User Success – Are you making the most of Armour technology?

Convincing people to use security products is a challenge.  Employees are often reluctant to change their working practices, especially if it involves any kind of inconvenience. So when you have successfully built the business case, found the product, got budget approval, procured the product and rolled it out to end users – then what? How can you ensure that the product is being used, and can you demonstrate business value, or return on investment?  With security products this is notoriously difficult because if the product is successful at diverting a threat, then there may be no obvious outcome or benefit to the end user.

With this in mind we’re going to be revisiting customer successes that we think will help our clients achieve maximum benefit from their investment in Armour technology.

Secure Note to Self – Provide a great user experience

Evidence shows that the most enthusiastic adoption of Armour Mobile and SigNet by Armour is where it solves a compelling business problem, as well as providing better security. The product must be easy and pleasant to use, and users need to see immediately how it makes their lives easier.

By talking to our many clients about how they are using our products on the ground, we have learnt about some surprising real-world benefits. For example, SigNet has an extremely useful Note to Self capability, something that users absolutely love once they discover it. No more sticky notes or emails to self: just a voice memo that is delivered to the devices linked to the same account, completely secure and unable to be eavesdropped on or overheard by anyone other than the intended recipient.

Cyber Essentials Plus and BYOD don’t mix – or can they?

Another point worth keeping in mind: if your organisation is planning to undertake Cyber Essentials Plus accreditation, then employees’ unmanaged personal devices (i.e. BYOD) cannot be used to access corporate information, including email. Employees are generally highly resistant to Mobile Device Management (MDM) solutions on their personal devices. However, with Armour Mobile all corporate information shared using the app is completely isolated from the rest of the device. This makes Armour Mobile an extremely viable alternative to MDM, one that employees are more than happy to use because it does not interfere with their personal apps while still protecting business information. The same device can be used for both personal and business communications. For more information about this, read our blog: https://www.armourcomms.com/2022/05/03/protecting-sensitive-comms-on-byod-devices-without-resorting-to-mdm/

In the coming weeks and months, we’ll be sharing different scenarios where our customers have achieved sometimes unexpected benefits from different use cases.  In the meantime, if you have a business problem, get in touch and it may be that someone else has already faced that same issue, and we have the solution ready and waiting.

Time to make cybersecurity personal

It’s been a tough 18 months for everyone, and as things start to get back to some semblance of normal in the UK at least, many people are enjoying a bit of down time.  Some are playing PCR bingo and going abroad, while others are stay-cationing.

When staff are in holiday mood – will they throw caution to the wind?

While relaxing on holiday, will your employees remember your security protocols? The harsh answer is probably not! It’s not just the corporate information stored on personal mobile devices, or on business devices that are also used for personal purposes, that could be compromised; it is also their own personal privacy.

With the spectre of mobile network roaming charges (due to the UK leaving the EU), some people may choose to use standard voice calls to keep costs down, but these are easy for hackers, malicious actors (e.g. business competitors) or foreign network carriers to intercept.

When taking business devices abroad, how does your organisation manage the export controls of taking data overseas?

On a personal level, will staff remember not to access their banking apps over an untrusted (hotel) Wi-Fi connection?

There’s a lot to think about – especially when people are fatigued by security measures in their working lives that can make getting ‘the job done’ that bit more laborious.

Personal Privacy is being infringed – Every day

Enlightened self-interest is as big a motivator as any to get people to follow corporate policy. When it comes to personal privacy versus what some describe as the surveillance state, many people are of the opinion that if you’ve done nothing wrong, you’ve nothing to fear. Recent stories in the press highlight the error in that thinking.

One such story to hit the headlines concerns Pegasus spyware manufactured by Israeli company NSO that is for sale to governments and other organisations for the purposes of surveillance.  A data leak revealed how the spyware has been used to target journalists, human rights activists, politicians, government officials and business executives around the world. A list of 50,000 mobile phone numbers of potential targets has been uncovered.

This is one example of a ‘list’ that no one wants to be on. There are other databases of mobile phone numbers that people are not aware they are listed in. A recent BBC article described how the reporter received a call via WhatsApp from someone she didn’t know. The caller had got her number from a database held in the US; there are many companies collecting and monetising personal data scraped from a variety of online sources, and this allowed someone to link her WhatsApp account to her personal phone number.

Live Facial Recognition (LFR) is now a reality, and so concerning that the UK Information Commissioner, Elizabeth Denham, recently voiced her concerns about the technology. When CCTV cameras are overlaid with LFR, for instance in a shopping centre, it could be used for identifying known shoplifters, or for serving up personalised adverts to shoppers. Safety or an invasion of privacy?

Another story to hit the more technical journals is news that Apple is to introduce new scanning software to detect Child Sexual Abuse Material (CSAM) on people’s iPhones. No one would argue that cracking down on the peddling of CSAM and the apprehension of paedophiles is anything but a good thing. However, in this case the method is being called into question because it introduces a security and privacy weakness into Apple’s operating system, which previously enjoyed a robust reputation. It doesn’t take a huge leap of imagination to see how this type of well-meaning surveillance could be appropriated for more political or sinister purposes. Indeed, there has been such a degree of public outcry that Apple has now announced it is deferring the launch of the service.

Corporate Duty of Care

Infringements of personal privacy can impact business. Most people are wedded to their mobile phones, making these devices a tempting and lucrative attack vector. Not only may perpetrators be able to steal the user’s identity, they may also gain valuable commercial information, or indeed, that might be the very reason for the attack in the first place.  It is in the interest of any organisation to educate and protect its employees.

Products such as Armour Mobile and SigNet by Armour are delightfully easy to use, and yet provide a much higher level of security than consumer-grade apps.

In today’s world of increasing surveillance, anyone who handles sensitive or commercially valuable information on their mobile phone, needs to consider protecting it, and with that, their own privacy.


Contact us today to see how we can help your organisation protect your employees’ personal privacy and, with it, your corporate IP.


Armour Comms showcases new secure collaborative working solutions with MOD and Bittium at DSEI

DSEI, 14 – 17 September, 2021

ExCeL, London

Stand No: H1-450


London, UK, 9 September 2021: Armour Comms will be showcasing several new capabilities of its OFFICIAL-SENSITIVE, NATO approved Armour® Mobile at DSEI, including a technical preview of its secure collaboration solution, Unity by Armour. Other innovations on show will be Armour’s work with the Ministry of Defence (MOD) for secure mobile comms, which is currently being successfully deployed across several operational areas to replace the use of consumer-grade apps, and Armour’s unique technology for Bittium devices, which enables users of Bittium’s Android TM2 solution to communicate without using the public internet.

Unity by Armour works in conjunction with Armour Mobile extending its secure collaboration capabilities with secure video conferencing calls (pre-defined or on-the-fly), screen sharing and integration with secure chat groups, in addition to the existing one-to-one secure audio and video calling, and interconnectivity with trusted unified communications systems. Unity by Armour provides picture in picture and multiple screens, and offers a familiar video conferencing interface, making it easy and intuitive to use. Unity by Armour is available with a choice of hosting options, including on-premises installation, ensuring that communities are controlled by invitation-only, increasing security and guarding against ‘zoom-bombing’.

Armour Comms will also be showcasing the latest innovation for its NATO approved secure communications solution, which now includes unique Secure Push technology from Bittium. This feature allows secure and battery-efficient signalling of incoming Armour Mobile calls and messages, even in classified networks that have no connectivity to the public internet.

Armour Mobile runs on Bittium’s Tough Mobile™ 2 series of ruggedised and secure smartphones ensuring voice and video conversations, and the associated files and attachments, stay completely private, no matter how hostile the environment. In addition, Bittium Secure Suite provides additional capabilities such as mobile VPN, device and application management, remote attestation and other functions.

Aimed at military, defence, law enforcement and government markets worldwide, Bittium and Armour products provide the same user experience as consumer-grade solutions, while keeping both data at rest and data in transit secure at all times.

David Holman, Director at Armour Comms, said: “At Armour Comms we are focused on delivering highly capable, easy to use, intuitive solutions that are robustly secure and suitable for deployment at scale. For specific markets, like Defence, we also work closely with our partners to enable higher assurance communications solutions.

“The new capabilities we have on show at DSEI are driven by our users and are designed with the user in mind. Delivering solutions that are easy and pleasurable to use encourages strong user adoption, avoiding the kind of workarounds that often beset traditional secure communications solutions, such as people resorting to the use of highly insecure consumer-grade apps on ‘shadow IT’ devices.  Armour Comms solves the conundrum of a secure-by-default comms application that is still easy to use and quick to deploy at scale.”

Armour has recently announced the availability of its Armour Core v4 server-side software which includes a range of enhancements designed to significantly improve performance and usability including support for IPv6, the latest network communications protocol, enabling calls to seamlessly transition between modern networks.

More information about Armour Communications solutions can be found at www.armourcomms.com.

GDPR and Mobile Comms

How compliant is your organisation?

GDPR may have slipped from the headlines, and now be seen simply as ‘job done’ in many organisations. However, with the widespread adoption of remote working due to the pandemic, some aspects of data security may have slipped as people revert to less than optimal practices. It is worth remembering that the penalties for infringement can be costly, with a maximum fine of €20m or 4% of annual global turnover, whichever is the greater.

Data Privacy is a worthy goal

GDPR legislation should not be viewed merely as a compliance requirement. There is very real value in protecting privacy, given that personal data is so highly sought after by criminals and its loss can be devastating for the individual concerned. Protecting personal data is a worthy goal in its own right. If people in your organisation are using consumer-grade apps for business communications, then you may be contravening GDPR regulations.

As an example, as we cover in our ‘Replacing WhatsApp for Business?’ blog, WhatsApp should not be used for business communications; it expressly says so in its Ts & Cs. Apart from this, you should keep in mind these points when assessing what data might be shared using an app that your organisation does not control:

  • What type of data is being shared using mobile apps? Is it personally identifiable, like HR or payroll data?
  • Has consent been given for the data to be shared, such as business contacts whose details are then distributed via mobile phone apps?
  • Can you control where the data might end up? Can you stop it being forwarded to an unauthorised user or location? Do you know where the servers are located that will store the data?
  • Can you control who might see the data?
  • Can the data be deleted once it is no longer required?

If you are unsure about any of these points, then it is worth taking a closer look at the apps in use in your organisation, and safeguarding your business by moving to an enterprise-grade secure communications app.

Enterprise-grade alternatives from Armour Comms

Armour Comms provides a range of solutions, and the knowledge and experience to curate a suitable service to meet exact requirements. Armour Comms solutions are specifically designed to provide enterprise-ready capabilities, including gateways into existing unified communications systems, for professional customers including governments, financial and legal businesses, defence organisations and high net worth individuals.

Armour Mobile – available for iOS, Android and Windows Desktop, hosted on the Armour Secure Cloud, or as an on-premises solution. Based on NCSC and NATO approved MIKEY-SAKKE protocols, the Armour Mobile app is downloadable from app stores, and benefits from both central administration and quick-and-easy provisioning of new users.

Armour Recall – now available as an additional module for Armour Mobile users on on-premises deployments, providing secure, centralised audit of all text, audio and message attachments. While designed for organisations in regulated industries such as financial services, legal, pharmaceutical and medical, Recall’s audit capabilities can be useful for many other security-conscious organisations that need to be able to prove who said what, to whom, and when.

SigNet by Armour – an alternative to Armour Mobile for specific use case requirements, using AES 256-bit encryption technology. Available as a hosted or an on-premises solution, SigNet too is downloadable from the app stores, centrally administered, and quick and easy to provision for new users.

All Armour products are designed with the end user in mind, to deliver a highly usable experience that surpasses free-to-use apps, with enterprise features and security baked in.

For more information on how Armour Comms can help your organisation to secure personal and sensitive data held on business mobile devices, contact us today.


Armour Comms has published a podcast explaining GDPR and its impact on Mobile Communications which you can view here:

https://youtu.be/kI7qyzXR0-U

Armour Comms wins Queen’s Award for Enterprise: International Trade 2021

Cyber-security firm wins highest industry accolade for Secure Communications technology

London, 29 April 2021: Armour Comms, a supplier of UK Government and NATO approved solutions for secure communications including voice, video, messaging and data, has been awarded a prestigious Queen’s Award for Enterprise: International Trade 2021. The award was made for outstanding short-term growth in overseas sales over the last three years.

Established in 2015, Armour Comms is one of only 112 organisations nationally to be recognised with an acclaimed Queen’s Award for Enterprise: International Trade this year. Armour Comms technology provides the convenience and usability of consumer-grade apps, with enterprise and government grade security features required by professional users to protect sensitive information and maintain privacy. Armour technology provides a highly secure mobile communications platform where every element of data, including meta-data, can be controlled.

David Holman, Director and co-founder of Armour Comms, said: “The whole team at Armour are honoured to have been selected for a Queen’s Award and I know our many customers around the world will share our excitement at this recognition. It is the highlight for us of a busy 12-month period where many organisations moved to remote working and therefore required more robust security for their home workers.

“During the pandemic cyberattacks have increased significantly, generating an awareness that security for mobile workers is incredibly important because it presents such a large attack surface. By combining the usability of consumer-grade apps with enhanced security required for business use our products provide the assurance required when sharing sensitive information of all kinds and maintaining privacy, even in the most challenging of environments.”

Armour Comms supplies the secure communications solutions of choice for governments, banks, defence and law enforcement, financial services, legal and healthcare organisations, as well as family offices, ultra-high net worth individuals and journalists operating in unfriendly regimes.

This short video explains how the Armour technology works: https://www.youtube.com/watch?v=lufP-IUckhE

Replacing WhatsApp? Advice from NCSC

What exactly should you be looking for?

When considering a secure communications solution for your organisation there are a lot of different options. Not least of these are free-to-use consumer-grade apps. Without vigilance these apps can seep into business use without any oversight from the organisation, often because employees use the apps in their personal lives and they seem like an expedient way to communicate. These apps claim end-to-end encryption, but do they really meet the needs of an enterprise? And what extra do paid-for enterprise solutions offer?

As we’ve pointed out many times before, there is much more to security than just encryption; this is an important point made by the UK National Cyber Security Centre (NCSC). It has published a document, ‘Secure communications principles’, highlighting key points for secure communications. As usual, NCSC has done an excellent job of laying out the potential hazards, and how to avoid them, in an easy-to-read form. Here is an outline of those principles and why they are important.

NCSC’s 7 Principles for Secure Communications

There are seven principles defined by NCSC, and they are:

  1. Protect Data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect user access to the service
  4. Ensure secure audit of communications is provided
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience


Protect Data in Transit

At some point, your communications are very likely to travel over the public internet, which is by its nature an untrusted network.  You don’t control it, so you can’t trust it. If not well protected, data travelling over an untrusted network can be tampered with, or people may be able to eavesdrop on your conversations and exchanges.

Another issue is messages being sent to the wrong person. This could be because you mistyped their address, or because someone has spoofed or stolen an identity. This means that you could think you are interacting with a trusted colleague, when in fact an attacker has misappropriated their account. You could be tricked into giving away sensitive, valuable information, or into downloading malware.

Protect network nodes with access to sensitive data

A node is a connection point inside a network that can receive, send, create, or store data. Each node requires you to provide some form of identification to receive access. As your message travels across the network and passes through these nodes, any unencrypted data it carries may be accessed by those nodes. While the content of the message may be encrypted by the app, your metadata may not be.

Another key point to consider is that encrypted messages rely on an encryption key to encrypt and decrypt. The key needs to be shared with the recipient for them to read the message, so there needs to be some form of key management system. If someone were to get hold of the key, they could read the message. If someone could get into the key management system, that would undermine the trust of the whole communications system, and you wouldn’t necessarily know that this had happened until it was too late and sensitive information had already been compromised.

Protect user access to the service

As alluded to earlier, when you communicate with a trusted colleague, you assume that it is them. However, if their account is hacked, you may not be communicating with who you think you are*.  For this reason, strong user authentication is an important part of a communications system.

If your colleagues are using their own phones for business use, i.e. an unmanaged device, there is also the danger that details such as user credentials and historic communications content are processed and stored without being encrypted. Therefore, if someone else gains access to that device, information could be compromised. This is another reason for strong access control authentication (for example, a fingerprint scan or password).

*In case the risk here isn’t clear, this is the ‘messaging app’ analogue of Business Email Compromise (BEC), which the FBI’s 2020 Internet Crime Report (https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics) indicated cost $1.8B last year, more than the total costs of confidence fraud, ransomware, identity theft and several other categories all added together!

Ensure secure audit of communications is provided

For those working in regulated industries (financial services and health, for example) it is important that all communications can be audited (i.e. recorded and stored). However, this is not as easy as it sounds. The communications content must be kept secure, and there need to be tight controls around who can access the content, when and why; this level of access would be highly desirable to criminals. Consumer-grade apps certainly do not provide this level of service, and some may even monitor your content for advertising or other purposes.

Allow administrators to securely manage users and systems

All IT service desks know that if users are allowed to administer their own accounts you end up with anarchy. For a secure communications system to remain secure, it must be properly managed. This means controlling who can join, and who can communicate with which groups. In contrast, consumer apps allow anyone to join (which could include hackers, criminals and disgruntled ex-employees) and then to contact anyone else on the system.

Controlling who is admitted to the system provides a level of trust: you know who you are communicating with, and should someone leave the organisation, their account is disabled.

Use metadata only for its necessary purpose

Put simply, metadata is the ‘who’, ‘where’, ‘when’ and ‘how’ of the communication. It reveals information about the user, for example who is talking to whom, which in certain cases can be useful to a malicious actor even if they don’t know what is being said.

When aggregated, metadata can become even more valuable, and it is often harvested and sold to advertisers. This is how free-to-use services monetise their users. Apart from the adverts being annoying (and creepy), it is a security risk for organisations.

Assess supply chain for trust and resilience

Do you know every element of your secure communications service and who supplies it? Can you trust every element? If your existing solution uses the public internet then you can’t know every element, and therefore you need to mitigate the risks. Another point to consider is whether the system is standards-based (and so can be supported by multiple vendors) or proprietary. If proprietary, what happens should that supplier go out of business or be taken over by another organisation?

A final point to think about: for a secure communications solution to be genuinely usable (in other words, for there to be no reason for users to circumvent the system with workarounds or “shadow IT”), can users communicate with people outside of the organisation? Any solution adopted needs to be able to talk to other secure communications systems.

The ease of use of a communications app belies the underlying complexity, so when looking for a solution that is secure enough for enterprise and business use, there is a lot to consider.

Our new technical white paper goes into each of the NCSC’s Secure Communications Principles in much more detail and explains how Armour applies these principles across our products.  You can download a copy here:


Alternatively, you can view our Podcast (Part 1 and Part 2).

Armour Comms attains ISO27001 certification

Secure communications supplier achieves ISO/IEC 27001:2013 in just six months

London, 30 March 2021: Armour Comms has been registered by Intertek Certification Limited as conforming to the requirements of the ISO/IEC 27001:2013 standard, ensuring that security is embedded within company culture, to minimise risks from cyber threats, and to ensure resilient processes and controls. The certification covers Armour’s Information Security Management System (ISMS), which encompasses the development and delivery of Armour’s flagship products Armour® Mobile and SigNet by Armour®, and all white-labelled products. Armour Comms provides trusted, secure instant collaboration solutions for mobile devices and desktops that are widely used in Government, military and defence sectors around the world.

David Holman, Director and co-founder of Armour Comms, said: “We are delighted that the ISO27001 certification for our company management processes has been achieved at the first attempt and within the ambitious timescales that we set ourselves. This is testament to the hard work and dedication from our technical and management team, all while operating under COVID-19 lockdown conditions.

“Achieving ISO27001 provides a strong baseline for our continued development of robust security solutions, that protect sensitive data, while delivering a great user experience on standard smartphone devices and desktops – an attractive alternative to consumer-grade apps designed for business use. End-user engagement is a key component of good security solutions and an area that we will continue to focus on within our ISO27001 product design processes.”

ISO/IEC 27001 details requirements for establishing, implementing, maintaining and continually improving an information security management system – the aim of which is to help organisations make the information assets they hold more secure. It requires that management:

  • Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
  • Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
  • Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements

Dr. Andy Lilly, CTO and co-founder of Armour Comms, added: “At Armour we have a strong track record in compliance with industry standards. We have previously completed CPA and NATO certifications, and Armour Mobile uses the NCSC’s MIKEY-SAKKE protocols. Achieving ISO27001 certification demonstrates our continued holistic approach to security throughout the entire lifecycle of our products, which will ultimately benefit all customers, across all product lines.”


Armour Comms has published a podcast explaining the differences between CPA and ISO27001.  It can be viewed here:

https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be

ISO27001 and CPA certification – Apples and Bananas


Comparing ISO27001 and CPA is like comparing apples with bananas. They are both recognised industry standards associated with cybersecurity, in much the same way that apples and bananas are both fruit, but they are designed to do different things. In a nutshell, CPA certifies an individual product, whereas ISO27001 certifies a whole company, covering all of its processes and procedures around information security and the way that it develops its products.

At Armour we are well qualified to talk about both ISO27001 and CPA as we have achieved both.  Here is an explanation of each, with plus and minus points for both.

What is CPA?

Commercial Product Assurance (CPA) was a scheme introduced in 2014 by CESG, the UK’s National Technical Authority for Information Assurance, which is now part of the National Cyber Security Centre (NCSC). It was launched to coincide with the replacement of the Government Protective Marking Scheme (GPMS) by the Government Security Classifications Policy (GSCP), where data is categorised into just three levels of classification for UK information assets: OFFICIAL, SECRET and TOP SECRET (https://www.gov.uk/government/publications/government-security-classifications). The three classifications didn’t give quite enough granularity, so a ‘handling caveat’ of OFFICIAL-SENSITIVE was also introduced for the subset of OFFICIAL information that required additional protection (https://www.gov.uk/guidance/official-sensitive-data-and-it).

For the CPA scheme, the NCSC sets a series of standards which independent test laboratories use to assess products for their suitability to handle OFFICIAL data. (Formally, SECRET use required High Grade products assessed using the even more costly CAPS process: https://www.ncsc.gov.uk/information/products-cesg-assisted-products-service.) The CPA standards are published so that both the companies and potential purchasers of the products can see the requirements against which testing has been performed.

In other words, CPA certification confirms that the product does what the vendor says it does, giving purchasing organisations a level of assurance that they know what they are buying and that it does what they think it does. The more experienced (cynical) among you will know that this is not always a foregone conclusion in the world of software.

What is ISO27001?

ISO27001 is an international standard specific to Information Security Management, originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013 and again for European markets in 2017. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organisations make the information assets they hold more secure. Organisations that meet the standards are audited by an independent body and certified as such.

ISO/IEC 27001 requires that management:

  • Initiates processes that examine the organisation’s information security assets, and assesses risks, threats, vulnerabilities and the associated possible impacts
  • Implements a series of integrated and comprehensive controls and risk management strategies that address risks to information security assets
  • Undertakes a program of continuous assessment and improvement to ensure that information security controls evolve to meet current and ongoing requirements

Comparing ISO 27001 and CPA

The main limitation of the CPA scheme is that it is product based, so it only ever relates to an individual product. If that product is updated, for example to introduce new features and benefits, or simply to run on a newer version of hardware, it needs to be re-assessed (and CPA also requires a full re-certification every 2 years). This is costly and time-consuming. It makes it difficult for vendors to keep up with the rapid pace of technology (particularly in the mobile space) and reduces the choice for purchasers.

ISO27001 is not product specific, therefore does not provide the very specific assurance offered by CPA certification. However, it does provide a more holistic approach to information security and ensures that organisations are managing the processes within their declared scope. For Armour, this means the entirety of our product development, delivery and support operations as well as all supporting aspects of the company (finance, HR, etc.) follow security best practices. (The scope is important – some suppliers only certify a subset of their processes/operations.) This provides purchasers with broad confidence that products and services delivered by ISO 27001-certified organisations should be secure and – just as importantly – that they will be updated over time to mitigate new security concerns.

Both CPA and ISO27001 are expensive and time-consuming for the vendor; however, they do demonstrate a certain commitment to providing quality products that comply with recognised industry standards.

And why is all of this important?

NCSC is discontinuing the CPA scheme for all products with the exception of smart meters. At the moment there is no replacement scheme, causing a dilemma for security-conscious organisations that would normally opt for a CPA-certified solution. How can they be assured that any new solutions they use to handle classified data are suitable and up to the job?

This is where we believe ISO27001 is becoming increasingly important. ISO27001 covers much more than simply IT, and certainly more than a single product, making it significantly different to CPA, but in many ways, we believe, better. In essence, with ISO27001 the processes and controls within the company or organisation are assessed and certified, meaning that any and all products developed will have been built using tried and tested means. This enables a more flexible approach for the vendor and purchaser alike. Under ISO27001 it is much easier for products to be updated to keep pace with the rapidly changing technology and security threat landscape.

In the meantime we continue to work closely with NCSC with the aim of supporting whatever assurance scheme they implement to supersede CPA.

To hear our CTO Andy Lilly further discuss the differences between CPA and ISO27001, listen to our podcast here: https://www.youtube.com/watch?v=4v9aojG3EeQ&feature=youtu.be

If you or your security accreditors have any questions, please get in touch: sale@armourcomms.com

The Deadline for Ditching WhatsApp

Facebook has declared its intentions for WhatsApp – and it’s not great news for business users (or anyone else for that matter).

Data is moving West!

We are seeing a worrying trend where tech behemoths are moving data away from the EU and back to the US, possibly to avoid stringent GDPR data regulations. WhatsApp has recently introduced a new policy for users outside of the EU under which users are forced to agree to share their personal information with other Facebook companies. Details here: https://www.theregister.com/2021/01/06/whatsapp_privacy_policy_demand/

The original deadline for providing this permission was 8 February, after which time dissenting users would no longer be able to use the app. Due to public outcry and a mass exodus to other messaging platforms, the deadline has now been postponed to later in the year, BUT we can see the direction of travel. Users who already have privacy settings blocking sharing of their information will retain that protection, but anyone else could be giving up personal info such as names, profile pictures, status updates, phone numbers, contact lists, IP addresses, mobile device model, operating system, network carrier, etc. and, if you engage with businesses via the app, sensitive details such as shipping addresses and the amount of money spent on orders.

Facebook looking for ROI?

When Facebook acquired WhatsApp in 2014 they stated that they would not look to monetise the WhatsApp user base for 5 years. Those 5 years have now passed, and it is to be expected that Facebook will look to recoup its investment (some $22bn). They initiated this with their drive to get businesses taking orders and providing support to customers over WhatsApp, and all that information could end up stored on Facebook’s servers if businesses opt to store it there. While WhatsApp currently states that contact details will not be shared with Facebook for advertising purposes, they could be in future.

Data fallout from Brexit

Just before Christmas we saw a story that Facebook is moving the responsibility and legal obligations for UK users from its operations in Dublin to the US, due to Brexit and the UK’s changing relationship with the EU, albeit they also regard the UK as still being part of their “EU region”: https://www.reuters.com/article/us-britain-eu-facebook-exclusive/exclusive-facebook-to-move-uk-users-to-california-terms-avoiding-eu-privacy-rules-idUSKBN28P2HH Google made a similar announcement earlier in the year.

GDPR still applies, WhatsApp is NOT suitable for Business Use

At the moment, the UK’s data protection laws mirror those of GDPR. For this reason alone, WhatsApp, and some other consumer-grade social media messaging platforms, are not suitable for business use, and never have been. Some industry bodies, such as the Financial Conduct Authority, are warning against its use: https://www.ftadviser.com/regulation/2021/01/11/fca-warns-advisers-on-using-whatsapp-and-social-media/

This latest change to its Terms and Conditions indicates Facebook’s ongoing intention to monetise its users, potentially opening up its options for dealing with UK users’ data, particularly in the event of a UK and US trade deal that includes the handling of data.

Our White Paper, Why WhatsApp is Not Suitable for the Workplace, explains. Download a copy HERE.