Considerations For Secure Communications
With ‘hybrid working’ now a way of life for many, the NCSC (National Cyber Security Centre) has published risk management advice on what organisations should think about before choosing and using communication and collaboration apps for use on ‘corporately provisioned and managed’ devices. The guidance should be used by organisations looking to use, deploy, and understand the risks of adopting a range of popular Software as a Service (SaaS) applications.
Step 1: Establish the business context in which the app will be used
Users like the familiar. More specifically, they like what they use on their own devices, and they may prefer an app running on their personal phone to something that is corporately available. Existing corporate solutions are often rejected because they provide a poor user experience, are incorrectly configured, or have underlying architectural issues that cannot support effective communication. When adopting new software, the first step is to ask whether there is a genuine business case for the app: will the adoption of a new communication process benefit the organisation as a whole?
Step 2: Research the app you intend to use
Have other organisations (such as other governments, academia, the IT industry and the technical media) conducted any security reviews of the app in question?
Be particularly wary of claims about end-to-end encryption. It typically covers messages only while they are in transit between devices, and it will often not apply to backups of messages and related content (the data at rest), which may be stored under the provider's or cloud platform's keys rather than the user's. You must also assess what metadata the app collects (for example contacts, call records and timestamps) and who can access it. Check the user agreement and privacy policy to see what the supplier will do with the data, and establish an acceptable level of risk.
Can the app settings on the user's device be controlled by your organisation? If they are wholly controlled by the user, you will be relying on your users to maintain the settings you have advised in order to protect your organisation, and that reliance should be reflected in your risk assessment. Finally, and importantly, you also need to make sure the app provider is GDPR compliant.
Step 3: Configure the app to minimise risk
So you’ve approved the business case and researched the app, and you still think the app is suitable for your organisation. In which case we’d recommend the following:
• Limit the use of the app to only those users who have a business need. The fewer people who use it, the easier the risk is to manage.
• Understand the default privacy settings that the app applies, and change them so that the most appropriate privacy settings are in place.
• Control the system-level permissions granted to the app so that only those essential to your business use (for example contacts, microphone, camera or storage access) are allowed.
• Establish how messages and collaborative data are backed up. If they go to a cloud service, is the backup performed by the device's operating system or by the app itself? Are you confident this storage is secure enough for your business?
• Develop clear procedures so that users understand that it is their responsibility to maintain privacy settings. If possible, establish procedures that allow you to audit these settings.
Step 4: Document your decisions
Record why you have chosen the app rather than one that is already available in your enterprise. Record your risk assessment, what you require users to do when using the app, and what you will do should a breach occur.
As the cyber landscape evolves, we are encouraging our clients to reassess their communication tools and secure their digital footprint across both business and private life. Standard reactive support is no longer adequate to ensure privacy. Priavo Security provides market-leading technology for encrypted communications. This cloud-based secure platform can be tailored for use within enterprise and government markets, private homes and even onboard superyacht vessels, and is fully ISO 27001 certified and FIPS, NATO and CPA approved.
If you would like to learn more, contact us at email@example.com and book a consultation with one of our experts.