As cyber-espionage, state-sponsored hacking and identity-based attacks powered by AI and deepfake technology become mainstream, the details of sensitive communications between supply chain partners are at particular risk of compromise.
Any organisation that collaborates with others and shares commercially sensitive information needs to take robust action to secure its internal and supply chain communications, or it risks becoming the victim of malicious attacks that damage reputation and cause financial loss to commercial and brand value.
Keeping your supply chain secure
The NCSC reports that supply chain attacks are on the rise, as increasingly complex technology ecosystems present more opportunities to be exploited. Where an organisation cannot be compromised directly, an adversary may instead target its digital supply chain; one of many recent examples is the publication of Swiss Air Force documents on the dark web after an attack on one of its suppliers.
Organisations that need to collaborate with others, perhaps because they are working together on major projects, need to be able to communicate securely.
Mass-adoption applications are NOT secure enough
While popular mass-adoption communication applications offer convenience and claim to be secure, they have not been designed for sharing sensitive commercial information. Using products that were not specifically designed for the needs of high-assurance organisations introduces unnecessary risk to every organisation in the supply chain.
Advanced Mobile Solutions – 9 Top Tips
The UK’s National Cyber Security Centre (NCSC) has defined a range of cyber security principles which a secure communications system should meet with the aim of delivering more secure devices that are as easy and convenient to use as commercial/consumer devices. With this in mind, here are 9 top tips for setting up secure communications systems that protect sensitive conversations, enabling secure collaboration with trusted partners.
1. Provide reasonable protections against device compromise
Data should be encrypted at rest, time-limited (i.e. automatically deleted after a set period) and remotely wipeable if, for example, the device or the user is compromised. The communications app should refuse to start if the platform or operating system has been rooted or jailbroken.
2. Prevent bulk interception of sensitive data
Data should be encrypted in transit, including push notifications, and the app should be compatible with further protection by additional layers of secondary encryption (for example, VPNs).
3. Prevent devices being compromised in bulk
Each user is separately activated, keyed and authenticated throughout use, and is instantly revocable, including the remote wipe of all data held within the app.
4. Keep sensitive data encrypted in the mobile infrastructure
Apply a ‘walled garden’ approach to network zoning of the infrastructure. User management and key generation are held within the inner zone, securely segregated from external-facing services. Sensitive data passed from the inner zone to the outer zone is encrypted and can only be decrypted by the recipient user's app.
5. Monitor the mobile infrastructure to detect attacks
Service providers should deliver logging and data ‘pinch points’ to assist in monitoring.
6. Make it easy to destroy and recreate the mobile infrastructure
Infrastructure should be containerised for fast refresh or updates.
7. Protect the core with a hardware-assured Cross Domain Solution (CDS)
Ensure interoperability with CDS gateways for voice, video, messaging and the inner/outer infrastructure zone control channels.
8. Control and monitor the release of data from the core
The infrastructure should only permit the inner network zone to initiate connections to the outer zone, preventing external attacks back into the inner zone.
9. Engaging and user-friendly
Any solution must balance security with usability. Apps need to be as engaging and easy to use as consumer-grade apps, but with significantly more robust security, so that users have no need of workarounds to get the job done.