personal messages, or was it Government information?

The latest story of leaks to the press involves a “hapless” and “controversial” Matt Hancock, former Secretary of State for Health and Social Care. Having commissioned a high-profile journalist, who was known to be critical of the government’s handling of the pandemic, to ghost write a memoir of his time in office during the pandemic, he was then surprised when said journalist leaked supposedly private WhatsApp messages, despite a confidentiality agreement.

Someone in his position should know that there is no such thing as ‘off the record’ when dealing with journalists.  If you don’t want them to write it, don’t tell them!

Whatever you think of Hancock – an article in the FT, ‘The tragedy of Matt Hancock’, described him as mainly “annoying” – this case does highlight some extremely important aspects of managing information, and more specifically, Government information.

Whose data is it anyway?

While the precise definition of “public record” is open to interpretation, such records do include  “…‘not only written records, but records conveying information by any means whatsoever’ – so including electronic documents, emails, social media and databases…” so whether Hancock’s messages were sent via an email, or via WhatsApp, they could be construed as Government data, and so, part of the Public Record.

Question: If they were sent from a Government-provided device/mobile, no matter via what type of app, are they Government data?  One would think so!

Question: Would you be happy if you thought that messages you’d sent to a work colleague expecting them to remain confidential, were subsequently shared with a third party without your permission?

Question: Should someone be making huge profits off the back of data they acquired while in a privileged position, serving the people of this country?  It seems unprofessional and inappropriate to most people.

For example, the Civil Service code is quite clear that one must not “misuse your official position, for example by using information acquired in the course of your official duties to further your private interests or those of others” nor “disclose official information without authority (this duty continues to apply after you leave the Civil Service)”.

The danger of the current slipshod manner of handling such Government information calls into question another important issue – Ministers should be able to discuss policy matters frankly, in private, without fear that their conversations/messages will be leaked. Yet such private discussions keep being leaked – this has happened repeatedly, for example Hancock conspiring with Dominic Cummings while Cummings, after being forced out of Downing Street, shared WhatsApp messages where the then-prime minister Boris Johnson criticised Hancock as hopeless. As the saying goes… “What goes around comes around.”

Protecting Government data

There is no doubt that consumer messaging apps are easy to use.  But when discussing important Government policy, or any other sort of sensitive information, surely more care should be taken of how and where these discussions take place.

There are built-for-purpose apps available to Government, that are approved for handling classified information.  Armour Mobile is every bit as easy to use as a consumer-grade app, with a whole host of useful additional features for protecting information. There really is no excuse for the current saga involving Hancock’s messages, which is damaging to the reputation of the British Government.

Having your Cake and Eating it – Remote Message Wipe and Audit

Armour Mobile provides a secure alternative to WhatsApp and any other messaging app that does not have centralised control over its users.  Armour Mobile messages can be set by the user to automatically delete at a set time either after the message has been read or after it was sent, leaving no trace of the message behind.

In addition, a central administrator can set retention limits so that all messages automatically delete after a set amount of time, for example, one month.  Does anyone need to keep messages beyond a certain point?  Not unless they are planning to write a book of course!

Finally, if a phone is lost, stolen or compromised, or an employee leaves the organisation, the data held within the Armour app can be remotely wiped by an admin, therefore minimising the risk that sensitive data could be exposed.

Preserving the Public Record

While Armour Mobile securely protects messages, documents, voice and video calls both over-the-air, and also when at-rest on a device, Armour is also able to provide an archive and audit option, ReCall by Armour. If this additional module is enabled on an Armour Mobile system, copies of the encrypted communications can be saved to a secure environment, where only specially approved administrators can decrypt specific messages or conversations, whether for legal compliance purposes or to store as a “public record”.

This means that the contents of any conversations within Armour Mobile can be managed centrally, and removed from devices remotely, while still ensuring a copy is securely saved, should it need to be audited at a later date.  Using such a system, ministers and civil servants can debate policy, argue, bicker and name-call to their hearts’ content, safe in the knowledge that the contents of their discussions are protected centrally, with no copies hanging around afterwards that can be passed retrospectively to third parties… or appear in someone’s memoirs!

Whether the messages were taken out of context, whether the journalist had an axe to grind, whether Hancock was naive and/or incompetent is actually irrelevant. Government data such as this should have been properly protected.

Lessons for Enterprises that don’t want to air linen (dirty or otherwise) in public

It’s easy to bash politicians because they are in the public eye, and when they fall from grace they do so with plenty of noise.  However, there is a lesson to be learnt here for every enterprise and every business person.

Ask yourself – what conversations/chats do you have on your mobile residing in a messaging app that could cause you embarrassment should the wrong person see them?

Now ask yourself what conversations and information might be on your employees’ phones that could do your business damage should they be exposed?

Every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal.  All of this information could cause financial loss, be deeply embarrassing if leaked, lead to loss of reputation, breach GDPR and attract huge fines, or at worst, could jeopardise the entire business.

When considering the predicament an ex-minister finds themselves in, ask yourself whether it could be you or your organisation next?

Contact us today to make sure that the things you want to keep secret are securely protected: https://armourcomms.com/contact

Signal may abandon UK users

The perils of using consumer grade apps for business

Last week it was widely reported (https://www.bbc.co.uk/news/technology-64584001)  that Signal will leave the UK market if the Online Safety Bill, introduced by Boris Johnson and currently going through Parliament, undermines encryption.  This would leave hundreds of thousands of users looking for an alternative secure messaging service.

The Online Safety Bill, critics say, means that companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law.  Apple tried to address the same issue a couple of years ago, where it proposed introducing new scanning software to detect Child Sexual Abuse Material (CSAM) on people’s iPhones.

No one would argue that cracking down on the peddling of CSAM and the apprehension of terrorists is anything but a good thing. However, in this case, the method was called into question because it introduced a security and privacy weakness in Apple’s operating system, that previously enjoyed a robust reputation. It doesn’t take a huge leap of imagination to see how this type of well-meaning surveillance could be appropriated for more political or sinister purposes.  Indeed, there was such a degree of public outcry that Apple deferred the launch of the service.

As the BBC coverage comments, it is ‘magical thinking’ to imagine that online privacy can be maintained for the good guys, but not the bad guys!

Signal is a well respected service and indeed, our own SigNet by Armour entry-level enterprise service is based on Signal technology. However, this latest story brings into question the wisdom of using consumer-grade apps for business.  If you use a free service, you are at the whim of the supplier.

This also highlights the reasons to use an enterprise/government/military grade solution for secure communications and collaboration. In subscribing to a professional service, such as those provided by Armour, you benefit from the following:

• Hosted or on-premises options for complete control of your data and metadata

• Central management of users with easy provisioning and equally easy revocation

• Access to, and potentially input into, the roadmap of product development

• Bespoke development capabilities to handle unique/complex requirements

Contact us today to find out how Armour Comms can help your organisation to manage secure communications more reliably.