During a cyber incident, your usual communications channels may not be available. You may need to establish alternative ways to keep in touch with staff, stakeholders and customers, using phone lines, messaging apps or social media platforms – NCSC
In the past couple of weeks, UK intelligence and security organisations have been raising threat levels. The National Protective Security Authority (NPSA) has updated its threat picture regarding the likelihood of Russian state sabotage, and issued guidance on how to counter the risk of sabotage to UK interests and national security. At about the same time, NCSC has issued guidance on effective communications in a cyber incident. And, the Economist published an article entitled: Vladimir Putin’s spies are plotting global chaos, citing named sources from both MI5 and MI6. It states that the number of incidents in Europe has grown dramatically, listing examples in Germany, France, UK, Poland, America, Africa and the Middle East.
Obviously, we are all aware of the ongoing war in Ukraine, and we’ve heard about the allegations of Russian tampering with the last US election. However, the threat is increasing and is now coming demonstrably closer to home.
Prepare with incident management and response
One way that organisations can protect themselves is to prepare for such threats with incident management and response policies and processes, set up and tested in advance. Threats include physical sabotage, which might be particularly targeted at organisations providing critical national infrastructure (CNI). The EU NIS2 has widened CNI beyond government and public administration, critical infrastructure, finance and telecommunications to include sectors such as postal and delivery, food production/distribution, chemicals production/distribution, high-tech manufacturing, hospitals, diagnostic laboratories, medical device manufacturers, pharmaceutical companies, and other life sciences organisations. But the threats also include cyber attacks on almost any type of business for the purposes of extortion, disruption and general mischief making.
Communication with external third parties is crucial to protect corporate reputation
Secure communication with key stakeholders is one area that many organisations overlook in the panic to deal with a serious incident. Indeed, it is one of the first points that NCSC makes in its guidance document for effective communications in a cyber incident (referred to above), which goes on to state that “…effective communication to staff, stakeholders, customers and the media is crucial for shaping how an organisation is perceived.”
NCSC advises that a key step for preparing communications strategy as part of incident response is to set up an alternative communications channel, i.e. one that does not rely on the organisation’s usual channels, since these may have been compromised in the attack.
Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures be pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. Groups can be internal and external, typically including suppliers, law enforcement, internal groups, employees, key stakeholders and the SOC team, etc.
If your organisation relies on mass-adoption infrastructure for critical communications, it is difficult to communicate with external parties without trusted, secure federated groups already in place. Indeed, NIST SP 800-61 recommends having multiple backup communications solutions in place.
Our previous blog In the midst of a cyber attack, who you gonna call? And how? explains the challenges in more detail.
How do current systems stack up?
Think for a moment about how your organisation communicates currently. You probably use mass-adoption desktop platforms that include messaging and collaboration tools, which are often the basis for an entire enterprise technology infrastructure with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were no longer working, how would the business operate? What would be the ramifications for your employees trying to do their jobs and communicate with colleagues?
An organisation using a compromised service doesn’t need to be the subject of the attack: it can become collateral damage simply by relying on the service and not having a secure alternative.
Ensuring you have the right infrastructure components for effective incident management and response is key
For all organisations it is crucial to have a back-up communications channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.
A standalone, independently or in-house hosted secure communications platform that is as engaging and easy to use as a consumer-grade app can ensure that employees have a solution that keeps data secure, while providing the capability to communicate effectively. Such platforms deliver:
- Data protection using UK Government and NATO approved tools, Secure by Design/Secure by Default
- One easy-to-implement solution that enables multi-domain integration of communications amongst trusted third parties and stakeholders
- Instant, remote and mobile secure collaboration
What is an ‘out-of-band’ communications channel?
An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure. It is a system that can operate completely on its own as a standalone solution, i.e. it doesn’t rely on email, Microsoft Office/365, or other mainstream systems. An out-of-band communications platform can work when other systems are compromised, and its standalone nature protects it from the attackers.
NCSC Exercise in a Box – testing resilience
NCSC’s online tool Exercise in a Box is aimed at organisations of all sizes, in all sectors, and shows how to test resilience to a cyber attack. The free-to-use tool provides a range of exercises that give organisations a safe environment in which to practise how they would respond to a cyber attack. As they develop their internal processes, they can repeat the exercises to see how their cyber resilience stance has improved.
How Armour can help
Armour provides a single platform for communicating securely even on BYOD devices, keeping control of the data without the requirement for an MDM. It enables secure calls (audio and video), video conferencing, and secure instant messaging with document exchange, using personal, off-the-shelf smartphones and desktops. This allows trusted colleagues to share and discuss sensitive information, protected from eavesdroppers, even in the event of a cyber attack.
Armour can also provide a secure archive/audit capability, as required by regulated industries and public sector bodies where a record of material conversations/communications, including voice, messages and video, is a legal imperative and may be required for FoI responses. A recording of the incident response may be needed for internal review, for criminal proceedings against the hackers, and for the organisation to review and refine its response to future incidents and so further improve its incident management processes.
Users/call groups are centrally managed, and people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE secure social media protocol) means that users can be confident when using the platform that they are communicating with who they think they are. Armour addresses the issue of identity-spoofing and ghost-callers, particularly useful when video conferencing.
With the Armour Comms platform, organisations are able to create internal and external user groups and integrate them into business continuity processes, ideal for when communication with distinct groups of stakeholders is imperative. In addition to pre-defined call groups, new people can quickly be provisioned onto the service via secure QR codes and by downloading the app from the appropriate app store.
Armour can be deployed as a cloud or on-premises installation, which preserves data sovereignty by giving full control over where data resides, as well as providing the independence from third-party solutions required to provide an ‘out-of-band’ emergency communications channel.
And, of course, Armour can also be deployed for day-to-day, sensitive communications (with built-in audit compliance), if your business needs to protect its C-suite users, frequent overseas travellers, etc.
Secure Communications Buyer’s Guide
For more comprehensive information about what you should be looking for in an ‘out-of-band’ secure communications platform, download our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/