How global cyber security frameworks are evolving to meet the cyber & operational resilience challenges, and how secure communications is a key part of the solution
With the ever-increasing incidence of cyber attacks, particularly via mobile phones, cyber security is arguably one of the biggest threats to business in modern times. Almost everyone carries a mobile phone, and many of us take for granted the connectivity and convenience they provide. These are the very reasons that we love our phones, however, they also open up a whole host of risks around data security. Not just our own personal data, but that of our friends, family, and if the phone is used for work communications (and most are), then business data too!
Recently there has been a lot of media attention on the importance of cyber security frameworks with updates from national and international security agencies. The UK’s National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) and the US’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) have both increased their scope. Likewise, in the EU the NIS2 Directive (which takes effect from October 2024) has extended the previous NIS 1 regulations to cover many more industries. In the financial services sector the Digital Operational Resilience Act in Europe, and the Operational Resilience regulations in the UK, already impose mandatory cyber requirements.
Cyber security and assessment frameworks now cover most industries
The key theme running through all of this is that all of the regulations and frameworks mentioned above have been expanded to cover more industries, more organisations of all sizes and more risk scenarios. In short, having a formal cyber security assessment framework and policies for managing cyber incidents is no longer the preserve of just the semi-public sector companies that run critical national infrastructure. Any organisation providing any public service, such as healthcare, telecommunications, transportation, financial services, energy/water/utilities, digital services and infrastructure, pharmaceuticals, chemicals, food production, space, communications and manufacturing will all be subject to new cyber security legislation.
All of these frameworks and regulations outline their own variations on the five key functions of an effective cyber security function, namely:
- Identify
- Protect
- Detect
- Respond
- Recover
None of the frameworks or regulations are prescriptive, but rather suggest processes by which each organisation can develop their own internal procedures for handling cyber security and dealing with cyber attacks.
Building resilience – how secure mobile communications are a key part of the solution
Mobile phones play a key role. While providing a huge risk to organisations, mobile phones are also part of the solution – or at least, the way they are used, and the way that data can be separated and managed on them. This is equally true for BYOD devices that are used for business but that the organisation does not manage (e.g. via a Mobile Device Management solution). An enterprise secure communications platform can ensure separation between business and personal data, even on BYOD devices.
A secure communications platform that runs independently of the mass-use consumer-grade apps that are very often monitored and targeted by hackers and other malicious and state-backed actors, can provide a communications channel when other corporate systems are compromised. This is a critical requirement when first discovering a cyber breach, and marshalling a response. Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.
Indeed in the NIST Computer Security Incident Handling Guide (SP800-61) https://csrc.nist.gov/pubs/sp/800/61/r2/final , in Section 3.1.1 Preparing to Handle Incidents it states that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”
NCSC CAF, NIST CSF and DORA all suggest that groups with key contacts/structure, such as suppliers, law enforcement, internal groups and stakeholders, SOCs, etc. are pre-defined and set up before the incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to pre-define the groups for internal and external contacts and integrate them into business continuity processes in the event of a critical incident.
https://www.armourcomms.com/2023/03/31/in-the-midst-of-a-cyber-attack-who-you-gonna-call-and-how/
Secure Communications – Beyond Incident Management
There are many other ways in which a secure comms platform can support compliance with cyber security and assessment frameworks beyond simply providing a safe communications channel in the event of an attack.
- Incident co-ordination with colleagues, collaborators and third parties
- Supply chain communications
- Central user management, for rapid deployment and (just as importantly) one-click revocation of lost or stolen devices, ensuring only authorised users can access your secure communications
- Identity based authentication so that users can be sure who they are communicating with (protect against spoofed accounts, identity theft and deepfake scams)
- Data security for corporate information held on BYOD devices. Features such as Message Burn and remote wipe capabilities mean that the organisation keeps control of data within its secure communications ecosystem, even after it has been sent
- Resilient communications networks supported by ‘out of band’ channels that do not rely on the public internet so are more robust to attack
- Response and recovery planning is kept private and secure, so that adversaries cannot monitor plans and progress
Look out for our upcoming White Paper on Incident Management and Secure Communications. In the meantime, our recent webinar with The Register explains NCSC’s 7 Principles of Secure Communication https://armourcomms-25743375.hubspotpagebuilder.eu/register-webinar and our Buyer’s Guide outlines exactly what you should be looking for, with a Top 10 Questions to Ask. Download your copy here: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2