France bans WhatsApp use by Ministers

The French Prime Minister, Elisabeth Borne has banned the use of consumer messaging solutions WhatsApp, Signal and Telegram by government ministers and their teams.  The ban cites security vulnerabilities, something that we at Armour have been talking about for a number of years now!

Many organisations still commonly use mass-adoption platforms for communicating, when there is an alternative that is every bit as convenient and easy to use as a consumer-grade app, and is approved by the UK’s National Cyber Security Centre (NCSC).  This solution, Armour Mobile, is widely used throughout the MOD, and parts of the government that require higher assurance.

Why are mass-adoption services so insecure?

Any messaging, communications or collaboration platform that allows anyone to join cannot be considered secure, simply because without strong, identity-based authentication, participants cannot be sure that they are really communicating with whom they intended to.  Account theft, SIM swapping and simply renaming one’s social media account to look like someone else’s make it very easy for people, including government personnel, to get phished and accidentally leak sensitive information.  The exponential increase in the power of AI to generate deep-fake impersonations means that this is going to be an escalating issue. Our recent blog explains the dangers of impersonation-based attacks and how to mitigate them.

On top of this very significant security flaw, there are a number of other issues such as:

A tempting target

Mass-adoption platforms, precisely because everyone uses them, are a lucrative target for hackers, activists, cyber criminals and nation-state sponsored attacks.  This means that any organisation using WhatsApp, Signal, Telegram, or Teams, Zoom, GoogleMeet could easily get caught in the crossfire, and suffer lost data, or inability to communicate, even if they are not the intended target.

No data sovereignty

You have no control over where your data goes, what server it is held on and who might have access to it.  At the very least, this raises data privacy concerns, for example, GDPR compliance, quite apart from the issues around handling sensitive data that, if exposed, could put an organisation at a commercial disadvantage, or even compromise national security.

No control over where your information is sent

With social media apps, once a communication has been sent to a third party, the sending organisation has no control over what the recipient then does with that information.  Ex-Health Minister Matt Hancock’s published WhatsApp messages demonstrated this point admirably.  The fierce back-and-forth arguments between Boris Johnson and Dominic Cummings are another such example. Read more here, complete with fruity language: https://www.bbc.co.uk/news/uk-67275967


How Armour Comms delivers secure communications

In answer to the issues outlined above, Armour Comms delivers a secure communications platform with all of the convenience and usability of a consumer-grade app, but with enterprise-grade management features, such as:

  • Managed communities meaning that only verified people can join, so users can be confident they will only be communicating with authorised and authenticated users.
  • All information is protected within the Armour environment. Armour can be hosted in the secure Armour cloud, or on-premises (e.g. within a government or other known data centre), so that you know exactly where your data is being held, delivering your data sovereignty requirements.
  • Message Burn and automated message deletion mean that any conversations can be set to automatically delete after a set time to ensure sensitive data doesn’t accumulate on a device. Additionally, individuals can set a message to delete at a certain time after it has been read, or after it has been sent.
  • For any device that is lost, stolen, or compromised, all data held within the Armour environment can be remotely wiped.
  • Secure auditing capabilities mean that all communications are securely recorded for secure review at a later date, even if the messages have been deleted from the original device, delivering compliance needs, such as Public Records, the Freedom of Information Act and other industry specific regulations.

Armour Mobile is approved by the NCSC and NATO.  It is widely in use across the MOD and defence contractors, as well as areas of the UK government that require higher assurance.

Read our buyer’s guide for more information about how Armour Comms’ secure communications platform can help, and what questions you should be asking. DOWNLOAD HERE

The impact of power cuts on your communications, resiliency and security

When the lights go out, what happens to your secure comms capabilities? And how do you ensure legislative compliance – particularly in regulated industries?

If you are working in a location prone to power outages, how do your employees continue working and communicating securely if your corporate business systems are out of action? How do you ensure operational resilience?

In many areas around the world, power transmission can’t be taken for granted. Power cuts are an all too frequent occurrence in some geographic locations, for numerous different reasons. People and organisations adapt and generally speaking business continues.

But stop and think for a minute.  Exactly how do your staff continue working?  If they are using their own devices and non-corporate means of communicating, what happens when people are sharing company-confidential information over unmanaged networks to unmanaged devices? All the issues associated with the use of shadow IT during normal operations (lack of oversight, accountability and traceability, and heightened data security risks) are magnified when there is a power outage.

A particular risk for financial services organisations is the punitive fines and loss of reputation should employees be found using non-sanctioned apps such as WhatsApp.  Our previous blogs outline the details of nearly $2 bn in fines levied by the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for the use of unauthorised apps.  More recently, the UK energy regulator Ofgem fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals.

How confident are you that your intellectual property, corporate data, trade secrets, sensitive customer information and commercially valuable information isn’t being put at risk?

Are Satellite Services the answer?

For those used to travelling to remote locations where landlines are non-existent and mobile coverage can be patchy, satellite services have long provided an alternative. Today satellite bandwidths are much greater and hence signals more reliable than even just 5 years ago, and while reception can be affected by atmospheric conditions (rain), services are now far more consistent.

As well as providing an alternative means of communication, using satellite services can, in some respects, be a more secure option because it does not rely on the open internet. In fact, in the US’s National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP800-61) https://csrc.nist.gov/pubs/sp/800/61/r2/final, in Section 3.1.1 Preparing to Handle Incidents it states that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

When combined with a built-for-purpose, Secure by Design secure communications platform, a satellite service can provide a strong solution for business resilience.

What do we mean by Secure Communications?

Secure communications are defined as a means by which people can share information with a strong degree of certainty that the communications remain completely private. Third parties cannot intercept or overhear what was said, and that information shared remains in the control of the sender (for example, information cannot be forwarded to other unauthorised parties).

Typically truly secure communications run on an independent platform that does not rely on mass-use consumer technology to operate.  Secure communications should include:

  • Voice
  • Instant Messaging
  • Video calls and conferencing
  • Sending attachments and files while conversing

Ideally, the secure communications platform runs over a variety of networks including 3/4/5G, Wi-Fi and satellite, and will also interoperate with SIP-based PBXs, providing secure communications right to the desktop.

What exactly should you be looking for?

Consumer applications all claim end-to-end encryption, but there is a lot more to security than just encryption, so when looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and solving each one, combined with providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision-making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) in its document Secure communications principles, which highlights key points to look for in a secure communications solution.

Popular collaboration apps, such as MS Teams, Zoom, GoogleMeet etc. may not provide end-to-end encryption because they often decrypt the data at the server in order to provide an audit capability.  And if power is down, the services cannot be relied upon to be operational, even if your employees can gain access to them.

Our Buyers’ Guide provides a list of pertinent questions applicable to commercial organisations, government, defence, and the wider public sector. It covers key points recommended by NCSC as well as some additional questions that are particularly relevant to the protection and preservation of data in regulated industries such as financial services.

10 Questions to Ask

  1. How is data protected, both at rest on the device, and in transit?
  2. How does the app prove identity? Can it protect against deep fake scams?
  3. Where is the data stored? Does it provide data sovereignty?
  4. Can you separate business and personal communications? Is it suitable for use on a BYOD device?
  5. Is the app designed with security in mind (Secure by Design), from the ground up? Are the default settings secure?
  6. What are the archiving and audit options?
  7. Are there different levels of security to handle different classifications of data? And can people from different entities or groups communicate across the app?
  8. How does it handle video conference calls? Does it provide higher levels of security for conference calls?
  9. How would your IT/business continuity teams communicate in the event of a severe cyber breach?
  10. Do your existing comms and messaging arrangements meet the NCSC’s 7 principles for secure communications?


Ensuring compliance with industry regulations

In the event of a severe power outage, or other critical incident, being able to communicate securely is of paramount importance for keeping business running.  Many organisations rely on employees using their own phones in an emergency, but when the dust has settled and the lights are back on, it will be extremely difficult to analyse what information was sent where.  And with no audit trail, there will be no possibility of complying with data privacy, Know Your Customer, DORA, MiFID, GDPR or any other form of industry regulation, and little opportunity to learn from mistakes.

Armour Comms has published the Securing Communications Channels – A buyer’s guide to help organisations identify the key points they should look for.

Download your copy here: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

NCSC Exercise in a Box – Cyber security resilience testing


Just how secure is your Video Conferencing service?

The National Cyber Security Centre (NCSC) has recently launched its Exercise in a Box online tool for organisations of all sizes, in all sectors, to test how resilient they are to a cyber attack. The free-to-use tool provides a range of exercises that give organisations the chance to practise how they would respond to a cyber attack in a safe environment.  As they develop their internal processes, they can repeat the exercises to see how their cyber resilience stance has improved.

How secure is your video conferencing service?

One of the exercises is: Securing video conferencing services. A key question to ask is:

Can your video conferencing service be separated from your existing communications infrastructure to ensure resilience? Will it work as a standalone system when a critical incident occurs and your communications infrastructure has been compromised?

Organisations should be aware that any mass-adoption messaging and collaboration tool is likely to be a target of malicious hackers itself, because it presents such a vast attack surface, and the spoils of a successful attack can be considerable. Often these mass-adoption collaboration tools are part of the very infrastructure that is subject to a cyber attack, and once compromised the infrastructure can no longer be trusted for important communications with external suppliers, partners, customers or law enforcement. Ask yourself, what would happen if your email system went down?  Also, these tools don’t solve the issue of communicating securely with external parties, which you need to do in the event of an incident.

Mass-adoption desktop platforms that include messaging and collaboration tools are often the basis for an entire enterprise technology infrastructure with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were no longer working, how would the business operate?  What would be the ramifications for your employees trying to do their jobs and communicate with colleagues?

An organisation using a compromised service doesn’t need to be the subject of the attack, they can become collateral damage despite not being a target, simply by relying on the service and not having a secure alternative.

Therefore, for all organisations it is crucial to have a back-up comms channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.

What do we mean by ‘out-of-band’?

An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure. It is a system that can operate completely on its own as a standalone solution. It doesn’t rely on email, Microsoft Office/365, or any mainstream system to access the open internet. An out-of-band comms platform can work when all other systems are compromised.

As we’ve explained in some detail in our blog In the midst of a Cyber Attack who you gonna call – and how?, you can’t rely on a compromised system to communicate (assuming it still operates which is a big assumption), because your adversaries could be monitoring it, keen to see how the organisation is responding so that they can reap even more havoc. In addition an organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.

So when assessing your video conferencing service for security and resilience, what should you be thinking about?

5 Questions you need to ask about your Video Conferencing service

1. Do you have a video conferencing platform that uses identity-based encryption to authenticate both end points?

If you rely on a mass-adoption collaboration platform then you almost certainly don’t!

2. Can you control who can initiate or join a video call?

Are you able to manage who joins your video conferencing platform? When there are only known users allowed, participants on a call can be sure who they are sharing potentially sensitive information with.

3. Do you know where your data is stored and who has access to it?

Do you retain complete control of your data, including chat, and files shared within a call?  Do you know where your data is stored, i.e. does it meet the requirements for data sovereignty and GDPR compliance? If you use a system that allows third party access to your users’ contact lists, it is unlikely to be GDPR compliant.

4. Can you be sure who you are communicating with?

Identity-based attacks are on the increase, with deepfake and AI-generated impersonation attacks hitting the headlines more often.  A video conferencing platform that uses the NCSC recommended MIKEY-SAKKE protocol for identity-based encryption authenticates users, so that you can be sure who you are communicating with.

5. Do you have pre-arranged incident response secure federated call groups set up?

Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. Groups can be internal and external, typically including suppliers, law enforcement, internal groups, employees and key stakeholders and the SOC team, etc. If your organisation relies on mass-adoption infrastructure for critical communications, it can be difficult to communicate with external parties without trusted, secure federated groups already in place. Indeed, NIST SP800-61 recommends having multiple back-up communications solutions in place.

If the answer is NO to any of the 5 questions above, then you should be looking for an additional, out-of-band secure communications channel that your key people can use to communicate between themselves and, critically, with external third parties in the event of serious incidents and cyber attacks.

How Armour can help

Armour Unity™ extends the highly successful Armour® ecosystem to provide secure, pre-defined or on-the-fly enterprise-level mobile video conferencing, screen sharing and in-app messaging for iOS and Android devices. Documents and chats associated with a conference call benefit from the trusted security of the Armour platform. This can be achieved as an on-premises or cloud solution to suit your business needs.

With the Armour Comms platform, organisations are able to create internal and external user groups and integrate them into business continuity processes.

In common with Armour Mobile™, Unity uses MIKEY-SAKKE identity-based encryption, which is recommended by the UK National Cyber Security Centre (NCSC).  This innovative approach means that participants on a call can be certain that only authenticated and invited attendees are able to join the conference.

Secure Communications Buyer’s Guide

For more comprehensive information about what you should be looking for in a secure communications platform, download our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

Proof of Concept or Pilot Offer

For those undertaking the NCSC Exercise in a Box, Armour offers a free Proof of Concept or Pilot project, subject to conditions.  Contact us today for more details.

How to mitigate impersonation cyber threats with identity-based crypto

MIKEY-SAKKE provides higher assurance for sensitive communications

Never heard of MIKEY-SAKKE? If not, you need to find out about it soon because it can help mitigate the threat from deepfake and AI-generated impersonation attacks. Our CTO, Dr. Andy Lilly, explains how.

The privacy of calls, messages and emails is an on-going challenge for government and enterprise organisations alike. The proliferation of remote working and mass-adoption collaboration platforms has completely changed the way that business is conducted in recent years. Add to this the rapidly growing threat from deepfake and AI-generated impersonation-based attacks, and the need for protecting the digital identity at both ends of a communication becomes imperative. Despite the increasing threat levels, there are steps that organisations can take to provide higher levels of assurance for sensitive communications. Adopting products developed using the MIKEY-SAKKE standard and protocol for encryption and identity-based authentication means that you can mitigate the threat from impersonation-based attacks by being certain who you are communicating with.

Securing mobile communications – Confidentiality, Integrity, Authentication

When looking at securing mobile communications, be it voice, instant messaging, video or data, it is important for any solution to deliver three key outcomes. The first is confidentiality, i.e. ensuring no unauthorised person or machine can access the content of any data exchange. The second is integrity, ensuring that information, messages, attachments have not been tampered with. Third is authentication of identity, i.e. ensuring that the parties exchanging data – whether persons or machines – are doing so with the individual or the machine with which they believe they are exchanging data.

Sharing information securely with someone remotely is a more complex task than it at first appears.  Below we explain different techniques for using encryption keys to safely share data.

Traditional encryption – How encryption keys are managed

Encryption of data passed between two parties requires an encryption key. However, the challenging part of a cryptographic protocol is deciding on a key to use for encrypting a particular set of data (for example, a voice call between two users). One method is called asymmetric cryptography, also known as public key cryptography: this uses the concept of a public and private key pair, encrypting the data with the public key, such that only the owner of the private key can decrypt it (thus also proving the recipient’s identity if they are the only holder of that private key). Each user’s application holds a private key within it which remains secret whilst their public key is made available to any other users who wish to encrypt a call or send a message to them.

However, there are disadvantages with typical implementations of public key cryptography in that it is cumbersome to scale in large organisations as public keys need to be distributed to all the users before encrypted communications can take place. To ease administration, organisations can use a central trusted server to store the public keys and users can then ‘look-up’ the public key of another user whenever needed. However, this requires the server to be always available 24×7 and fully secure, so no one can maliciously insert fraudulent keys.

Alternatives include one-time asymmetric encryption also known as ephemeral Diffie-Hellman. This method establishes a one-time key between two users; however, a disadvantage of this method is that it doesn’t prove the other user’s identity (so could be spoofed by a malicious hacker posing as the recipient, or acting as a man-in-the-middle between the two users) and is therefore reliant on another layer of complexity to prove authenticity of the end points.

MIKEY-SAKKE protocol – Secure multimedia communications

Secure communications are clearly needed across government and within regulated industries such as finance, telecoms, health, critical national infrastructure, defence and others. To this end MIKEY-SAKKE, an international standard (RFC 6509) defined by the IETF and expanded upon by the 3GPP for use in Mission Critical communications, has been adopted and is recommended by the UK’s National Cyber Security Centre (NCSC) for the development of products that enable secure, cross-platform multimedia communications.

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient and effective protocol for building a wide range of secure multimedia services for government and enterprise organisations. As the capabilities of malicious actors embrace AI and deepfake technology, MIKEY-SAKKE is one reliable way to be sure that you know who you are communicating with.

Identity-based encryption and authentication

Identity-based encryption uses the publicly known identity of the communicating parties to determine the encryption keys to use. For example, a trusted domain management service provides a domain certificate giving any user within its system with the ability to take an input ‘identity’ and create a public key to encrypt data to the user with that unique ‘identity’. The identity could be a phone number, email address or other similar identifier. So the key to encrypt to the recipient doesn’t need to be pre-distributed to every possible contact, nor stored on a server; it can simply be generated “on the fly”, as needed.

Each user’s identity needs to be centrally verified, so that everyone in the system knows the identity is associated with a particular user. Using an existing unique identity (such as a mobile phone number) can provide a ready source for these identities. However, with a system such as Armour Mobile™, any unique identifier can be used, and the option to use something other than a mobile phone number can add an extra level of security. The recipient, provisioned with the private key for their unique identity, can then decrypt the calls and messages sent to their identity. As a result, anyone can securely communicate with any user in the domain without having to individually exchange any prior information between the users.

Scalable, flexible and complete control

Armour’s identity-based encryption solution Armour Mobile™ delivers the flexibility, convenience and security required for fast-paced communications from any location and any device. As secure registration is established using a single message, the Armour® identity-based encryption solution is highly scalable and flexible, while providing the higher assurance that only known and approved individuals can be enrolled into a secure communications community.

The Armour platform supports both real-time communications such as one-to-one and group conference calls (both voice and video), and deferred delivery such as instant messaging, group chats, documents and voicemail. It is designed to be centrally-managed, providing communications domain managers with full control of the security of the system while maintaining high availability.

With Armour Mobile, activation and revocation of users is handled centrally. Should a person change roles or leave the organisation or a device be lost, stolen or compromised, the data held on the device within the Armour ecosystem can be securely wiped remotely.

In addition, the Armour platform provides a wealth of other enterprise-grade features not provided by mass-adoption collaboration platforms, such as archive and audit capabilities to securely store and review communications at a later date (using processes compatible with higher assurance requirements). This capability enables organisations to comply with industry regulations and meet data privacy requirements, as well as public record and Freedom of Information requests.

A new approach

Securing modern methods of communication and collaboration requires a new approach. Various forms of public key infrastructure have attempted to provide usable and scalable, client-to-client security. However, these processes have often been cumbersome and the driving factor behind frustrated users adopting less than secure practices in order to ‘get their job done’, thus creating a weak link in the security chain.

Identity-based encryption avoids having to tie a user to a hard-to-remember-and-exchange public key, instead the user’s identity ‘becomes’ their public key. Armour Mobile provides a feature-rich, secure communications and collaboration platform that provides the higher assurance offered by products that use the MIKEY-SAKKE protocol, with a user-experience to match consumer-grade apps.

Security should not be seen as a hindrance but as a significant component of the overall culture of an organisation and as a business enabler that can allow innovation by supporting modern working practices.

For more information about MIKEY-SAKKE visit: https://www.ncsc.gov.uk/articles/using-mikey-sakke-building-secure-multimedia-services

Impersonation-based Cyber Attacks – Can you guarantee who you are talking to?

When it comes to mission-critical conversations, ‘secure-enough’ mass-use communications applications are often NOT secure enough – they need an extra layer of assurance.

Technology industry website CRN recently ran its Cybersecurity Week, publishing the 10 Emerging Cybersecurity Threats and Hacker Tactics 2023. It made alarming reading.

One of the most worrisome trends is identity-based attacks where hackers use compromised credentials to gain access to systems, or to dupe victims into giving up valuable and/or sensitive information. Identity-based attacks are one way to get around endpoint detection and response.  Phishing and social engineering remain huge threats, and again, are based on people being tricked into actions that they would not otherwise have considered had they realised that the person they were communicating with wasn’t actually who they thought it was.

In the PwC Cyber Security Outlook 2023, cloud and digital transformation is once again top of the agenda. This global research also makes the point that investing in people and technology is key for successful cyber transformation.


Who are you really communicating with?

Phishing attacks via mass-use collaboration apps were one of the top threats identified by CRN. Impersonation threats are posed when a compromised account is used to carry out phishing attacks.  Typically, the attacks aim to steal credentials from a targeted organisation by engaging a user and eliciting approval of multifactor authentication prompts.

Deepfake, another class of impersonation attack that has been a threat for a few years now, has continued to develop, with deepfake video creation software now reportedly available.  In 2023 audio deepfakes have been used for funds transfer scams. A larger threat is that attackers may soon be able to generate real-time voice-clone deepfakes.


Secure collaboration?  One size does not fit all

With the rise of impersonation-based cyber attacks, it is time for organisations to re-consider the use of mass-use communication and collaboration tools. While they may be ‘secure-enough’ for many mission-critical conversations, when a higher level of assurance is required, the latest research indicates that an extra layer of security is required based on the use case scenario, its related sensitivity and related risk.

For conversations and interactions that need additional assurance, there are secure communication platforms readily available.  Built with a Secure by Default ethos with UK government/NCSC and NATO accreditations, the Armour® platform provides the same ease of use, and great user experience as mass-use apps, but with considerably more security for managing users and content.


Identity-based Authentication supports Trusted Communications

To pick up the point made in the PwC Cyber Security Outlook report, which cites a catastrophic cyberattack as the number one risk in Operational Resilience plans, organisations should be looking to protect their more sensitive, commercially valuable communications with additional security.  Indeed, best practice guidelines from NCSC and NIST stipulate that if communications channels are even suspected of being compromised, an ‘out-of-band’ secure comms channel should be used to assess the damage and lead the recovery.  Mass-use communications platforms are simply too large and amorphous. Anyone can join, and the platforms themselves provide very little control over where data is stored, who has access to it and what they do with it.

By using a secure messaging and collaboration platform that has Secure by Default at its very heart, and that uses identity-based authentication, organisations can maintain complete privacy and security of communications.  Armour Unity™ extends the highly successful Armour ecosystem to provide secure, pre-defined or on-the-fly enterprise-level mobile video conferencing, screen sharing and in-app messaging for iOS and Android devices. Documents and chats associated with a conference call benefit from the trusted security of the Armour platform.

In common with Armour Mobile, Unity uses MIKEY-SAKKE identity-based encryption, which is recommended by the UK National Cyber Security Centre (NCSC).  This innovative approach means that participants on a call can be certain that only other invited attendees are able to join the conference. Read our previous blog for an explanation of how MIKEY-SAKKE works and why it is important: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/


Share information only with those you Trust

Using a communications solution that harnesses identity-based authentication, such as the Armour platform, ensures that information is shared only with the intended recipient, safeguarding corporate intellectual property, sensitive commercial information, and complying with data privacy and operational resiliency requirements such as GDPR, DORA and the PRA’s Operational Resilience regulations.

Armour’s holistic Secure by Design approach delivers assurance that mass consumer-use conferencing applications simply can’t provide.

We will be showcasing Armour’s secure (and high assurance) collaboration solutions, including Armour Unity at the forthcoming SDSC-UK, 1-2 November at the Telford International Centre.  Contact us today for a free expo and conference ticket and to arrange a meeting.

Updates to NCSC’s Cyber Assessment Framework and NIST SP800 highlight the growing risks to business

How global cyber security frameworks are evolving to meet the cyber & operational resilience challenges, and how secure communications is a key part of the solution

With the ever-increasing incidence of cyber attacks, particularly via mobile phones, cyber security is arguably one of the biggest threats to business in modern times. Almost everyone carries a mobile phone, and many of us take for granted the connectivity and convenience they provide.  These are the very reasons that we love our phones, however, they also open up a whole host of risks around data security.  Not just our own personal data, but that of our friends, family, and if the phone is used for work communications (and most are), then business data too!

Recently there has been a lot of media attention on the importance of cyber security frameworks with updates from national and international security agencies. The UK’s National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) and the US’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) have both increased their scope. Likewise, in the EU the NIS2 Directive (which takes effect from October 2024) has extended the previous NIS 1 regulations to cover many more industries. In the financial services sector the Digital Operational Resilience Act in Europe, and the Operational Resilience regulations in the UK, already impose mandatory cyber requirements.

Cyber security and assessment frameworks now cover most industries

The key theme running through all of this is that all of the regulations and frameworks mentioned above have been expanded to cover more industries, more organisations of all sizes and more risk scenarios.  In short, having a formal cyber security assessment framework and policies for managing cyber incidents is no longer the preserve of just the semi-public sector companies that run critical national infrastructure. Any organisation providing any public service, such as healthcare, telecommunications, transportation, financial services, energy/water/utilities, digital services and infrastructure, pharmaceuticals, chemicals, food production, space, communications and manufacturing will all be subject to new cyber security legislation.

All of these frameworks and regulations outline their own variations on the five key functions of an effective cyber security function, namely:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover


None of the frameworks or regulations are prescriptive, but rather suggest processes by which each organisation can develop their own internal procedures for handling cyber security and dealing with cyber attacks.

Building resilience – how secure mobile communications are a key part of the solution

Mobile phones play a key role.  While providing a huge risk to organisations, mobile phones are also part of the solution – or at least, the way they are used, and the way that data can be separated and managed on them. This is equally true for BYOD devices that are used for business but that the organisation does not manage (e.g. via a Mobile Device Management solution).  An enterprise secure communications platform can ensure separation between business and personal data, even on BYOD devices.

A secure communications platform that runs independently of the mass-use consumer-grade apps that are very often monitored and targeted by hackers and other malicious and state-backed actors, can provide a communications channel when other corporate systems are compromised. This is a critical requirement when first discovering a cyber breach, and marshalling a response. Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.

Indeed, the NIST Computer Security Incident Handling Guide (SP 800-61, https://csrc.nist.gov/pubs/sp/800/61/r2/final), in Section 3.1.1 Preparing to Handle Incidents, states that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

NCSC CAF, NIST CSF and DORA all suggest that groups with key contacts/structure, such as suppliers, law enforcement, internal groups and stakeholders, SOCs, etc. are pre-defined and set up before the incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to pre-define the groups for internal and external contacts and integrate them into business continuity processes in the event of a critical incident.

https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

Secure Communications – Beyond Incident Management

There are many other ways in which a secure comms platform can support compliance with cyber security and assessment frameworks beyond simply providing a safe communications channel in the event of an attack.

  • Incident co-ordination with colleagues, collaborators and third parties
  • Supply chain communications
  • Central user management, for rapid deployment and (just as importantly) one-click revocation of lost or stolen devices, ensuring only authorised users can access your secure communications
  • Identity based authentication so that users can be sure who they are communicating with (protect against spoofed accounts, identity theft and deepfake scams)
  • Data security for corporate information held on BYOD devices. Features such as Message Burn and remote wipe capabilities mean that the organisation keeps control of data within its secure communications ecosystem, even after it has been sent
  • Resilient communications networks supported by ‘out of band’ channels that do not rely on the public internet so are more robust to attack
  • Response and recovery planning is kept private and secure, so that adversaries cannot monitor plans and progress


Look out for our upcoming White Paper on Incident Management and Secure Communications.  In the meantime, our recent webinar with The Register explains NCSC’s 7 Principles of Secure Communication https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar and our Buyer’s Guide outlines exactly what you should be looking for, with a Top 10 Questions to Ask.  Download your copy here: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

US bank fined £5.4m for WhatsApp violations

WhatsApp mis-use is becoming a wider issue for businesses than simply compliance with financial regulations.

The UK energy regulator Ofgem has fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals. Ofgem said that the bank “did not take sufficient reasonable steps to ensure compliance with its own policies and the requirements of the regulations.”

The growing risk from Shadow IT

This incident is a prime example of the dangers of shadow IT which was highlighted in a recent blog from the National Cyber Security Centre (NCSC). In guidance published by NCSC on how best to tackle the risks of shadow IT, it comments that if employees are using unsanctioned processes and insecure workarounds to get their work done, it is usually because the tools provided by the organisation don’t work, are slow, or cumbersome to use.  NCSC recommends using such situations as an opportunity to investigate what issues the users are experiencing, what exactly it is that employees are trying to achieve, and why the systems provided by the organisation are not working. With this information IT can re-examine approved solutions and source suitable alternatives that do meet the users’ requirements.

Penalties applied to employees as well as business

This is not just an issue that affects organisations, it can also have a huge impact on employees. In 2021 Morgan Stanley was one of a number of US banks that were fined $2.5bn for their employees’ use of WhatsApp and other unapproved apps to discuss deals with clients and colleagues.  It was reported by the Financial Times that as a result of these fines, the bank imposed pay forfeitures of as much as $1m on some staff, depending on the number of messages sent, seniority and whether the employee had received prior warnings.

Preserve communications for later auditing

One of the key elements in the latest case with Ofgem is the failure to store communications, which has long been a requirement of the financial services industry. The major failing with the use of WhatsApp and other consumer apps like it is that there is no ability to archive and audit conversations. Cathryn Scott, regulatory director of enforcement at Ofgem, stated: “It is unacceptable that [Morgan Stanley] failed to prevent electronic communications which could not be recorded or retained. It risks a significant compromise of the integrity and transparency of wholesale energy markets.”

Enterprise secure communications applications such as Armour Mobile and Recall by Armour provide the ease of use of consumer messaging/calling/conferencing apps, but with UK MOD/government-accredited security and a secure audit facility, meaning that a copy of all communications and associated files is saved and can be reviewed later, subject to the appropriate security processes. Recall stores communications even when the original messages have been deleted from the user’s device (whether through normal use or in an attempt to hide misuse), something that simply can’t be achieved with a consumer app.

Recall by Armour

With Recall by Armour, suitably approved compliance officers are able to play back messages, audio or video calls, subject to strict security processes:

  • All transmitted media (text, attachments, audio) are archived.
  • Tightly managed authorisation for audit access.
  • Individual encryption keys limit access.
  • All access to audit files is audited.


It’s not just FCA compliance that is important

The fine imposed on Morgan Stanley by Ofgem is the first of its kind under the transparency rules, which are aimed at protecting consumers against market manipulation and insider trading. It demonstrates the ever widening requirement for organisations to maintain transparency in communications, and to be able to prove that they have complied. Providing Armour Mobile on employees’ mobiles ensures there is no excuse for not using a secure and compliant communications app for all business use.

As we have argued on many occasions, keeping business communications secure, separate from personal communications and under the control of the organisation, even on devices that the organisation does not own (BYOD) IS possible, and is increasingly a business imperative.

Providing centrally managed applications for secure business communications puts you back in control of your data while still enabling the use of BYOD devices. Armour Mobile can also be deployed within an organisation’s own infrastructure, providing total surety of data sovereignty to comply with Data Protection / GDPR laws.

For more information about how Armour Mobile and Recall by Armour could help your organisation to keep control of all business conversations, prove compliance with a wide range of regulatory requirements and avoid heavy fines, CONTACT US today.

Three ways that secure communications can help you prepare for DORA

Complying with the EU’s Digital Operational Resilience Act (DORA) will affect any financial institution offering their services to clients in the EU.

When it comes to operational and cyber resilience, there are a lot of regulatory requirements, which are NOT optional, and plenty of best practice guidelines. While wrestling with the requirements for compliance, and finding the resources and budget to complete resilience projects, many IT Directors and CISOs are looking at how they can generate additional benefits for the business off the back of such projects. Use of productivity tools that boost cyber resilience can also increase compliance with data protection laws such as GDPR, and tackle the growing spectre of shadow IT.  There are many aspects to making an organisation more resilient to cyber attacks and other incidents that may disrupt the business, and a secure communications channel is one way to support resilience while delivering additional business benefits to the rest of the organisation.

Financial services firms and ICT technology providers have less than 18 months to comply with the new legislation which comes into effect on 17 January 2025.  DORA comes hot on the heels of the UK’s own Operational Resilience regulations developed by the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA). The PRA announced that the deadline for starting the implementation of the Operational Resilience Framework for UK financial institutions was 31 March 2022 and the deadline for implementing all aspects of operational resilience is 31 March 2025.

With multiple deadlines looming so close together, many financial firms are tackling both sets of legislation concurrently. As both adhere to the five pillars of operational resilience there is a lot of common ground.

Five pillars of Operational Resilience

  • ICT risk management and governance
  • ICT-related incident reporting
  • Digital operational resilience testing
  • Intelligence sharing
  • ICT third-party risk


Secure communications are key to enhancing Cyber & Operational Resilience

There are several ways in which secure communications are essential for compliance with best practice advice, regulations and legislation. These are applicable whether firms are working towards compliance with UK or EU regulations and are good business practice for any organisation looking to increase business resilience.  An organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.

Indeed, the NIST Computer Security Incident Handling Guide (SP 800-61, https://csrc.nist.gov/pubs/sp/800/61/r2/final), in Section 3.1.1 Preparing to Handle Incidents, states that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

Incident Response Plans – What are your safe communications channels?

Well run organisations will have an incident management process that is well documented in advance, with technology and infrastructure in place, so that they are prepared for a crisis. When an organisation succumbs to a cyber-attack or catastrophic IT failure, the first thing to do, even before assessing the situation fully and putting together a plan for recovery and future mitigation, is to understand exactly how you are going to communicate.

It is not only the IT department discussing the technicalities, and business continuity managers keeping the C-suite and the board abreast of events, that need to be considered. A wide variety of people are involved in handling the situation and will need secure, reliable comms.  They include those with internal roles such as project managers, risk and incident managers, as well as employees with external roles such as customer relationship managers, public relations, and legal counsel/lawyers.  The last thing you should do is use the very platform that has just been compromised, i.e. your corporate network, if indeed that is still functional.

DORA and NIST suggest that groups with key contacts/structure, such as suppliers, law enforcement, internal groups and stakeholders, SOC, etc. are pre-defined and set up before the incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to create the groups and integrate them into business continuity processes.

https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/

Robust ICT Risk Management Practices – Keep tight control of your data

There are many situations where sensitive corporate information can be put at risk by the use of non-approved communications apps which cannot separate business from personal data. For example, details of what were thought to be private messages can be leaked to malevolent third parties (see our previous blog for some grisly details: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/).  Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.

Armour Mobile is able to provide secure archive and audit capabilities which record conversations and messages and so allow full review (and policing) of employee communications. The archived details are securely preserved, even if the original messages are deleted from the user’s phone.

Enhanced Information Security Measures

In the event of a major cyber attack, by protecting the communications of the IT and digital forensics team, as well as other key senior members of staff, you are blocking a very useful source of information from being intercepted or modified by the hackers (who commonly infiltrate and monitor a company’s normal communications to see if they have been detected, and to pre-empt any countermeasures). In addition, by using a secure communications platform, such as Armour Mobile, and having the secure comms hosted by a third party, you are further isolating the senior management and IT team’s comms from the potentially compromised systems that they are trying to recover.

Out-of-band comms is essential, not optional.

It’s not just DORA compliance

Quite apart from Governance, Risk & Compliance (GRC) requirements for which a secure communications platform is essential for compliance, every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal.  All of this information could cause financial loss, be deeply embarrassing if leaked, lead to loss of reputation, breach GDPR and attract huge fines, or at worst, could jeopardise the entire business.

A secure communications platform will provide a safe channel for communications during a serious cyber security event, it provides an audit trail to prove compliance and it can also be used to protect all manner of business information.

To find out exactly what you should be looking for, the questions you should ask, and the NCSC’s 7 principles of Secure Communication, read our Buyer’s Guide.

Secure by Design/Secure by Default

What it means for enterprise secure communications

Secure by Design and Secure by Default are both terms coined by the UK National Cyber Security Centre (NCSC), and used in different contexts.  Sometimes they are used interchangeably, however, they do have slightly different meanings, which are important for enterprise security in general, and for secure communications in particular.

Secure by Design

Broadly speaking, Secure by Design means that software products and services are designed to be secure from the ground up.  Every layer is considered from a security and privacy standpoint and starts with a robust architecture design.  Secure by Design incorporates strategies such as forcing patterns of behaviour, for example, strong authentication, and the use of best practice protocols such as least privilege access.

More specifically, Secure by Design is part of the Government’s National Cyber Security Strategy. The Department for Digital, Culture, Media & Sport (DCMS) and the NCSC conducted a review into how to improve the cyber security of consumer Internet of Things (IoT) products and associated services, and as a result published various documents regarding the security of smart devices.

Secure by Default

Secure by Default builds on the premise of Secure by Design.  According to NCSC, Secure by Default is about taking a holistic approach to solving security problems at the root cause rather than treating the symptoms. It covers the long-term technical effort to ensure that the right security attributes are built into software and hardware. As well as ensuring that security is considered at every stage when developing products and services, it also includes ensuring that products are delivered to the end-user in such a way that the default settings enforce good security practices, while balancing usability with security.

In short, when you turn on your device and turn on your Armour Mobile app you are immediately configured to be secure. This protects against human error, where an end-user may not realise that they need to turn on encryption or security.  After all, if a product is too difficult to use, people will simply find a workaround, meaning that security ends up being compromised anyway.

Secure by Default principles prescribed by NCSC are:

  • security should be built into products from the beginning, it can’t be added in later;
  • security should be added to treat the root cause of a problem, not its symptoms;
  • security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
  • security should never compromise usability – products need to be secure enough, then maximise usability;
  • security should not require extensive configuration to work, and should just work reliably where implemented;
  • security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
  • security through obscurity should be avoided;
  • security should not require specific technical understanding or non-obvious behaviour from the user.
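To make the “should not require extensive configuration” and “protects against human error” principles concrete, here is an added example (not Armour’s code; the setting names, defaults and policy are constructed for illustration) of a settings loader for a hypothetical messaging client. Every field defaults to its secure value, so an empty settings document is already fully protected; unknown keys are rejected so a typo cannot silently switch a control off; and any attempt to weaken a locked control fails closed rather than being ignored.

```python
"""Secure-by-default settings loading for a hypothetical messaging client.

Added example (not Armour's code): the setting names, defaults and policy
below are constructed to illustrate the NCSC Secure by Default principles.
"""
import json
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class SecuritySettings:
    # Every field defaults to the secure value, so an empty or missing
    # settings document yields a fully protected configuration.
    end_to_end_encryption: bool = True
    require_identity_auth: bool = True
    allow_screenshots: bool = False
    min_tls_version: str = "1.2"
    message_ttl_seconds: int = 24 * 3600  # messages expire after one day


class ConfigError(ValueError):
    """Raised for any settings document the loader refuses to apply."""


# Controls that a deployment may never weaken below the default.
LOCKED = {"end_to_end_encryption", "require_identity_auth",
          "allow_screenshots", "min_tls_version"}

# The one tunable control, with the range the (hypothetical) policy permits:
# one minute to one week. 0 ("never expire") is refused.
TTL_MIN, TTL_MAX = 60, 7 * 24 * 3600


def load_settings(raw_json: str) -> SecuritySettings:
    """Parse a JSON settings document and return the effective settings.

    Fails closed: malformed input, unknown keys, wrong types and attempts
    to weaken a locked control all raise ConfigError instead of being
    ignored, so a bad document can never produce a weaker configuration.
    """
    try:
        data = json.loads(raw_json) if raw_json.strip() else {}
    except json.JSONDecodeError as exc:
        raise ConfigError(f"malformed settings document: {exc}") from exc
    if not isinstance(data, dict):
        raise ConfigError("settings document must be a JSON object")

    defaults = SecuritySettings()
    known = {f.name: f.type for f in fields(defaults)}
    overrides = {}
    for key, value in data.items():
        if key not in known:
            # A misspelt key must not silently turn into a no-op.
            raise ConfigError(f"unknown setting {key!r}")
        expected = known[key]
        # bool is a subclass of int, so compare types exactly to reject 1/0 for flags.
        if type(value) is not expected:
            raise ConfigError(f"{key} must be {expected.__name__}, "
                              f"got {type(value).__name__}")
        if key in LOCKED and value != getattr(defaults, key):
            raise ConfigError(f"{key} is locked to {getattr(defaults, key)!r}")
        if key == "message_ttl_seconds" and not TTL_MIN <= value <= TTL_MAX:
            raise ConfigError(f"message_ttl_seconds must be between "
                              f"{TTL_MIN} and {TTL_MAX}")
        overrides[key] = value
    return replace(defaults, **overrides)


def is_refused(raw_json: str) -> bool:
    """True if the loader rejects the document (used for the checks below)."""
    try:
        load_settings(raw_json)
    except ConfigError:
        return True
    return False


# Constructed sample documents.
EMPTY_DOC = "{}"                                                 # secure as-is
ADJUSTED_DOC = '{"message_ttl_seconds": 3600}'                   # permitted tuning
WEAKENED_DOC = '{"end_to_end_encryption": false, "message_ttl_seconds": 0}'
TYPO_DOC = '{"require_identity_auth": true, "alow_screenshots": true}'

if __name__ == "__main__":
    print("empty document ->", load_settings(EMPTY_DOC))
    print("adjusted TTL   ->", load_settings(ADJUSTED_DOC).message_ttl_seconds)
    for doc in (WEAKENED_DOC, TYPO_DOC):
        try:
            load_settings(doc)
        except ConfigError as exc:
            print("refused:", exc)
```

The design choice worth noting is that the loader never “helpfully” repairs a bad document: a user who does nothing gets the secure configuration, and a user (or attacker with write access to the settings file) who tries to weaken a control gets an error rather than a degraded but working client.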

Armour’s Secure by Design and Secure by Default principles are intended to help organisations safeguard and control data, privacy, and whatever secrets they need to protect, whether that’s government, military, financial, legal, medical, intellectual property, strategic or competitive.

Armour Mobile complies with Secure by Design AND Secure by Default

At Armour Comms we have been working with NCSC since our inception in 2014 to ensure that our products are designed with best practice security protocols in place. Our initial products were CPA certified to demonstrate they adhered to these security principles; when that scheme finished (for all products with the exception of smart meters) we focused on ISO27001 and Cyber Essentials Plus certification as externally audited proof of our strong security practices, and targeting NCSC’s latest Principles Based Assurance (PBA).

Our products are approved for use up to OFFICIAL-SENSITIVE, NATO Restricted and for Higher Assurance requirements and are already deployed at these levels, as well as being suitable for handling Corporate Confidential information. Our innovative developers work hard to deliver products that strike the balance between providing a user experience that mimics consumer-grade apps, while delivering the security credentials required for higher assurance use.  Armour Mobile is in use in numerous areas of Government departments and the MoD, as well as by commercial customers who understand the value of securing their sensitive communications.

For a more detailed look at the NCSC Secure by Default principles read our blog: The future of NCSC Technical Assurance: https://www.armourcomms.com/2022/01/25/the-future-of-ncsc-technical-assurance/ and for more information about the NCSC Secure by Default principles please read: https://www.ncsc.gov.uk/information/secure-default.

The UK Government’s Secure by Design principles are outlined at: https://www.security.gov.uk/guidance/secure-by-design/ and these principles are recognised internationally, e.g. by the US Cybersecurity and Infrastructure Security Agency (CISA) at https://www.cisa.gov/securebydesign

NCSC’s Principles Based Assurance is described at https://www.ncsc.gov.uk/information/principles-based-assurance and is discussed in detail in https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar